
Hi,

On Sunday, 28 November 2021, 12:20:44 CET, Ulf Bartholomäus wrote:
Please excuse my first, wrong reply :-(
On Thursday, 25 November 2021, 17:33:44 CET, Benjamin Brunner wrote:
we had a look at how to move from LUKS v1 to LUKS v2 and also how to add functionality for alternative authentication mechanisms like TPM2 chips and FIDO devices during the boot process.
This will be really interesting for me as a user. On my notebook, I have encryption installed (root, home and swap). But the problem is that the key must be typed in at least two times (in GRUB and on boot-up). Especially the one on boot-up does not work well with a German keyboard layout (e.g. z <-> y are placed differently, and if one of them is used in the key you must use different letters in GRUB and at boot) :-(
That's not a big problem if you are aware of it, but it takes some time to find out.
See https://en.opensuse.org/SDB:Encrypted_root_file_system#Avoiding_to_type_the_... to avoid the second entry. The first is still done with the wrong keyboard layout though.
While there is no installer support yet and also no final decision on how it will be implemented in detail, we already wanted to share the current status and document what is achievable manually.
That's nice. If you need a tester, please let me know.
For all interested and curious who would like to have a look or want to directly test it, Antonio Feijoo <antonio.feijoo@suse.com> prepared some step by step guides at https://en.opensuse.org/SDB:LUKS2,_TPM2_and_FIDO2.
The documentation should work on Tumbleweed and later on openSUSE Leap 15.4.
OK, the main issue on my side is that my system seems to be encrypted with LUKS1, so I will check whether I can update/upgrade it with low risk on my notebook. But first I will make an image of the main required partitions to be able to replace them easily.
You can upgrade with fairly low risk (cryptsetup luksConvert works both ways), but the approach in the wiki article requires that the /boot partition is not encrypted, which is likely to require bigger changes on your system. It should also be noted that the /boot contents are not verified during boot (just the kernel through secure boot, if enabled), so it doesn't really provide any protection against physical access.
We would really appreciate any feedback, thoughts, or reports in case you encounter any issues.
I'll let you know if it works well on my notebook. Question: is there any easy possibility to check whether the TPM2 is properly detected in Linux? I searched for it, but no findings so far.
cat /sys/class/tpm/tpm0/tpm_version_major should print "2".

Cheers,
Fabian
Last but not least, a huge thanks to all involved for the feedback and support!
Many thanks for your work/proposal :-)
Ulf
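As an added example (not part of the thread and not from the openSUSE wiki article), the two checks discussed above, wrapped in small shell functions: the TPM major-version read from the sysfs file Fabian mentions, and the LUKS header version as reported by `cryptsetup luksDump`, so one can see whether a device is still LUKS1 before attempting a conversion. The sysfs path is parameterised so the function can be exercised without a TPM; the `Version:` line format of `cryptsetup luksDump` is assumed from current cryptsetup output.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Reports whether a TPM 2.0 device is detected and which LUKS header
# version a block device carries. Assumes the sysfs layout named in the
# thread (/sys/class/tpm/tpm0/tpm_version_major) and a cryptsetup whose
# luksDump output contains a "Version: <n>" line.

tpm_major_version() {
    # $1: path to the tpm_version_major file (defaults to the real sysfs file).
    # Prints the major version, or "none" when no TPM is exposed by the kernel.
    f="${1:-/sys/class/tpm/tpm0/tpm_version_major}"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        echo "none"
    fi
}

tpm2_detected() {
    # Succeeds only for a TPM 2.0 device; a TPM 1.2 or a missing TPM fails.
    [ "$(tpm_major_version "$1")" = "2" ]
}

luks_version() {
    # $1: block device (for example /dev/sda2). Prints "1", "2" or "none".
    # Assumption: cryptsetup luksDump prints "Version: <n>" for LUKS headers;
    # a non-LUKS device or a missing cryptsetup binary yields "none".
    v=$(cryptsetup luksDump "$1" 2>/dev/null | sed -n 's/^Version:[[:space:]]*//p')
    echo "${v:-none}"
}

report() {
    # Human-readable summary for one device; exit status 0 only when both
    # prerequisites for the wiki setup (TPM2 present, LUKS2 header) hold.
    dev="$1"
    tpm=$(tpm_major_version)
    luks=$(luks_version "$dev")
    echo "TPM major version: $tpm"
    echo "LUKS version on $dev: $luks"
    [ "$tpm" = "2" ] && [ "$luks" = "2" ]
}

# Usage: report /dev/sda2
```

Run `report` against the encrypted partition; a LUKS version of "1" means the header still has to be converted (after the backup Ulf mentions), and a TPM value other than "2" means the TPM-based unlock from the wiki article cannot be used on that machine.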