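I have an Ubuntu 20.04 machine that I am trying to configure for disk encryption. I am trying to set up automatic unlocking, but my configuration does not work so far and it always prompts me for the password.
To do this, I followed these steps: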
- sudo apt-get update and sudo apt-get install cryptsetup
- Check /dev/nvme0n1p3 -> sudo cryptsetup luksDump /dev/nvme0n1p3 -> no tokens or keyslots
- Install clevis, clevis-luks, clevis-dracut, clevis-udisks2, clevis-systemd, clevis-tpm2
- sudo clevis luks list -d /dev/nvme0n1p3 -> empty
- echo <my password> | sudo clevis luks bind -d /dev/nvme0n1p3 tpm2 '{ "pcr_bank":"sha256", "pcr_ids": "7,11" }'
- sudo dracut -fv --regenerate-all
- Check sudo clevis luks list -d /dev/nvme0n1p3 -> 1: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"7,11"}'
- lsblk -o NAME,UUID,MOUNTPOINT ->
├─nvme0n1p1 <uuid1> /boot/efi
├─nvme0n1p2 <uuid2> /boot
└─nvme0n1p3 <uuid3>
  └─dm_crypt-0 <uuid4>
    └─ubuntu--vg-ubuntu--lv <uuidd5> /
- cat /etc/crypttab -> dm_crypt-0 UUID=<uuid3> none luks
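At boot, I do not notice any errors from cryptsetup, luks, or tpm2. After googling and checking other questions, I also verified:
- sudo systemctl enable clevis-luks-askpass.path
- update-initramfs -c -k all
-> ran successfully
My fstab file does not actually list the encrypted partition:
cat /etc/fstab ->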
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
# / was on /dev/ubuntu-vg/ubuntu-lv during curtin installation
/dev/disk/by-id/<Some id which I don't know the origin of> / ext4 defaults 0 1
# /boot was on /dev/nvme0n1p2 during curtin installation
/dev/disk/by-uuid/<uuid2> /boot ext4 defaults 0 1
# /boot/efi was on /dev/nvme0n1p1 during curtin installation
/dev/disk/by-uuid/<uuid1> /boot/efi vfat defaults 0 1
/swap.img none swap sw 0 0
I also tried adding the partition to fstab manually, without success.
No matter what I try, it always asks for the password at boot.
What can I do to fix this?
Answer 1
I was missing: clevis-initramfs needed to be installed. After adding it, the automatic unlocking worked.
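
The fix above can be checked before rebooting. The following is an added example, not part of the original answer, that reports which piece of boot-time unlocking is missing: the tpm2 binding, the clevis-initramfs package (Ubuntu builds its initramfs with initramfs-tools, so clevis-dracut alone adds nothing to it), or clevis files inside the initramfs image. The function names and the --live switch are hypothetical, and /boot/initrd.img-$(uname -r) is assumed to be the image that boots.

```shell
#!/bin/sh
# Added example: pre-reboot checks for Clevis/TPM2 auto-unlock on a system
# whose initramfs is built by initramfs-tools. All function names are
# hypothetical; each check takes command output as text so it can be tested.

# has_pkg PKGLIST NAME -- PKGLIST holds "status name" lines as printed by
#   dpkg-query -W -f='${db:Status-Abbrev} ${Package}\n'
# Only state "ii" (installed) counts; "rc" (removed, config left) does not.
has_pkg() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$1 == "ii" && $2 == p { f = 1 } END { exit !f }'
}

# has_tpm2_pin LIST -- LIST is the output of: clevis luks list -d DEVICE
has_tpm2_pin() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+: tpm2 '
}

# initramfs_has_clevis LISTING -- LISTING is the output of: lsinitramfs IMAGE
initramfs_has_clevis() {
    printf '%s\n' "$1" | grep -q 'clevis'
}

# diagnose PKGLIST LIST LISTING -- one finding per line; returns 0 if none.
diagnose() {
    rc=0
    has_tpm2_pin "$2" || { echo "no tpm2 binding on the LUKS device"; rc=1; }
    has_pkg "$1" clevis-initramfs ||
        { echo "clevis-initramfs is not installed"; rc=1; }
    initramfs_has_clevis "$3" ||
        { echo "initramfs image contains no clevis files"; rc=1; }
    return "$rc"
}

# Live use (as root): sh check.sh --live /dev/nvme0n1p3
if [ "${1:-}" = "--live" ]; then
    dev=${2:?usage: --live DEVICE}
    diagnose "$(dpkg-query -W -f='${db:Status-Abbrev} ${Package}\n')" \
             "$(clevis luks list -d "$dev")" \
             "$(lsinitramfs "/boot/initrd.img-$(uname -r)")"
fi
```

If the package is reported missing, install it and rebuild the image with update-initramfs before running the check again.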