Ubuntu 20.04 autoinstall UEFI full disk encryption


I wrote this user-data to install Ubuntu 20.04 on a UEFI server.

#cloud-config
autoinstall:
  update: yes
  early-commands:
    - systemctl stop ssh
  apt:
    geoip: true
    preserve_sources_list: false
    primary:
    - arches: [amd64, i386]
      uri: http://fr.archive.ubuntu.com/ubuntu
    - arches: [default]
      uri: http://ports.ubuntu.com/ubuntu-ports
  packages:
    - modemmanager
    - network-manager
    - socat
  identity: {hostname: edgegateway, password: verysecure,
    realname: Cyril, username: cyril}
  keyboard: {layout: fr, toggle: null, variant: ''}
  locale: en_US
  network:
    ethernets:
        eth0: { dhcp4: true, dhcp-identifier: mac, optional: true }
        eth1: { dhcp4: true, dhcp-identifier: mac, optional: true }
    version: 2
  ssh:
    allow-pw: true
    authorized-keys: ['ssh-rsa ....']
    install-server: true
  storage:
    config:
    - {ptable: gpt, path: /dev/sda, wipe: superblock, preserve: false, name: '', 
      grub_device: false, type: disk, id: disk-sda}
    - {device: disk-sda, size: 536870912, wipe: superblock, flag: boot, number: 1,
      preserve: false, grub_device: true, type: partition, id: partition-0}
    - {fstype: fat32, volume: partition-0, preserve: false, type: format, id: format-0}
    - {device: disk-sda, size: 1073741824, wipe: superblock, flag: '', number: 2,
      preserve: false, type: partition, id: partition-1}
    - {fstype: ext4, volume: partition-1, preserve: false, type: format, id: format-1}
    - {device: disk-sda, size: -1, wipe: superblock, flag: '', number: 3,
      preserve: false, type: partition, id: partition-2}
    - {volume: partition-2, key: 'verysecure', preserve: false, type: dm_crypt,
      id: dm_crypt-0}
    - name: ubuntu-vg
      devices: [dm_crypt-0]
      preserve: false
      type: lvm_volgroup
      id: lvm_volgroup-0
    - {name: swap, volgroup: lvm_volgroup-0, size: 8G, preserve: false, type: lvm_partition,
      id: lvm_partition-0}
    - {fstype: swap, volume: lvm_partition-0, preserve: false, type: format, id: format-4}
    - {name: ubuntu-lv, volgroup: lvm_volgroup-0, size: -1, preserve: false,
      type: lvm_partition, id: lvm_partition-1}
    - {fstype: ext4, volume: lvm_partition-1, preserve: false, type: format, id: format-3}
    - {device: format-3, path: /, type: mount, id: mount-3}
    - {device: format-4, path: '', type: mount, id: mount-4}
    - {device: format-1, path: /boot, type: mount, id: mount-1}
    - {device: format-0, path: /boot/efi, type: mount, id: mount-0}
    swap: {swap: 0}
  version: 1

On first boot, I run a script to set up the password in the TPM:

apt update
apt dist-upgrade -y
apt install -y clevis-luks clevis-tpm2 luksmeta tpm-udev tpm2-tools
# same passphrase as the dm_crypt key in the autoinstall storage config
password="verysecure"
# bind the LUKS volume to the TPM2, sealed against PCR 7 (Secure Boot state);
# the existing LUKS passphrase is supplied on stdin via the here-string
clevis luks bind -f -d /dev/sda3 tpm2 '{"pcr_ids":"7"}' <<< "$password"
# seal the same passphrase against PCR 8 and 9 and print the resulting JWE
echo -n "$password" | clevis encrypt tpm2 '{"pcr_ids":"8,9"}'
# initramfs hook so the volume is unlocked from the TPM at boot
apt install -y clevis-initramfs

Everything works fine, but it is not secure enough.

  • How do I encrypt /boot? I think I just need to remove
      {device: disk-sda, size: 536870912, wipe: superblock, flag: boot, number: 1, preserve: false, grub_device: true, type: partition, id: partition-0}
    and
      {device: format-1, path: /boot, type: mount, id: mount-1}
  • What about Grub? Can it retrieve the password from the TPM?
  • Do I need to set one TPM password for Grub and another one for Luks?

Thanks in advance for your answers/snippets
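The storage graph in the user-data above can be checked mechanically, which answers part of the first bullet: the following Python script (an added example, not part of the original question and not subiquity or curtin code) walks the autoinstall storage actions from each mount point down to the disk and reports whether a dm_crypt layer sits in between, and also lists which dm_crypt actions carry their passphrase in plain text inside the user-data. The storage actions are transcribed from the YAML above into a Python list so the script runs without a YAML parser; the helper names and the PARENT_KEYS table are the example's own.

```python
"""Report which mount points of an autoinstall storage config sit on top of
a dm_crypt (LUKS) layer, and which dm_crypt actions embed a plaintext key."""

# Storage actions transcribed from the autoinstall user-data above
# (constructed Python form; only the keys the walk needs are kept).
STORAGE_CONFIG = [
    {"type": "disk", "id": "disk-sda", "path": "/dev/sda", "ptable": "gpt"},
    {"type": "partition", "id": "partition-0", "device": "disk-sda", "number": 1,
     "flag": "boot", "grub_device": True},
    {"type": "format", "id": "format-0", "volume": "partition-0", "fstype": "fat32"},
    {"type": "partition", "id": "partition-1", "device": "disk-sda", "number": 2},
    {"type": "format", "id": "format-1", "volume": "partition-1", "fstype": "ext4"},
    {"type": "partition", "id": "partition-2", "device": "disk-sda", "number": 3},
    {"type": "dm_crypt", "id": "dm_crypt-0", "volume": "partition-2", "key": "verysecure"},
    {"type": "lvm_volgroup", "id": "lvm_volgroup-0", "name": "ubuntu-vg",
     "devices": ["dm_crypt-0"]},
    {"type": "lvm_partition", "id": "lvm_partition-0", "name": "swap",
     "volgroup": "lvm_volgroup-0"},
    {"type": "format", "id": "format-4", "volume": "lvm_partition-0", "fstype": "swap"},
    {"type": "lvm_partition", "id": "lvm_partition-1", "name": "ubuntu-lv",
     "volgroup": "lvm_volgroup-0"},
    {"type": "format", "id": "format-3", "volume": "lvm_partition-1", "fstype": "ext4"},
    {"type": "mount", "id": "mount-3", "device": "format-3", "path": "/"},
    {"type": "mount", "id": "mount-4", "device": "format-4", "path": ""},
    {"type": "mount", "id": "mount-1", "device": "format-1", "path": "/boot"},
    {"type": "mount", "id": "mount-0", "device": "format-0", "path": "/boot/efi"},
]

# For each action type, the key(s) that reference the action(s) underneath it
# (assumption of this example, matching how the config above is wired).
PARENT_KEYS = {
    "mount": ("device",),
    "format": ("volume",),
    "lvm_partition": ("volgroup",),
    "lvm_volgroup": ("devices",),
    "dm_crypt": ("volume",),
    "partition": ("device",),
    "disk": (),
}


def parents(action):
    """Return the ids of the actions directly below this one in the stack."""
    out = []
    for key in PARENT_KEYS[action["type"]]:
        value = action.get(key)
        if isinstance(value, list):
            out.extend(value)
        elif value is not None:
            out.append(value)
    return out


def encrypted_mounts(config):
    """Map each mount (by path, or [fstype] for a pathless swap mount) to
    True when a dm_crypt action lies anywhere between it and the disk."""
    by_id = {a["id"]: a for a in config}
    report = {}
    for action in config:
        if action["type"] != "mount":
            continue
        label = action["path"] or "[%s]" % by_id[action["device"]]["fstype"]
        encrypted = False
        stack, seen = [action["id"]], set()
        while stack:  # depth-first walk towards the disk
            node_id = stack.pop()
            if node_id in seen:
                continue
            seen.add(node_id)
            node = by_id[node_id]
            if node["type"] == "dm_crypt":
                encrypted = True
            stack.extend(parents(node))
        report[label] = encrypted
    return report


def plaintext_keys(config):
    """Ids of dm_crypt actions whose passphrase is written into the user-data."""
    return [a["id"] for a in config if a["type"] == "dm_crypt" and a.get("key")]


if __name__ == "__main__":
    for path, enc in encrypted_mounts(STORAGE_CONFIG).items():
        print("%-10s %s" % (path, "encrypted" if enc else "PLAINTEXT"))
    print("plaintext keys in user-data:", plaintext_keys(STORAGE_CONFIG))
```

On the config above the walk reports / and the swap volume as encrypted and /boot and /boot/efi as plaintext, and it flags dm_crypt-0 because its key is embedded in the user-data; anyone who can read the cloud-init user-data (for example from the provisioning server or the installer logs) can read that passphrase, so the same check is worth running before publishing a user-data file.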

Answer 1

Just follow the section "LUKS disk encryption scheme with a password stored in TPM2 as protector" at the following URL: https://tpm2-software.github.io/2020/04/13/Disk-Encryption.html
