[Bug 1980018] Re: Cryptsetup-initramfs cant deal with tpm2-device option

Christopher Hall 1980018 at bugs.launchpad.net
Thu Sep 29 13:23:10 UTC 2022


> Having encryption on everything is still nice, as you can be less
> paranoid when it comes to recycling drives.

It's not just convenience. There is a big increase in security because
there is a MASSIVE technical skill gap between someone being able to
exploit a situation where someone has to manipulate an initramfs to
fetch TPM-stored keys, and someone simply walking off with unencrypted
drives or booting a USB and mounting them, finding your key file for
encrypted drives sitting around on other more-removable media. How many
people can do the latter and how many people can do the former?

If you think of it on a gradient, it's like 0-10 security are allowed,
but it's not worth properly implementing 8 because it's not 10. Even if
it's not a 10 right now, make it a proper 8 and then push to 10.

Looking over Mcelderderry's code it seemed trivial to do.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/1980018

Title:
  Cryptsetup-initramfs cant deal with tpm2-device option

Status in cryptsetup package in Ubuntu:
  Confirmed

Bug description:
  In order to boot an encrypted system and auto-unlock with TPM2, the
  tpm2-device= option must be specified in /etc/crypttab. This works
  for non-root filesystems for some reason, but when applied to root
  filesystems it doesn't. Tested working on both Arch and Fedora, so the
  method is good; something is off in the background.


  root at test:~# update-initramfs -u
  update-initramfs: Generating /boot/initrd.img-5.15.0-40-generic
  cryptsetup: WARNING: sda3_crypt: ignoring unknown option 'tpm2-device'

  Manually adding it to /lib/cryptsetup/functions produces this:

  root at test:~# update-initramfs -u
  update-initramfs: Generating /boot/initrd.img-5.15.0-40-generic
  /usr/share/initramfs-tools/hooks/cryptroot: 1: eval: CRYPTTAB_OPTION_tpm2-device=auto: not found

  That file belongs to cryptsetup-initramfs.

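The `eval: CRYPTTAB_OPTION_tpm2-device=auto: not found` line in the bug description is a shell naming problem rather than a TPM one: POSIX variable names may contain only letters, digits and underscores, so the hyphen turns the word into an ordinary command name instead of an assignment. As an added illustration (my own code, not the cryptsetup-initramfs hook's), the following parser maps crypttab option names to valid variable names before the eval and rejects anything else; `parse_crypttab_options`, `sanitize_option_name`, `get_crypttab_option` and `naive_set_option` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not cryptsetup-initramfs code: parse a crypttab options
# field such as "luks,discard,tpm2-device=auto" into CRYPTTAB_OPTION_*
# variables. POSIX shell variable names allow only [A-Za-z0-9_], so the
# hyphen in "tpm2-device" must be mapped before the eval.

# The unsanitized pattern from the bug report. For "discard=yes" this
# assigns CRYPTTAB_OPTION_discard; for "tpm2-device=auto" the word is not
# a valid assignment, so sh runs it as a command and reports "not found".
naive_set_option() {
    eval "CRYPTTAB_OPTION_$1"
}

# Print a variable-name-safe form of an option name ('-' becomes '_').
# Names containing any other unsafe character are rejected (return 1).
sanitize_option_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    printf '%s\n' "$1" | sed 's/-/_/g'
}

# parse_crypttab_options "luks,tpm2-device=auto" sets CRYPTTAB_OPTION_luks=yes
# and CRYPTTAB_OPTION_tpm2_device=auto. Bad names are skipped with a warning.
parse_crypttab_options() {
    _ifs=$IFS; IFS=,
    set -f                      # no pathname expansion while splitting
    for _o in $1; do
        case "$_o" in
            *=*) _name=${_o%%=*}; _val=${_o#*=} ;;
            *)   _name=$_o;       _val=yes ;;
        esac
        if _var=$(sanitize_option_name "$_name"); then
            # Only the sanitized name is interpolated; the value is expanded
            # by eval as $_val in assignment context (no splitting/globbing).
            eval "CRYPTTAB_OPTION_$_var=\$_val"
        else
            echo "cryptsetup: WARNING: ignoring malformed option '$_name'" >&2
        fi
    done
    set +f; IFS=$_ifs
}

# Look an option up by its crypttab spelling, e.g. get_crypttab_option tpm2-device
get_crypttab_option() {
    _var=$(sanitize_option_name "$1") || return 1
    eval "printf '%s\n' \"\${CRYPTTAB_OPTION_$_var-}\""
}
```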
