I recently picked up a new Framework laptop to replace my aging Chromebook, so I’m back on a “real” Linux laptop for the first time in nearly a decade.
This time, though, I’m running Fedora, so all the work above gets replaced with a single checkbox in the installer!
But my new laptop has a TPM chip, so I can make this even more painless using
The Fedora installer prompts for a passphrase which I have to enter at every boot. But, if the
system hasn’t changed significantly (e.g. from UEFI firmware or Linux kernel updates), then the TPM
chip can handle unlocking things on my behalf.
I found a fedora-users mailing list post that gave me the most succinct version of things to get working. Key parts:
- Run `systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/$DEVICE` to enroll an additional token to unlock the LUKS volume. In my case, `$DEVICE` is `/dev/nvme0n1p3`, but your mileage may vary: it is the block device backing your LUKS volume, and `lsblk` should make it clear.
- Edit `/etc/crypttab`, and change the end of the one line (starting with
- Until Fedora uses Dracut 056 (see #1976462), you need to create a file called `/etc/dracut.conf.d/tss2.conf`, with this in it:
    install_optional_items+=" /usr/lib64/libtss2* /usr/lib64/libfido2.so.* "
- Run `sudo dracut -f`.
- Reboot, and enjoy a fancy secure boot experience!
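To make the steps above concrete, here is a small dry-run script I'm adding as an example; it is not from the post or from the fedora-users thread. It prints the enrollment command, rewrites a crypttab entry, and writes the dracut drop-in into whatever directory you hand it, so it can be exercised without root and without a TPM. One assumption: the crypttab option it adds is `tpm2-device=auto`, which is the option documented in systemd's crypttab(5); the post's own text for that step is cut off, so that is my reading of what was meant. The `luks-<uuid>` entry name and `/dev/nvme0n1p3` in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not the post's own code. Dry-run helpers for enrolling a
# TPM2 token for a LUKS volume on Fedora with systemd-cryptenroll + dracut.
# Assumption: the crypttab option is tpm2-device=auto (crypttab(5) in systemd).
# Nothing here touches the live system unless you run the printed commands.

# Step 1: the enrollment command for the block device backing the LUKS volume.
# Printed, not executed: systemd-cryptenroll needs root and a real TPM2 device.
tpm2_enroll_cmd() {
    printf 'systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 %s\n' "$1"
}

# Step 2: add tpm2-device=auto to the options column of the crypttab entry
# named "$1". Reads crypttab text on stdin and writes the result on stdout.
# Columns are: name device keyfile options. Idempotent: a line that already
# carries tpm2-device= is left untouched, as are comments and other entries.
crypttab_add_tpm2() {
    awk -v name="$1" '
        $1 == name && $0 !~ /tpm2-device=/ {
            if (NF < 3) $3 = "none"              # no keyfile column yet
            if (NF < 4) $4 = "tpm2-device=auto"  # no options column yet
            else        $4 = $4 ",tpm2-device=auto"
        }
        { print }
    '
}

# Step 3: the dracut drop-in from the post, so the TPM2 (tss2) and FIDO2
# libraries are pulled into the initramfs. "$1" is the conf directory
# (/etc/dracut.conf.d on a real system); it is a parameter so the function
# can be tried against a temporary directory first. Prints the path written.
write_tss2_dracut_conf() {
    printf '%s\n' 'install_optional_items+=" /usr/lib64/libtss2* /usr/lib64/libfido2.so.* "' > "$1/tss2.conf"
    printf '%s\n' "$1/tss2.conf"
}

# Dry run: print the whole plan for crypttab entry NAME and block device DEVICE.
# Usage: sh tpm2-luks.sh luks-<uuid> /dev/nvme0n1p3   (placeholders)
# Set CRYPTTAB=/some/copy to preview the crypttab rewrite against a copy.
main() {
    name=$1
    dev=$2
    f=${CRYPTTAB:-/etc/crypttab}
    echo "# 1. enroll the TPM2 token (as root):"
    tpm2_enroll_cmd "$dev"
    echo "# 2. $f with the new option (review it, then write it back):"
    if [ -r "$f" ]; then crypttab_add_tpm2 "$name" < "$f"; else echo "# ($f not readable)"; fi
    echo "# 3. create the dracut drop-in: write_tss2_dracut_conf /etc/dracut.conf.d"
    echo "# 4. rebuild the initramfs: sudo dracut -f"
    echo "# 5. reboot"
}

if [ $# -ge 2 ]; then main "$@"; fi
```

Binding the token to PCRs 0 and 7 means a UEFI firmware update or a change to the Secure Boot state will stop the TPM from releasing the key; the passphrase slot the installer created stays enrolled as the fallback, so keep it rather than removing it after the TPM unlock works.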
Of course, if your threat model includes state actors or the like, this may not be the right choice to make, but if you’re just wanting to make sure that your system is relatively secure if stolen, and that your boot disk is basically gibberish whenever you dispose of it some day, then I think this is a pretty good compromise.