a momentary lapse of reason

Configure the TPM

The final step is to enroll a decryption key in your TPM and configure it to automatically unlock your system. Once this is done, systemd will be able to query the TPM for the decryption key so long as the SecureBoot state is verified.

All steps in this section need to be run from a terminal window.

Install tpm2-tools

You need some helper libraries to configure your TPM. Install them with the following command:

sudo pacman -S tpm2-tools

Identify your root partition

You need to know which partition on your hard drive is the root. Check your system's partition table with the following command:

sudo lsblk

You will see an output that looks like this:

NAME        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1     259:0    0 931.5G  0 disk  
├─nvme0n1p1 259:1    0     1G  0 part  /boot
└─nvme0n1p2 259:2    0 930.5G  0 part  
  └─root    254:0    0 930.5G  0 crypt /

As you can see, on my system the root partition is nvme0n1p2. These are all accessed through the /dev interface on a Linux system (for Devices), so the full name of my root partition is /dev/nvme0n1p2. All steps in this section will use this as the name for the device. If it is different on your system, you need to substitute the correct location.

Check that your system can see your TPM

Check that systemd can see your TPM and query it. This will work without any additional configuration on most modern computers. Query it with the following command:

sudo systemd-cryptenroll --tpm2-device=list

You should see an output that looks something like this:

PATH        DEVICE     DRIVER 
/dev/tpmrm0 IFX0785:00 tpm_tis

Check the TPM status

Next, you need to make sure that your TPM can be used. Run the following command to check the state:

sudo tpm2_getcap properties-variable

You should see an output like this:

TPM2_PT_PERMANENT:
  ownerAuthSet:              0
  endorsementAuthSet:        0
  lockoutAuthSet:            0
  reserved1:                 0
  disableClear:              0
  inLockout:                 0
  tpmGeneratedEPS:           0
  reserved2:                 0
TPM2_PT_STARTUP_CLEAR:
  phEnable:                  1
  shEnable:                  1
  ehEnable:                  1
  phEnableNV:                1
  reserved1:                 0
  orderly:                   1

We're interested in any of the options with Auth in their name, and the disableClear entry. If any of these say 1, you need to first clear your TPM in the UEFI BIOS. The instructions for how to do this are outside of the scope of this document: please consult with your computer manufacturer's documentation.

If you have an existing Windows installation, erasing the keys will prevent it from being able to automatically decrypt the hard drive. It can reenroll in the TPM next time you boot, but make sure that you have saved the Windows recovery key before erasing the TPM.

Generate recovery keys

This step is optional, but is strongly recommended. If your TPM is ever corrupted and you have erased your password from the partition (the last step in this guide), your computer will be unrecoverable without recovery keys. When you generate a recovery key you should save it in a safe place, for example on another computer, network-attached storage, or as a printed copy in a safe place in your home. Ideally save it in multiple locations. Generate the key with the following command:

sudo systemd-cryptenroll --recovery-key /dev/nvme0n1p2

Check the output that is generated. It should generate a QR code you can scan with your phone to quickly copy/paste the key into an e-mail. It will also show the recovery keys on screen so they can be saved or printed from your computer.

Generate a TPM decryption key

Finally, we can generate a TPM decryption key for your hard drive. Run the following command:

sudo systemd-cryptenroll --tpm2-device=auto /dev/nvme0n1p2 --tpm2-pcrs=7

The --tpm2-pcrs option tells SecureBoot what to validate before unlocking the encryption key that you are saving in the TPM. Here, we have chosen the SecureBoot state (SecureBoot is enabled, and your boot image is cryptographically signed using the keys you generated in the last section). This should be good enough for most installations, but SecureBoot supports many different metrics it can compare against before unlocking the TPM. If you wish to add more options, separate them with a +. e.g: --tpm-pcrs=0+7 For more information, click here

Reboot your computer, use it for a few days

Once you have generated a TPM key, reboot your computer. If everything worked, you should no longer need to enter your password to unlock the hard drive. I strongly advise that you use your computer for a few days and power off your computer several times during this time so that you can be confident that the TPM will unlock your hard drive every time before proceeding to the final step.

Erase your unlock password

This is optional, but is strongly recommended as your unlock password is the weakest link in your full disk encryption. As a general rule of thumb with passwords, if you can remember it then it isn't secure. It may be something that's guessable (and no, obfuscating it with leet speak doesn't make it unguessable), and it's almost certainly short enough that a determined hacker with enough time can figure it out. Somebody with physical access to your computer can always remove your hard drive and make an image of it to attack offline, then put your computer back together and you would never know it had been compromised. In cybersecurity, we call this an Evil Maid Attack.

Because of this, the final step in securing your fully encrypted system should be to delete your password from the encrypted volume. When you are confident that your TPM is working reliably, erase the password using the following command:

sudo systemd-cryptenroll /dev/nvme0n1p2 --wipe-slot=password

Back to Top