From Fedora Project Wiki
m (→Description) |
mNo edit summary |
||
| Line 23: | Line 23: | ||
clevis luks bind -f -k- -d $DEV tpm2 '{}' <<< $YOUR_PASSPHRASE | clevis luks bind -f -k- -d $DEV tpm2 '{}' <<< $YOUR_PASSPHRASE | ||
Reboot the system and see if it is booted without user intervention. | |||
= Results= | = Results= | ||
# The installed system should boot to log in without needing the passphrase for the encrypted filesystem. | |||
Revision as of 19:46, 31 March 2020
Description
A simple validation test case for Clevis on Fedora IoT Edition. This test will require hardware with a Trusted Platform Module (TPM) or a virtual machines with an emulated TPM (you will need to install swtpm, swtpm-tools).
Setup
Install a system with an encrypted root filesystem. See this testcase for further details.
How to test
Verify decryption is working via TPM2
echo foo | clevis encrypt tpm2 '{}' | clevis decrypt
Get the UUID of the encrypted device
UUID=$(lsblk | grep luks | sed 's/^.*luks-//' | cut -d ' ' -f1) DEV=$(blkid --uuid $UUID)
Check encryption details of the device
cryptsetup luksDump $DEV
Verify the passphrase before setting
cryptsetup luksOpen --test-passphrase --key-slot 0 $DEV && echo correct
Setup Clevis to decrypt via TPM2 on boot
clevis luks bind -f -k- -d $DEV tpm2 '{}' <<< $YOUR_PASSPHRASE
Reboot the system and see if it is booted without user intervention.
Results
- The installed system should boot to log in without needing the passphrase for the encrypted filesystem.