mirror of https://github.com/PrivSec-dev/privsec.dev synced 2025-02-20 18:31:35 -05:00
Signed-off-by: samsepi0l <74207682+d4rklynk@users.noreply.github.com>
This commit is contained in:
samsepi0l 2022-12-26 14:47:49 +01:00 committed by GitHub
parent 71bcdc1eaa
commit 41f92b50dc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -21,6 +21,59 @@ Some of the sections will include mentions of unofficial builds of packages like
Most Linux distributions have an option within its installer for enabling LUKS full disk encryption. If this option isnt set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning) but before [filesystem](https://en.wikipedia.org/wiki/File_system) creation. Most Linux distributions have an option within its installer for enabling LUKS full disk encryption. If this option isnt set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning) but before [filesystem](https://en.wikipedia.org/wiki/File_system) creation.
### TPM enrollment
If you have a [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module) chip in your computer, you can use it in addition with LUKS.
A full guide how to install is available in this [gist](https://gist.github.com/jdoss/777e8b52c8d88eb87467935769c98a95) or in [Arch's documentation](https://wiki.archlinux.org/title/Trusted_Platform_Module#Data-at-rest_encryption_with_LUKS).
Check if you have TPM available :
```
# systemd-cryptenroll --tpm2-device=list
```
You must have Secure Boot enabled, to check so :
```
# mokutil --sb-state
```
If it's set to "Disabled", you need to enable it in the UEFI firmware.
Check your encrypted volumes :
```
# blkid -t TYPE=crypto_LUKS
```
Then, you can finally enroll your encrypted volumes :
```
# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+4+7 /dev/sdX
```
Replace sdX with the right volume.
If you have several volumes, you can redo the command with the right volume, etc.
Finally, edit `/etc/crypttab` and add at the end of each line `tpm2-device=auto,discard`, like so :
`luks-014aa5a6-a007-11ec-a054-7c10c93c41b1 UUID=0818cd36-a007-11ec-aaab-7c10c93c41b1 - tpm2-device=auto,discard`
Then, edit `/etc/default/grub` and add `rd.luks.options=tpm2-device=auto` in `GRUB_CMDLINE_LINUX`
You can optionally generate a recovery key :
```
# systemd-cryptenroll --recovery-key /dev/sdX
```
Check and reboot :
```
# systemd-cryptenroll /dev/sdX
SLOT TYPE
0 password
1 tpm2
2 recovery
```
Note that with secure boot enabled, you should manually sign your NVidia drivers with [akmod](https://github.com/larsks/akmod-sign-modules).
### Encrypted Swap ### Encrypted Swap
Consider using [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) or [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). While ZRAM can be set up post-installation, if you want to use encrypted swap, you should set it up while partitioning your drive. Consider using [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) or [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). While ZRAM can be set up post-installation, if you want to use encrypted swap, you should set it up while partitioning your drive.
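Review bot: the recovery key step (`# systemd-cryptenroll --recovery-key /dev/sdX`) is introduced as optional, but the enrollment line `# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+4+7 /dev/sdX` binds the TPM slot to firmware, option ROM and boot-loader measurements, so any firmware or GRUB update changes those PCR values and the TPM slot stops unlocking; the text should require a recovery key (or explicitly keeping the existing password slot 0 shown in the final listing) before enrollment, and should say how to re-enroll afterwards (re-run the enrollment command with `--wipe-slot=tpm2`). Smaller points in the same hunk: editing `/etc/default/grub` only takes effect after the GRUB config is regenerated, and the initramfs must contain the TPM2 unlock support, yet neither step appears; `discard` in the crypttab line `luks-... UUID=... - tpm2-device=auto,discard` has nothing to do with the TPM and enables TRIM pass-through, which reveals which blocks of the encrypted device are unused, so it should be explained or dropped; and enrolling without a PIN means the volume unlocks for anyone who powers on the machine, leaving the login screen as the only barrier, so `--tpm2-with-pin=yes` deserves a mention for readers who want a second factor.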