RHEL6 LUKS with TPM support

encryptionlukslvmrhel

I'm surprised that this question is not asked more frequently, but (in RHEL) does LUKS support TPM's the way that Windows BitLocker does? If so, how is this feature implemented, and does it provide the same type of protections that BitLocker for Windows provides?

BitLocker is very popular among businesses, and now that RHEL6 is getting FIPS certification for the disk encryption modules, it would be great if it also supported the same feature set.

However, I do understand that with the way LUKS works, not every volume can be encrypted, since the system would need to read the /etc/fstab and the /etc/crypttab files in order to mount the volumes. I believe this is OK as long as /home, /var, and other directories chosen by the administrator are encrypted.

I find it odd that "TPM" is not a tag on serverfault.

Best Answer

I've implemented support for storing your LUKS key in TPM NVRAM, and RHEL6 happens to be the one platform where all features are fully tested, see this post:

[1] https://security.stackexchange.com/a/24660/16522

Related Solutions

Linux: LUKS and multiple hard drives

You can use /lib/cryptsetup/scripts/decrypt_derived in your crypttab to automatically use the key from one disk for another.

The decrypt_derived script is part of Debian's cryptsetup package.

Small example to add the key from sda6crypt to sda5:

/lib/cryptsetup/scripts/decrypt_derived sda6crypt > /path/to/mykeyfile
cryptsetup luksAddKey /dev/sda5 /path/to/mykeyfile
ls -la /dev/disk/by-uuid/ | grep sda5
echo "sda5crypt UUID=<uuid> sda6crypt luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived" >> /etc/crypttab
shred -u /path/to/mykeyfile # remove the keyfile

As it is nowadays very difficult to really delete a file, ensure that /path/to/mykeyfile is on a encrypted drive (sda6crypt would be in my example a good solution).

In general, you can add an additional security layer by using user space filesystem encryption e.g. via encfs.

Filesystem types for encrypted partitions

The “filesystem type” in a PC partition is actually a volume type, or more precisely a usage type: it's really supposed to indicate which operating system the partition belongs to (e.g. Windows vs Solaris vs FreeBSD), and what it's supposed to do with it (e.g. nested partition of some kind vs filesystem vs swap). In practice, different OS vendors have made different choices and it's a bit of a mess.

For example, 83 is not “ext[234]” but “filesystem for Linux”. For anything using the dm layer, the convention is fd (“Linux raid”). This covers not only RAID but also dmcrypt, regardless of what filesystem or nested container (e.g. LVM) is on the encrypted volume.

But this is just a convention — Linux itself doesn't care about the type field except to mark unused partitions and extended partitions.

Best Answer

Related Solutions

Linux: LUKS and multiple hard drives

Filesystem types for encrypted partitions

Related Question