Configure TPM2 to automatically unlock LUKS encrypted drive during boot on Ubuntu Server

gistfile1.txt

This is a step by step document to help you setup unlocking LUKS partition with Clevis. However, Arch Linux Wiki details the built in support for unlocking LUCS without requiring Clevis but the steps are not entirely cleaar.

Step 1: Install Clevis packages and refresh the TPM permissions

```
$ sudo -i
# apt install clevis clevis-tpm2 clevis-luks clevis-udisks2 clevis-systemd clevis-initramfs -y
# udevadm trigger
```

<b> Step 2: Find which banks are avilable in the TPM </b>

```
tpm2_pcrread
```
The output of the above lists different hash algorithms. if there no numbers next to the hash then it's unusable. SHA256 is a good hash algorithm and should support most cases. 

To find out the encrypted drive path, try the following command on different partitions you have
cryptsetup luksDump /dev/sda1

<b> Step 3: Add a key to LUKS partition from Clevis, tied to the TPM </b>

```
# clevis luks bind -d /dev/sda3 tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,1,7"}'
```
You can use any PCRs you like, but the recommendation would be to use a number at least 7. <b> Also make sure to update the partition to your specific drive, this should be the root partition of your Ubuntu install.</b> You can store the keys for all other partitions in this partition so all other partitions also unlock. Only the root requires the TPM auto-unlock

<b> Step 4: Update the Initramfs </b>

```
# update-initramfs -u -k 'all'
```

You should add at least pcr_ids 8 to avoid kernel command line modification... Without an attack by modification of the command line by the grub (by adding single or init=/bin/sh), will give you your disk unencrypted to an attacker...