Disk encryption with Clevis example

disk-encryption.sh

  GNU nano 4.3                                             disk-encryption.sh                                                       
#!/bin/bash

set -euxo pipefail

rpm -qa clevis* cryptsetup* luks* tpm2* e*fspr* | sort

# Creation

# dd if=/dev/zero of=/dev/sda1 bs=1M status=progress
openssl rand -hex 8 > key
cryptsetup -q luksFormat /dev/sda1 key
clevis luks bind -f -k key -d /dev/sda1 tpm2 '{"pcr_bank":"sha256", "pcr_ids":"0,1"}'
cryptsetup luksRemoveKey /dev/sda1 key
cryptsetup luksOpen /dev/sda1 c1 --key-file key || echo "Key Removed Succesfully"
clevis luks unlock -d /dev/sda1 -n c1
# dd if=/dev/zero of=/dev/mapper/c1 bs=1M status=progress
mkfs.ext4 /dev/mapper/c1
sleep 1

# Mount

mkdir -p /tmp/disk-encryption-mount
mount /dev/mapper/c1 /tmp/disk-encryption-mount

# Sanitization

umount /tmp/disk-encryption-mount
cryptsetup luksClose c1
clevis luks unbind -d /dev/sda1 -s 1 -f
tpm2_clear