Encryption role for luks encrypted drives including TPM2 support

2025-12-15 12:12:05 +01:00 · 2025-12-15 12:12:05 +01:00 · e45275181f
commit e45275181f
parent b807d2142e
5 changed files with 96 additions and 0 deletions
--- a/roles/lmn_encrypt/tasks/tpm2.yml
+++ b/roles/lmn_encrypt/tasks/tpm2.yml
@ -0,0 +1,42 @@
+---
+- name: Install tpm2-tools and dracut
+  ansible.builtin.apt:
+    name:
+      - tpm2-tools
+      - dracut
+
+- name: Enable tpm2-tss crypt module on dracut
+  ansible.builtin.copy:
+    dest: /etc/dracut.conf.d/crypt.conf
+    content: add_dracutmodules+=" tpm2-tss crypt "
+    mode: '0644'
+  notify: Run update-dracut
+
+- name: Comment out root device in crypttab
+  ansible.builtin.lineinfile:
+    dest: /etc/crypttab
+    regexp: '^([^#].*)'
+    line: '#\1'
+    backrefs: true
+
+- name: Insert luks support to GRUB_CMDLINE_LINUX
+  ansible.builtin.lineinfile:
+    dest: /etc/default/grub
+    regexp: '^(GRUB_CMDLINE_LINUX=).*'
+    line: '\1"rd.auto rd.luks=1"'
+    backrefs: true
+  notify: Run update-grub
+
+- name: Insert TPM2 to Luks slot
+  ansible.builtin.command:
+    cmd: >
+      systemd-run -P --wait
+      -p SetCredential=cryptenroll.passphrase:{{ encrypt_passphrase | default(encrypt_passphrase_initial) }}
+      systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 {{ encrypt_device }} --wipe-slot=tpm2
+  no_log: true
+  when: "'tpm2' not in encrypt_slots_result.stdout"
+
+# - name: Update TPM2 Luks slot
+#   ansible.builtin.command:
+#     cmd: systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+8 --unlock-tpm2-device=auto {{ encrypt_device }} --wipe-slot=tpm2
+#   when: not grub_config.changed