guide update

2026-02-16 10:53:49 +01:00
parent f594df345a
commit cab90ada0d


@@ -241,7 +241,16 @@ sbctl create-keys
sbctl enroll-keys -m sbctl enroll-keys -m
``` ```
If you also want to enroll hardware security keys, use [systemd-cryptenroll](https://wiki.archlinux.org/title/Systemd-cryptenroll) ##### linking TPM and LUKS key
Without this step, the computer is still vulnerable to evild maid attacks and a software keylogger could be installed by disabling the secure boot (clear CMOS for example). To make sure the encrypted device is linked to the TPM, we need to run the following command:
```bash
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/vda2
```
[systemd-cryptenroll](https://wiki.archlinux.org/title/Systemd-cryptenroll) also support hardware security keys like FIDO2 tokens, in this case you can refer to the archwiki for the command syntax.
systemd-boot is also the recommended option instead of using grub when linking the TPM and LUKS key, you can then only have a PIN and also be protected in more scenarios.
#### 2.2.5) opional packages #### 2.2.5) opional packages
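Review bot: the `--tpm2-pcrs=0+7` choice in `systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/vda2` needs a caveat in the surrounding prose: PCR 0 changes on every firmware update, so the TPM-bound keyslot will stop unlocking after one, and the guide should tell readers to keep a passphrase keyslot as a fallback (and to re-run the enrollment afterwards). The sentence "you can then only have a PIN" also does not match the command, which enrolls without a PIN; either add `--tpm2-with-pin=yes` to the command or reword the sentence. Minor: `/dev/vda2` is a VM disk name and should be marked as an example the reader must replace; "evild maid" should read "evil maid", and "also support hardware security keys" should read "also supports hardware security keys".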