
Ubuntu20.04自动安装程序UEFI全磁盘加密

Ask Ubuntu user
Asked on 2021-03-30 13:03:48
Answers: 1 · Views: 1.8K · Followers: 0 · Votes: 4

I wrote this user-data to install Ubuntu 20.04 on a UEFI server.

```yaml
#cloud-config
autoinstall:
  update: yes
  early-commands:
    - systemctl stop ssh
  apt:
    geoip: true
    preserve_sources_list: false
    primary:
    - arches: [amd64, i386]
      uri: http://fr.archive.ubuntu.com/ubuntu
    - arches: [default]
      uri: http://ports.ubuntu.com/ubuntu-ports
  packages:
    - modemmanager
    - network-manager
    - socat
  identity: {hostname: edgegateway, password: verysecure,
    realname: Cyril, username: cyril}
  keyboard: {layout: fr, toggle: null, variant: ''}
  locale: en_US
  network:
    ethernets:
        eth0: { dhcp4: true, dhcp-identifier: mac, optional: true }
        eth1: { dhcp4: true, dhcp-identifier: mac, optional: true }
    version: 2
  ssh:
    allow-pw: true
    authorized-keys: ['ssh-rsa ....']
    install-server: true
  storage:
    config:
    - {ptable: gpt, path: /dev/sda, wipe: superblock, preserve: false, name: '',
      grub_device: false, type: disk, id: disk-sda}
    - {device: disk-sda, size: 536870912, wipe: superblock, flag: boot, number: 1,
      preserve: false, grub_device: true, type: partition, id: partition-0}
    - {fstype: fat32, volume: partition-0, preserve: false, type: format, id: format-0}
    - {device: disk-sda, size: 1073741824, wipe: superblock, flag: '', number: 2,
      preserve: false, type: partition, id: partition-1}
    - {fstype: ext4, volume: partition-1, preserve: false, type: format, id: format-1}
    - {device: disk-sda, size: -1, wipe: superblock, flag: '', number: 3,
      preserve: false, type: partition, id: partition-2}
    - {volume: partition-2, key: 'verysecure', preserve: false, type: dm_crypt,
      id: dm_crypt-0}
    - name: ubuntu-vg
      devices: [dm_crypt-0]
      preserve: false
      type: lvm_volgroup
      id: lvm_volgroup-0
    - {name: swap, volgroup: lvm_volgroup-0, size: 8G, preserve: false, type: lvm_partition,
      id: lvm_partition-0}
    - {fstype: swap, volume: lvm_partition-0, preserve: false, type: format, id: format-4}
    - {name: ubuntu-lv, volgroup: lvm_volgroup-0, size: -1, preserve: false,
      type: lvm_partition, id: lvm_partition-1}
    - {fstype: ext4, volume: lvm_partition-1, preserve: false, type: format, id: format-3}
    - {device: format-3, path: /, type: mount, id: mount-3}
    - {device: format-4, path: '', type: mount, id: mount-4}
    - {device: format-1, path: /boot, type: mount, id: mount-1}
    - {device: format-0, path: /boot/efi, type: mount, id: mount-0}
    swap: {swap: 0}
  version: 1
```

On first boot, I run a script that stores the passphrase in the TPM:

```bash
#!/bin/bash
set -e

apt update
apt dist-upgrade -y
apt install -y clevis-luks clevis-tpm2 luksmeta tpm-udev tpm2-tools

# Same passphrase as the dm_crypt 'key' in the autoinstall storage config
password="verysecure"

# Add a TPM2-sealed keyslot to the LUKS container on /dev/sda3, bound to
# PCR 7 (Secure Boot state); the existing passphrase is supplied on stdin
clevis luks bind -f -d /dev/sda3 tpm2 '{"pcr_ids":"7"}' <<< "$password"

# Seal the passphrase to PCRs 8 and 9 as a standalone JWE (printed to stdout)
echo "$password" | clevis encrypt tpm2 '{"pcr_ids":"8,9"}'

# Hook clevis into the initramfs so the root volume is unlocked at boot
apt install -y clevis-initramfs
```

Everything works, but it is not secure enough.

  • How do I encrypt /boot? I think I just need to remove
    {device: disk-sda, size: 536870912, wipe: superblock, flag: boot, number: 1, preserve: false, grub_device: true, type: partition, id: partition-0}
    {device: format-1, path: /boot, type: mount, id: mount-1}
  • How do I deal with GRUB? Can it retrieve the passphrase from the TPM?
  • Do I need one passphrase from the TPM for GRUB and another for LUKS?

Thanks in advance for your answers/snippets.
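The first question is really about which mount points end up inside the LUKS container. Curtin's storage config is a graph (mount → format → lvm_partition → volgroup → dm_crypt → partition → disk), so it can be audited mechanically. The following is an added example, not code from the Ask Ubuntu post: it transcribes the asker's storage actions into Python literals (constructed here so it runs without PyYAML), reports which mount points are encrypted, flags the passphrase that sits in cleartext in the user-data, and models the effect of dropping the separate /boot partition so that /boot lives on the encrypted root.

```python
"""Audit which mount points in a subiquity/curtin storage config land on a
dm_crypt-backed device.  Added example, not code from the Ask Ubuntu post."""

# The asker's storage actions, transcribed as Python literals so this runs
# without PyYAML; keys that do not affect the device graph (wipe, preserve,
# ptable, flag, size) are left out.
STORAGE_CONFIG = [
    {"type": "disk", "id": "disk-sda", "path": "/dev/sda"},
    {"type": "partition", "id": "partition-0", "device": "disk-sda", "number": 1, "grub_device": True},
    {"type": "format", "id": "format-0", "volume": "partition-0", "fstype": "fat32"},
    {"type": "partition", "id": "partition-1", "device": "disk-sda", "number": 2},
    {"type": "format", "id": "format-1", "volume": "partition-1", "fstype": "ext4"},
    {"type": "partition", "id": "partition-2", "device": "disk-sda", "number": 3},
    {"type": "dm_crypt", "id": "dm_crypt-0", "volume": "partition-2", "key": "verysecure"},
    {"type": "lvm_volgroup", "id": "lvm_volgroup-0", "name": "ubuntu-vg", "devices": ["dm_crypt-0"]},
    {"type": "lvm_partition", "id": "lvm_partition-0", "volgroup": "lvm_volgroup-0", "name": "swap"},
    {"type": "format", "id": "format-4", "volume": "lvm_partition-0", "fstype": "swap"},
    {"type": "lvm_partition", "id": "lvm_partition-1", "volgroup": "lvm_volgroup-0", "name": "ubuntu-lv"},
    {"type": "format", "id": "format-3", "volume": "lvm_partition-1", "fstype": "ext4"},
    {"type": "mount", "id": "mount-3", "device": "format-3", "path": "/"},
    {"type": "mount", "id": "mount-4", "device": "format-4", "path": ""},
    {"type": "mount", "id": "mount-1", "device": "format-1", "path": "/boot"},
    {"type": "mount", "id": "mount-0", "device": "format-0", "path": "/boot/efi"},
]

# curtin points each action at the one(s) beneath it with one of these keys
LINK_KEYS = ("device", "volume", "volgroup", "devices")


def parents(action):
    """Ids of the actions this action is stacked on."""
    ids = []
    for key in LINK_KEYS:
        value = action.get(key)
        if isinstance(value, list):
            ids.extend(value)
        elif value is not None:
            ids.append(value)
    return ids


def is_encrypted(action_id, by_id, _seen=None):
    """True if a dm_crypt action lies anywhere beneath action_id."""
    seen = _seen if _seen is not None else set()
    if action_id in seen or action_id not in by_id:
        return False
    seen.add(action_id)
    action = by_id[action_id]
    if action["type"] == "dm_crypt":
        return True
    return any(is_encrypted(p, by_id, seen) for p in parents(action))


def audit_mounts(config):
    """Map each mount point (swap as 'swap') to whether its storage is encrypted."""
    by_id = {a["id"]: a for a in config}
    return {(a["path"] or "swap"): is_encrypted(a["device"], by_id)
            for a in config if a["type"] == "mount"}


def mount_for(path, report):
    """The mount point that actually holds path (longest matching prefix)."""
    best = None
    for m in report:
        if m != "swap" and (path == m or path.startswith(m.rstrip("/") + "/")):
            if best is None or len(m) > len(best):
                best = m
    return best


def unencrypted_mounts(config, must_encrypt=("/", "/boot", "swap")):
    """Paths from must_encrypt whose holding mount is not on a dm_crypt device.
    /boot/efi is deliberately not listed: the ESP has to stay plain FAT."""
    report = audit_mounts(config)
    findings = []
    for path in must_encrypt:
        holder = path if path == "swap" else mount_for(path, report)
        if holder is not None and not report[holder]:
            findings.append(path)
    return findings


def cleartext_luks_keys(config):
    """dm_crypt actions that carry the passphrase inside the user-data itself."""
    return [a["id"] for a in config if a["type"] == "dm_crypt" and "key" in a]


def drop_separate_boot(config):
    """The change the asker proposes: remove the /boot partition, its filesystem
    and its mount, so /boot becomes a directory on the encrypted root LV."""
    return [a for a in config if a["id"] not in {"partition-1", "format-1", "mount-1"}]


if __name__ == "__main__":
    print(audit_mounts(STORAGE_CONFIG))
    print("unencrypted:", unencrypted_mounts(STORAGE_CONFIG))
    print("cleartext keys in user-data:", cleartext_luks_keys(STORAGE_CONFIG))
    print("after dropping /boot:", unencrypted_mounts(drop_separate_boot(STORAGE_CONFIG)))
```

Run as-is, the audit reports / and swap as encrypted and /boot and /boot/efi as plain, and lists dm_crypt-0 as carrying a cleartext key. After `drop_separate_boot`, /boot resolves to the encrypted root. Note what the audit does not model: with /boot inside the container, GRUB itself must be able to open it (GRUB's `GRUB_ENABLE_CRYPTODISK=y` setting), and the ESP with the signed bootloader necessarily remains unencrypted, which is why binding the LUKS keyslot to PCR 7 still matters.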


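For the first-boot script, the check a practitioner wants afterwards is whether the TPM2 binding really is sealed to the intended PCRs: a `tpm2` pin with no `pcr_ids` unseals under any boot state, which defeats the point of the binding. The following is an added example, not code from the post or from the clevis project: it parses the `slot: pin 'json'` lines that `clevis luks list` prints (the sample output and slot numbers are constructed for the example; the line format is assumed from typical clevis output) and reports bindings that miss a required PCR.

```python
"""Check clevis TPM2 bindings on a LUKS device against a PCR policy.
Added example; the sample output below is constructed, not captured."""
import json
import re

# Constructed stand-in for `clevis luks list -d /dev/sda3` output: slot 1 is
# what the first-boot script above would create (bound to PCR 7); slot 2 is a
# deliberately weak binding with no PCRs at all.
SAMPLE_LIST_OUTPUT = """\
1: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"7"}'
2: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha256"}'
"""

# <slot>: <pin> '<json config>'   (format assumed from typical clevis output)
LINE_RE = re.compile(r"^(\d+):\s+(\w+)\s+'(.*)'$")


def parse_clevis_list(text):
    """Map LUKS keyslot number -> (pin name, pin config dict)."""
    bindings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a binding line
        slot, pin, cfg = m.groups()
        bindings[int(slot)] = (pin, json.loads(cfg))
    return bindings


def pcr_set(cfg):
    """PCR indices a tpm2 pin config is sealed to; accepts "7", "8,9" or [7]."""
    ids = cfg.get("pcr_ids", "")
    if isinstance(ids, list):
        return {int(p) for p in ids}
    return {int(p) for p in str(ids).split(",") if p.strip()}


def check_bindings(bindings, required_pcrs=frozenset({7})):
    """Return findings for bindings that fall short of policy; [] means all pass."""
    findings = []
    for slot, (pin, cfg) in sorted(bindings.items()):
        if pin != "tpm2":
            findings.append(f"slot {slot}: pin {pin!r} is not tpm2")
            continue
        bound = pcr_set(cfg)
        if not bound:
            findings.append(f"slot {slot}: tpm2 pin sealed to no PCRs; any boot state unseals it")
        elif not required_pcrs <= bound:
            missing = sorted(required_pcrs - bound)
            findings.append(f"slot {slot}: missing required PCRs {missing}")
    return findings


if __name__ == "__main__":
    bound = parse_clevis_list(SAMPLE_LIST_OUTPUT)
    for finding in check_bindings(bound) or ["all bindings meet policy"]:
        print(finding)
```

On a real host, feed it the output of `clevis luks list -d /dev/sda3` instead of the constructed sample; slot 0 (the original passphrase) does not appear there because it is not a clevis binding, and keeping it is what lets you recover if a firmware update changes PCR 7.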
1 Answer

Ask Ubuntu user

Posted on 2021-08-11 20:07:10

Just follow "LUKS disk encryption scheme with the passphrase stored in TPM2 as a protector" at: https://tpm2-software.github.io/2020/04/13/Disk-Encryption.html

Votes: 0
Original content provided by Ask Ubuntu; translation supported by Tencent Cloud's Xiaowei IT-domain engine.
Original link: https://askubuntu.com/questions/1328189
