Hi, I'm trying to encrypt a secondary data disk. I want this disk to be decrypted during boot of my machine. I currently have a RAID setup, with an LVM volume on top which is already encrypted with LUKS.
I have executed a command like this: sudo clevis luks bind -d /dev/RaidVG/LVMVol tpm2 '{"pcr_ids":"15", "pcr_bank":"sha256"}'
Now, as I understand it, I'm adding a keyslot to my LUKS header that is bound to my TPM 2.0 module on PCR bank 15. That seems to work; what I don't understand, though, is what happens when I execute 'tpm2_pcrread'. It says that my PCR 'value' is still 0:
$ sudo tpm2_pcrread
sha1:
sha256:
0 : 0xREDACTED
1 : 0xREDACTED
2 : 0xREDACTED
3 : 0xREDACTED
4 : 0xREDACTED
5 : 0xREDACTED
6 : 0xREDACTED
7 : 0xREDACTED
8 : 0x0000000000000000000000000000000000000000000000000000000000000000
9 : 0x0000000000000000000000000000000000000000000000000000000000000000
10: 0x0000000000000000000000000000000000000000000000000000000000000000
11: 0x0000000000000000000000000000000000000000000000000000000000000000
12: 0x0000000000000000000000000000000000000000000000000000000000000000
13: 0x0000000000000000000000000000000000000000000000000000000000000000
14: 0x0000000000000000000000000000000000000000000000000000000000000000
15: 0x0000000000000000000000000000000000000000000000000000000000000000
16: 0x0000000000000000000000000000000000000000000000000000000000000000
17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
23: 0x0000000000000000000000000000000000000000000000000000000000000000
sha384:
sha512:
What exactly do these PCR values mean? I cannot find an answer to this online. Shouldn't these values change after I do anything with my PCR bank?
One other peculiar thing is that when I encrypt a simple hello world file following this tutorial (https://www.fit-pc.com/wiki/index.php?title=Linux:_Full_Disk_Encryption), I get the exact same encrypted output "eyJhbGciOiJkaXIiLCJjbGV2aXMiOnsicGluIjoidHBtMiIsInRwbTIiOnsiaGFzaCI6InNoYTI". Now, they don't display the entire output that they get, just the first line. Is this because I have some default keys set up? Or is this some kind of common header? My TPM module is virtualized, so that may also be an issue.
I hope someone could explain a bit more about how this actually works and how to securely set my encryption scheme up.
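Added after the question as an illustration (this is not code from the post, from clevis or from tpm2-tools): a small Python model of the two things the post is asking about. First, how a PCR gets its value: a PCR cannot be written, only extended (new = SHA-256(old || digest)), so a PCR nobody has extended reads as all zeros no matter how often it is read, and 'clevis luks bind' only reads the selected PCRs to compute a TPM2_PolicyPCR digest (SHA-256 over the selected PCR values in index order) that the sealed key is tied to; it does not extend anything. Second, why two clevis outputs share the same leading characters: the first dot-separated segment of a compact JWE is the base64url protected header, which is identical for the same pin and configuration, and only the later segments carry key material and ciphertext. The bank layout, the measurement data and all function names here are constructed for the example; PCRs 17 to 22 reading 0xFF..FF is the documented D-RTM reset state on PC Client TPMs, which the model reproduces.

```python
import base64
import hashlib

# Constructed model of the SHA-256 PCR bank as it appears in the post: indices 0..16
# and 23 start all zeros; 17..22 read 0xFF..FF until a D-RTM/locality event resets them.
PCR_ZERO = bytes(32)
PCR_ONES = b"\xff" * 32


def fresh_sha256_bank() -> dict:
    """Simulated SHA-256 bank at power-on, before firmware has measured anything."""
    return {i: (PCR_ONES if 17 <= i <= 22 else PCR_ZERO) for i in range(24)}


def pcr_extend(current: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new = H(old || digest). There is no 'set' operation,
    so an untouched PCR stays at its reset value (all zeros here) however often it is read."""
    return hashlib.sha256(current + digest).digest()


def pcr_digest(bank: dict, selection) -> bytes:
    """The pcrDigest that TPM2_PolicyPCR checks: H(selected PCR values, ascending index).
    This is what a clevis tpm2 pin with pcr_ids=15 ties the sealed key to."""
    return hashlib.sha256(b"".join(bank[i] for i in sorted(selection))).digest()


def simulate_bind_then_extend(selection=(15,), data=b"constructed boot event") -> dict:
    """Bind only *reads* the PCRs to build the policy, so PCR 15 is unchanged afterwards.
    Anything extended into PCR 15 later changes the digest and the TPM refuses to unseal."""
    bank = fresh_sha256_bank()
    policy_at_bind = pcr_digest(bank, selection)
    pcr15_after_bind = bank[15]  # still all zeros: binding extends nothing
    # Later, firmware, a measured-boot hook or a manual tpm2_pcrextend extends PCR 15
    # with the SHA-256 of some (constructed) event data.
    bank[15] = pcr_extend(bank[15], hashlib.sha256(data).digest())
    policy_now = pcr_digest(bank, selection)
    return {
        "pcr15_after_bind": pcr15_after_bind,
        "pcr15_after_extend": bank[15],
        "policy_at_bind": policy_at_bind,
        "policy_now": policy_now,
        "unseal_would_succeed": policy_now == policy_at_bind,
    }


def decode_jwe_prefix(token: str) -> str:
    """Decode the protected header of a compact JWE (the text before the first '.').
    Works on a truncated paste such as the one in the post; the result is the start of
    the header JSON, which is why two encryptions with the same pin share this prefix."""
    head = token.split(".")[0]
    padded = head + "=" * (-len(head) % 4)
    return base64.urlsafe_b64decode(padded).decode("ascii")


if __name__ == "__main__":
    r = simulate_bind_then_extend()
    print("PCR15 after bind  :", r["pcr15_after_bind"].hex())
    print("PCR15 after extend:", r["pcr15_after_extend"].hex())
    print("policy at bind    :", r["policy_at_bind"].hex())
    print("unseal would succeed now:", r["unseal_would_succeed"])
    # The exact prefix quoted in the post.
    print(decode_jwe_prefix(
        "eyJhbGciOiJkaXIiLCJjbGV2aXMiOnsicGluIjoidHBtMiIsInRwbTIiOnsiaGFzaCI6InNoYTI"))
```

Running it prints the PCR 15 value staying at all zeros across the bind, the policy digest for an all-zero PCR 15 (SHA-256 of 32 zero bytes, the same on every machine with an untouched PCR 15), and the decoded header `{"alg":"dir","clevis":{"pin":"tpm2","tpm2":{"hash":"sha2`, cut off exactly where the pasted string ends. The practical consequence is the one to check before relying on this setup: with pcr_ids=15 and nothing on the system extending PCR 15, the policy is satisfied on any boot state of that TPM, so the keyslot is tied to the TPM chip (or, here, the virtual TPM instance) rather than to a measured boot chain.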