
LUKS Encryption with TPM

Athena OS supports LUKS encryption for full-disk or root partition encryption with TPM 2.0.
Optionally, in Athena Arch, the encryption key can be automatically stored and managed by the TPM (Trusted Platform Module), providing secure key handling without requiring you to manually type a passphrase on every boot.

This integration is handled automatically by Aegis Installer, which can detect your TPM device and configure LUKS to unlock the encrypted partition using the TPM key at boot time.

By integrating LUKS with TPM, Athena OS ensures a high level of data protection while maintaining usability and system integrity.


LUKS (Linux Unified Key Setup) provides strong disk encryption by securing your partitions with AES-based cryptography.

When combined with TPM, the decryption key is securely sealed within the TPM hardware and can be unsealed only under the same platform configuration (PCR values).

In practice:

  1. The partition (usually /) is encrypted with LUKS.
  2. A keyslot is added to LUKS that uses a TPM-stored key.
  3. At boot, systemd-cryptsetup (or clevis) retrieves the key from the TPM to unlock the partition automatically.

This ensures that:

  • Your encryption key never leaves the TPM chip.
  • The system can auto-unlock without manual password entry (optional).
  • The disk remains unreadable if removed or the platform changes significantly.

During installation with Aegis, you can choose to:

  • Encrypt ROOT (LUKS) - a passphrase is requested.
  • Bind the key to TPM - if TPM is detected, Aegis will store the decryption key securely in the TPM and configure automatic unlocking.

You can manage TPM-bound LUKS keys using systemd-cryptenroll or clevis.
For example:

sudo systemd-cryptenroll --tpm2-device=auto /dev/nvme0n1p3

This command creates a TPM2-bound keyslot for the encrypted partition /dev/nvme0n1p3. If the TPM is cleared or replaced, this keyslot becomes invalid, which is why a backup or a recovery passphrase is essential.

To verify TPM enrollment:

sudo systemd-cryptenroll --list /dev/nvme0n1p3

PCRs (Platform Configuration Registers) are small memory registers inside the TPM that store cryptographic measurements of critical system components taken during boot. Each PCR represents a stage of the boot process, from firmware and bootloader to kernel and Secure Boot data. These measurements ensure that the TPM will only release the LUKS decryption key if the system’s boot components match the same trusted state recorded during enrollment.

PCR   | Description | Extended by
------|-------------|------------
PCR0  | Core System Firmware executable code (aka Firmware). May change if you upgrade your UEFI. | Firmware
PCR1  | Core System Firmware data (aka UEFI settings; configured boot order, for example) | Firmware
PCR2  | Extended or pluggable executable code (aka OpROMs) | Firmware
PCR3  | Extended or pluggable firmware data. Set during Boot Device Select UEFI boot phase. | Firmware
PCR4  | Boot Manager Code and Boot Attempts. Measures the boot manager and the devices that the firmware tried to boot from. | Firmware
PCR5  | Boot Manager Configuration and Data. Can measure configuration of boot loaders; includes the GPT Partition Table. | Firmware
PCR6  | Resume from S4 and S5 Power State Events | Firmware
PCR7  | Secure Boot State. Contains the full contents of PK/KEK/db, as well as the specific certificates used to validate each boot application | Firmware, shim (adds MokList, MokListX, and MokSBState)
PCR8  | Hash of the kernel command line | GRUB
PCR9  | Hash of the initramfs and EFI Load Options | Linux (measures the initramfs and EFI Load Options, essentially the kernel cmdline options)
PCR10 | Reserved for Future Use | 
PCR11 | Hash of the Unified kernel image | systemd-stub
PCR12 | Overridden kernel command line, Credentials | systemd-stub
PCR13 | System Extensions | systemd-stub
PCR14 | shim's MokList, MokListX, and MokSBState. | shim
PCR15 | Hash of the LUKS volume key | systemd-cryptsetup
PCR16 | Debug. May be used and reset at any time. May be absent from an official firmware release. | 
PCR23 | Application Support. The OS can set and reset this PCR. | 

What happens when PCRs change?

Athena OS uses the PCR7, PCR9, PCR11 and PCR14 registers. During each boot, Athena OS measures firmware, bootloader, and kernel components into TPM registers (PCRs). If the current measurements match those taken when the LUKS key was enrolled, the TPM releases the key automatically. If they differ, for example after a firmware or kernel update, or because of tampering with the kernel, firmware or bootloader, the TPM refuses to unseal the key. In that case you will be prompted to enter your LUKS passphrase manually. Once booted, you can safely re-enroll the TPM keyslot to reflect the new measurements.
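The three-step flow above (LUKS keyslot, TPM-sealed key, unseal at boot) and the PCR behaviour just described can be seen end to end in the following model. It is an added example written for this page, not Athena OS or Aegis code: it implements real SHA-256 PCR extension and a PCR-bound seal/unseal, while the storage-root-key seed, the boot event strings and the volume key are constructed stand-ins and the TPM2 wire protocol is not modelled. It also goes one step beyond the text by showing that a change in a PCR outside the enrolled selection (PCR8, the GRUB command line in the table) is not detected by a policy over 7+9+11+14.

```python
# Added example for this page; it is not Athena OS or Aegis code. It models
# TPM PCR extension and PCR-bound sealing with real SHA-256 so you can see
# why a changed boot component stops the TPM from releasing the LUKS key.
# The "storage root key" seed, the event strings and the volume key below
# are constructed stand-ins; the TPM2 wire protocol is not modelled.
import hashlib
import os
from typing import Dict, Iterable, List, Optional, Tuple

PCR_COUNT = 24
DIGEST_LEN = 32
ATHENA_PCRS = (7, 9, 11, 14)                # PCR set enrolled with --tpm2-pcrs=7+9+11+14
_SRK_SEED = b"simulated-storage-root-key"   # constructed; a real SRK never leaves the chip


def _sha256(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return h.digest()


def extend(pcr_value: bytes, event: bytes) -> bytes:
    """TPM2 PCR extend: new = SHA256(old || SHA256(event)). One-way and order-dependent."""
    return _sha256(pcr_value, _sha256(event))


def boot_events(secure_boot_db: bytes = b"db:athena-signing-cert",
                moklist: bytes = b"MokList:athena",
                initramfs: bytes = b"initramfs-6.1",
                cmdline: bytes = b"root=/dev/mapper/root rw",
                uki: bytes = b"athena-uki.efi",
                grub_cmdline: bytes = b"grub:linux ... quiet") -> List[Tuple[int, bytes]]:
    """Constructed boot log: (pcr_index, event) pairs in boot order, following the page's PCR table."""
    return [
        (7, secure_boot_db),   # PCR7: Secure Boot state (PK/KEK/db), firmware
        (14, moklist),         # PCR14: shim's MokList/MokListX/MokSBState
        (8, grub_cmdline),     # PCR8: kernel command line measured by GRUB (not in ATHENA_PCRS)
        (9, initramfs),        # PCR9: initramfs measured by Linux
        (9, cmdline),          # PCR9: EFI load options / kernel cmdline
        (11, uki),             # PCR11: unified kernel image hashed by systemd-stub
    ]


def measured_boot(events: Iterable[Tuple[int, bytes]]) -> List[bytes]:
    """Start every PCR at all-zero and extend each event into its register."""
    pcrs = [bytes(DIGEST_LEN)] * PCR_COUNT
    for index, event in events:
        pcrs[index] = extend(pcrs[index], event)
    return pcrs


def policy_digest(pcrs: List[bytes], selection: Iterable[int]) -> bytes:
    """PCR policy value: hash of the selected PCRs in ascending index order."""
    return _sha256(*(pcrs[i] for i in sorted(selection)))


def seal(secret: bytes, pcrs: List[bytes], selection: Iterable[int]) -> Dict[str, object]:
    """Enrollment: wrap the volume key under a keystream bound to the current PCR policy."""
    if len(secret) != DIGEST_LEN:
        raise ValueError("secret must be 32 bytes")
    policy = policy_digest(pcrs, selection)
    stream = _sha256(_SRK_SEED, policy)
    return {"selection": tuple(sorted(selection)), "policy": policy,
            "blob": bytes(a ^ b for a, b in zip(secret, stream))}


def unseal(sealed: Dict[str, object], current_pcrs: List[bytes]) -> Optional[bytes]:
    """Boot-time unseal: None when the measured state differs from enrollment.
    The keystream is derived from the *current* policy, so a wrong state would
    also yield a different stream; the explicit comparison makes the refusal clean."""
    current = policy_digest(current_pcrs, sealed["selection"])
    if current != sealed["policy"]:
        return None
    stream = _sha256(_SRK_SEED, current)
    return bytes(a ^ b for a, b in zip(sealed["blob"], stream))


def demo() -> None:
    volume_key = os.urandom(DIGEST_LEN)            # stands in for the LUKS keyslot key
    sealed = seal(volume_key, measured_boot(boot_events()), ATHENA_PCRS)
    # Same components: key released, no passphrase prompt.
    assert unseal(sealed, measured_boot(boot_events())) == volume_key
    # Initramfs update changes PCR9: TPM refuses, passphrase prompt.
    updated = boot_events(initramfs=b"initramfs-6.2")
    assert unseal(sealed, measured_boot(updated)) is None
    # PCR8 is outside the selection, so a GRUB-only cmdline change is not detected.
    assert unseal(sealed, measured_boot(boot_events(grub_cmdline=b"grub:other"))) == volume_key
    # Re-enrollment after the update seals against the new measurements.
    resealed = seal(volume_key, measured_boot(updated), ATHENA_PCRS)
    assert unseal(resealed, measured_boot(updated)) == volume_key
    print("PCR policy model behaves as described")


if __name__ == "__main__":
    demo()
```

Running the module prints a single confirmation line; the interesting part is the sequence in demo(): the unchanged boot unseals, the updated initramfs does not, and re-sealing against the new state restores automatic unlocking, which is exactly the re-enroll step the page asks for after updates. The PCR8 case is the caveat: the PCR selection decides which components are actually bound, so a component measured only into a register outside that selection does not block the unseal.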

Important Warnings for Dual Boot with Windows


If you are dual booting with Windows that uses BitLocker, be extremely careful.

BitLocker also stores its encryption keys in the same TPM chip.

Before performing any TPM operations from Linux:

  1. Backup your BitLocker recovery key. You can find it in your Microsoft Account → https://account.microsoft.com/devices/recoverykey

  2. Suspend BitLocker protection from Windows before manipulating TPM.

    manage-bde -protectors -disable C:
  3. After operations are done, re-enable protection:

    manage-bde -protectors -enable C:

If you previously used BitLocker and reinstalled Athena on the same system, it is highly recommended to clear TPM only after backing up all Windows recovery keys.

If you lose TPM access or reinstall your firmware, your TPM keyslot will no longer unlock your LUKS partition automatically, and you will be asked to manually enter the LUKS passphrase. You can unlock it using your manual passphrase entered during Athena OS installation.

Once logged in to the system, you can re-enroll a new TPM keyslot by executing:

sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+9+11+14 /dev/nvme0n1p3

and entering the LUKS passphrase.
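For the enrollment, verification and re-enrollment commands on this page, the following helper adds the checks a cautious administrator wants before touching keyslots: it confirms a TPM device node exists, refuses to proceed unless a passphrase or recovery slot remains as a fallback, and replaces a stale TPM2 slot instead of adding a second one. It is an added example, not Aegis or Athena OS code. The device path /dev/nvme0n1p3 and the PCR list 7+9+11+14 come from the page; the listing sample is constructed, and the two-column SLOT/TYPE listing format assumed by parse_slot_listing() is that of systemd-cryptenroll run on a device with no other options.

```python
# Added example for this page; not Aegis/Athena OS code. A cautious wrapper
# around systemd-cryptenroll for the re-enrollment step. The device path
# and PCR set are the ones used on the page; the listing sample in main is
# constructed, and the SLOT/TYPE listing format assumed by
# parse_slot_listing() is that of `systemd-cryptenroll <device>` without
# further options. Runs dry by default; needs root when dry_run=False.
import os
import shlex
import subprocess
from typing import Dict, List

DEVICE = "/dev/nvme0n1p3"      # partition used in the page's examples
PCRS = "7+9+11+14"             # PCR set the page enrolls against
TPM_NODES = ("/dev/tpmrm0", "/dev/tpm0")


def tpm_present() -> bool:
    """True if the kernel exposes a TPM character device."""
    return any(os.path.exists(node) for node in TPM_NODES)


def parse_slot_listing(text: str) -> Dict[int, str]:
    """Parse the two-column SLOT/TYPE table into {slot_number: slot_type}."""
    slots: Dict[int, str] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].isdigit():
            slots[int(fields[0])] = fields[1]
    return slots


def list_slots(device: str = DEVICE) -> Dict[int, str]:
    """Run the listing command (needs root) and parse its output."""
    out = subprocess.run(["systemd-cryptenroll", device], check=True,
                         capture_output=True, text=True).stdout
    return parse_slot_listing(out)


def plan_reenroll(slots: Dict[int, str], have_tpm: bool,
                  device: str = DEVICE, pcrs: str = PCRS) -> List[str]:
    """Build the argv for re-enrollment, refusing when it would be unsafe."""
    if not have_tpm:
        raise RuntimeError("no TPM device node found; nothing to enroll against")
    kinds = set(slots.values())
    if not kinds & {"password", "recovery"}:
        # Without a manual fallback a failed unseal would lock you out.
        raise RuntimeError("refusing: no passphrase/recovery slot to fall back on")
    argv = ["systemd-cryptenroll"]
    if "tpm2" in kinds:
        # The old slot is sealed to the previous PCR state; replace it rather than add another.
        argv.append("--wipe-slot=tpm2")
    argv += ["--tpm2-device=auto", f"--tpm2-pcrs={pcrs}", device]
    return argv


def reenroll(device: str = DEVICE, dry_run: bool = True) -> List[str]:
    """Plan and optionally execute the re-enrollment; prompts for the LUKS passphrase."""
    argv = plan_reenroll(list_slots(device), tpm_present(), device)
    print("+", shlex.join(argv))
    if not dry_run:
        subprocess.run(argv, check=True)
    return argv


if __name__ == "__main__":
    # Constructed listing as it would look after the installer's enrollment.
    sample = "SLOT TYPE\n   0 password\n   1 tpm2\n"
    print(shlex.join(plan_reenroll(parse_slot_listing(sample), have_tpm=True)))
```

Run as root with reenroll(dry_run=False) after a firmware or kernel update has caused the passphrase prompt; the wipe-then-enroll combination is a single systemd-cryptenroll invocation, so the device ends up with exactly one TPM2 slot bound to the new PCR7, PCR9, PCR11 and PCR14 values, and the passphrase slot created during installation is left untouched.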