How to determine if TPM is used and how to change LUKS password

New member, loving EndeavourOS a lot!

I installed EndeavourOS Gemini 2024.04.20 about half a year ago and I can’t for the life of me remember if there was a mention that the TPM function was used for the root encryption. What I can find online is that it’s possible.

Now I get a prompt every time I start the system because I changed the CPU recently and had fTPM enabled. The UEFI wants to reset the fTPM and if I do use it, I will be having issues booting. In the past it was used for a Windows 10 install with BitLocker, but it has since been wiped off the boot drive.

The second question I have is how to change the LUKS password. I chose a very long password (>24 chars) which I regularly mistype; after two tries it forces you to shell to reboot.

Welcome to the forums @HappyDukey :wave: :sunglasses: :enos_flag:

First, make sure you’re dealing with the correct volume. Run this to list your LUKS volumes:

lsblk --fs | grep LUKS

The output will vary depending on your setup, but mine looked something like this (omitting the UUIDs):

├─nvme0n1p2 crypto_LUKS 1
└─nvme0n1p3 crypto_LUKS 1

The first of those is my system drive, the 2nd is a SWAP. The number 1 at the end is in reference to the version of LUKS.

Using my system drive (nvme0n1p2) as an example, so adjust this to match your drive:

To change an existing LUKS passphrase…

sudo cryptsetup luksChangeKey /dev/nvme0n1p2

To add an additional LUKS passphrase (up to 7 passphrase slots available with LUKS v1)…

sudo cryptsetup luksAddKey /dev/nvme0n1p2

With the latter, to verify the new passphrase has been added, you can see what Key Slots have been ENABLED:

sudo cryptsetup luksDump /dev/nvme0n1p2

Oh wow, thanks for the very detailed and useful info!

lsblk gave this output:
└─nvme0n1p2 crypto_LUKS 2

I’ve read LUKS v2 could make stuff more complicated. I was not aware that there are multiple passphrase slots, this would probably enable me to use Yubikeys as well as a “shortcut” to a long passphrase?

LUKS2 is not fully supported by Grub, so I have avoided using it for my system drive. But I use it on my secondary and external drives.

If LUKS2 is already set up and your system is booting without issue, I suspect you’ll be ok?

Hopefully someone else can assist with your TPM question. I have no experience there so I’d rather leave that alone, although if you haven’t already, the Wiki has a number of articles that touch on it.

Thanks, reading this Topic taught me some things about TPM. You gotta love this forum. Here is the best reference I found.

https://wiki.archlinux.org/title/Trusted_Platform_Module

Pudge

Thanks for the suggestion @Pudge, I also encountered that page while looking. It doesn’t specifically mention a way to figure out if I was using it, some discussion about it makes me think it wasn’t. I have to use a password each boot and also, it was already in use with my previous Windows install. I’m not sure it would have been possible without clearing the TPM first.

In the directory /sys/class/tpm nothing’s there either.
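
For the open question of whether a TPM is involved, the luksDump output mentioned earlier in the thread can be read for tokens as well as key slots. The script below is an added example, not part of any post in this thread; it assumes a TPM would have been enrolled with systemd-cryptenroll, which records a `systemd-tpm2` token in a LUKS2 header, and the sample dump and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): summarise `cryptsetup luksDump` text on stdin.
luks_summary() {
    awk '
        /^Version:/ { version = $2 }
        # LUKS1 prints one "Key Slot N: ENABLED" or "DISABLED" line per slot.
        /^Key Slot [0-9]+: ENABLED/ { slots++ }
        # LUKS2 groups entries under bare section headers such as "Tokens:".
        /^[A-Za-z][A-Za-z ]*:[ \t]*$/ { section = $0; sub(/:.*/, "", section); next }
        section == "Keyslots" && /^ +[0-9]+: / { slots++ }
        section == "Tokens" && /^ +[0-9]+: / { cur = ++n; ttype[n] = $2 }
        section == "Tokens" && /^[ \t]+Keyslot:/ { tslot[cur] = $2 }
        END {
            printf "version=%s\nkeyslots=%d\n", version, slots
            for (i = 1; i <= n; i++) printf "token=%s keyslot=%s\n", ttype[i], tslot[i]
        }'
}

# Exit status 0 when a systemd-tpm2 token is present. Assumption: the TPM was
# enrolled with systemd-cryptenroll, which stores its metadata as such a token.
has_tpm2_token() {
    luks_summary | grep -q '^token=systemd-tpm2 '
}

# Constructed, abridged LUKS2 dump: slot 0 = passphrase, slot 1 = TPM2-bound.
sample_luks2_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
UUID:           00000000-0000-0000-0000-000000000000

Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   7
        Keyslot:    1
Digests:
  0: pbkdf2
EOF
}

# On a real system: sudo cryptsetup luksDump /dev/nvme0n1p2 | luks_summary
sample_luks2_dump | luks_summary
```

A dump that prints no `token=` line has only passphrase or keyfile slots; other unlock mechanisms show up under their own token type names.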