Kernel version updates cause auto unlock to break. I've configured my Ubuntu 22.04 box to auto update weekly with unattended upgrades. On newer kernel updates, e.g.:

```
│ Newer kernel available
│
│ The currently running kernel version is 5.15.0-118-generic which is not the expected kernel version 5.15.0-119-generic.
│
│ Restarting the system to load the new kernel will not be handled automatically, so you should consider rebooting.
```

auto unlock does not work. The issue seems to be that kernel updates force a reboot to apply updates, but the reboot cannot be finished without manually typing in the disk encryption password. Once rebooted, I have to re-set up disk encryption by first running:

```
sudo clevis luks unbind -d <partition> -s <SLOT_NUMBER>
```

and then redoing the cryptsetup binding by running:

```
clevis luks bind -d <partition> tpm2 '{"pcr_bank":"sha256","pcr_ids":"<pcr_ids>"}'
update-initramfs -u -k 'all'
```

It doesn't seem to matter if we generate a boot image with `update-initramfs` before reboot or not. If I run `clevis luks list -d <partition>` I can see that the output is correct. Searching for this issue did not result in any hits. Is there any configuration that I would be missing or any configuration I could add?
- On Ubuntu 22.04 set up disk encryption with auto unlock.
- Run `sudo apt update` and `sudo apt upgrade` to trigger a kernel version update.
- Reboot.
- On boot, the disk encryption password is requested.
Packages installed:
clevis
clevis-luks
clevis-initramfs
clevis-systemd
clevis-tpm
The root cause here ended up being an update to `shim-signed` that required re-doing the disk encryption setup, as no solution worked with `clevis` or `systemd-cryptenroll`. For future updates I did turn off updates to this package until I am ready to update, with `sudo apt mark hold shim-signed`.
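The mechanism behind the answer above: the clevis `tpm2` pin seals the LUKS key to the TPM PCR values listed in `pcr_ids`, and boot components such as shim are measured into boot-related PCRs (PCR 4 for boot loader code, PCR 7 for Secure Boot state) during every boot. Once `shim-signed` (or anything else in the measured boot chain) is updated, the next boot produces different PCR values and the TPM refuses to unseal, so the passphrase prompt appears. The script below is an added example, not part of the original question or answer: it snapshots the current PCR values right after a successful `clevis luks bind`, and before a reboot reports which PCRs have drifted from that snapshot, so the binding can be redone (or a passphrase prompt expected) before the machine goes down. It assumes `tpm2-tools` (`tpm2_pcrread`) is installed; the baseline path, the `PCR_IDS` variable and the `save`/`check`/`demo` subcommands are my own conventions, not clevis features.

```shell
#!/bin/sh
# Added example (not from the original post): snapshot the PCR values a clevis
# tpm2 binding was sealed against and warn before rebooting if they changed.
# Assumes tpm2-tools; BASELINE path and subcommand names are my own choices.

BASELINE="${PCR_BASELINE:-/var/lib/clevis-pcr-baseline.txt}"   # assumed path
PCR_IDS="${PCR_IDS:-7}"   # should match the pcr_ids used in 'clevis luks bind'

# Turn tpm2_pcrread output ("sha256:" header, then "  7 : 0x..." rows)
# into one "bank:index=hexvalue" line per PCR.
normalize_pcrs() {
    awk '
        /^[a-z0-9]+:$/      { bank = substr($1, 1, length($1) - 1); next }
        /^ *[0-9]+ *: *0x/  { printf "%s:%s=%s\n", bank, $1, tolower(substr($3, 3)) }
    '
}

# Print "bank:index" for every PCR whose value differs between two raw
# tpm2_pcrread captures ($1 = baseline, $2 = current). Empty output = no drift.
pcr_drift() {
    {
        printf '%s\n' "$1" | normalize_pcrs
        printf '%s\n' "$2" | normalize_pcrs
    } | sort | uniq -u | cut -d= -f1 | sort -u
}

# Constructed sample captures (not real TPM values) so the logic can be
# exercised on a machine without a TPM: PCR 7 changes, PCR 4 stays the same.
SAMPLE_BEFORE='sha256:
  4 : 0x1111111111111111111111111111111111111111111111111111111111111111
  7 : 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
SAMPLE_AFTER='sha256:
  4 : 0x1111111111111111111111111111111111111111111111111111111111111111
  7 : 0xBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'

case "${1:-}" in
    save)   # run right after a successful 'clevis luks bind'
            tpm2_pcrread "sha256:$PCR_IDS" > "$BASELINE" && echo "baseline written to $BASELINE" ;;
    check)  # run before rebooting, e.g. after apt upgrade
            drift=$(pcr_drift "$(cat "$BASELINE")" "$(tpm2_pcrread "sha256:$PCR_IDS")")
            if [ -n "$drift" ]; then
                echo "PCRs changed since baseline; TPM auto-unlock will fail after reboot:"
                echo "$drift"
                echo "Re-run 'clevis luks bind' (or expect a passphrase prompt) before rebooting."
                exit 1
            fi
            echo "PCRs unchanged; binding should still unseal after reboot" ;;
    demo)   echo "drifted PCRs in constructed sample:"
            pcr_drift "$SAMPLE_BEFORE" "$SAMPLE_AFTER" ;;
esac
```

Run `sh pcr-drift.sh save` once after binding, and `sh pcr-drift.sh check` from a post-upgrade hook or by hand before rebooting; `demo` exercises the comparison on the constructed sample without touching a TPM. Comparing only the PCRs in `pcr_ids` keeps the check aligned with what the clevis policy actually enforces.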