GRUB 2.04 is coming to all distros, and finally Linux can use all the Secure Boot + TPM2 features (in GRUB 2.04, PCRs 8 and 9 are filled and change as soon as you enter the menu).
I like to have my data encrypted always and everywhere, so I wrote yet another pack of scripts to use TPM2 as key storage for LUKS.
What can it do:
- verify PCR state before sealing the key and abort if some PCRs are empty
- protect the key with an additional PIN (AES-256), numeric or alphanumeric
- ask for PINs and passwords using curses windows (dialog)
- split the secret key into chunks and protect them with different PCR policies (the TPM 2.0 specification doesn't allow one policy to use more than 8 PCRs, so this script can split a key and use a different PCR policy for each chunk)
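The following is an added example, not the scripts from this post, showing the three building blocks the list describes: the empty-PCR check, PIN protection of the sealed material, and splitting one key across several PCR policies of at most eight PCRs each. It is stdlib-only Python and never touches a TPM: the `tpm2_pcrread` output is a constructed sample, and the tpm2-tools command lines (`tpm2_createpolicy`, `tpm2_create`, `tpm2_unseal`) are only generated as strings. Two things differ from the post's design and are assumptions of this example: the PIN layer uses PBKDF2 plus an HMAC-SHA256 keystream and tag instead of AES-256 (no AES in the standard library), and the key is split into XOR shares rather than plain slices, so that unsealing only some of the chunks reveals nothing about the key. The file names `primary.ctx` and `chunkN.*` are illustrative.

```python
"""Added example: PCR check, PIN wrapping and multi-policy key splitting (no TPM)."""
import hashlib
import hmac
import math
import secrets

PCRS_PER_POLICY = 8        # per-policy PCR limit the post's scripts work around
PBKDF2_ITERS = 200_000

# Constructed sample of `tpm2_pcrread sha256:0,1,2,3,4,5,6,7,8,9,14` after a
# GRUB 2.04 boot: PCRs 0-9 hold measurements, PCR 14 was never extended.
SAMPLE_PCRREAD = """\
sha256:
  0 : 0x3B1C9D2E3B1C9D2E3B1C9D2E3B1C9D2E3B1C9D2E3B1C9D2E3B1C9D2E3B1C9D2E
  1 : 0x7F00A1B27F00A1B27F00A1B27F00A1B27F00A1B27F00A1B27F00A1B27F00A1B2
  2 : 0x51E2C3D451E2C3D451E2C3D451E2C3D451E2C3D451E2C3D451E2C3D451E2C3D4
  3 : 0x9A8B7C6D9A8B7C6D9A8B7C6D9A8B7C6D9A8B7C6D9A8B7C6D9A8B7C6D9A8B7C6D
  4 : 0x11223344112233441122334411223344112233441122334411223344AABBCCDD
  5 : 0xDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF01020304
  6 : 0xC0FFEE00C0FFEE00C0FFEE00C0FFEE00C0FFEE00C0FFEE00C0FFEE00C0FFEE01
  7 : 0x0BADF00D0BADF00D0BADF00D0BADF00D0BADF00D0BADF00D0BADF00D0BADF00E
  8 : 0x4D454E554D454E554D454E554D454E554D454E554D454E554D454E554D454E55
  9 : 0x4B45524E4B45524E4B45524E4B45524E4B45524E4B45524E4B45524E4B45524E
  14 : 0x0000000000000000000000000000000000000000000000000000000000000000
"""


def parse_pcrread(text):
    """Parse one bank of tpm2_pcrread output into {pcr_index: digest_bytes}."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line or line.endswith(":"):   # skip the bank header
            continue
        idx, hexval = line.split(":", 1)
        values[int(idx)] = bytes.fromhex(hexval.strip()[2:])
    return values


def check_pcrs(values, wanted):
    """List problems for the requested PCRs; [] means sealing is safe to go ahead."""
    problems = []
    for p in wanted:
        d = values.get(p)
        if d is None:
            problems.append(f"PCR {p} not read")
        elif d == bytes(len(d)):          # all-zero: nothing was ever extended into it
            problems.append(f"PCR {p} never extended")
    return problems


def group_pcrs(pcrs, limit=PCRS_PER_POLICY):
    """Split a PCR list into policy-sized groups, preserving sorted order."""
    pcrs = sorted(set(pcrs))
    return [pcrs[i:i + limit] for i in range(0, len(pcrs), limit)]


def xor_split(key, n):
    """n shares whose XOR is key; any n-1 of them are independent of key."""
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = bytes(key)
    for s in shares:
        last = bytes(a ^ b for a, b in zip(last, s))
    return shares + [last]


def xor_join(shares):
    out = bytes(len(shares[0]))
    for s in shares:
        out = bytes(a ^ b for a, b in zip(out, s))
    return out


def _kek(pin, salt):
    k = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERS, dklen=64)
    return k[:32], k[32:]               # encryption key, MAC key


def _keystream(key, length):
    """HMAC-SHA256 counter mode; the per-wrap salt makes each stream unique."""
    blocks = (hmac.new(key, i.to_bytes(4, "big"), "sha256").digest()
              for i in range(math.ceil(length / 32)))
    return b"".join(blocks)[:length]


def pin_wrap(chunk, pin, salt=None):
    """PIN-protect a chunk: salt || ciphertext || HMAC tag (stand-in for AES-256)."""
    salt = salt or secrets.token_bytes(16)
    enc, mac = _kek(pin, salt)
    ct = bytes(a ^ b for a, b in zip(chunk, _keystream(enc, len(chunk))))
    return salt + ct + hmac.new(mac, salt + ct, "sha256").digest()


def pin_unwrap(blob, pin):
    """Reject a wrong PIN (or tampered blob) instead of returning garbage."""
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc, mac = _kek(pin, salt)
    if not hmac.compare_digest(tag, hmac.new(mac, salt + ct, "sha256").digest()):
        raise ValueError("wrong PIN or corrupted blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, len(ct))))


def seal_commands(bank, group, i):
    """tpm2-tools command lines for sealing chunk i under one PCR policy.
    'adminwithpolicy' without 'userwithauth' ensures the PCR policy is the only
    way to unseal; with userwithauth and an empty auth, tpm2_unseal -c alone works."""
    sel = f"{bank}:{','.join(map(str, group))}"
    return [
        f"tpm2_createpolicy --policy-pcr -l {sel} -L chunk{i}.policy",
        f"tpm2_create -C primary.ctx -a 'fixedtpm|fixedparent|adminwithpolicy|noda' "
        f"-L chunk{i}.policy -i chunk{i}.bin -u chunk{i}.pub -r chunk{i}.priv",
        f"tpm2_unseal -c chunk{i}.ctx -p pcr:{sel}   # at unlock time",
    ]


def protect_key(key, pcr_values, pcrs, pin, bank="sha256"):
    """Check PCRs, split the key per policy group, PIN-wrap each share."""
    problems = check_pcrs(pcr_values, pcrs)
    if problems:
        raise RuntimeError("refusing to seal: " + "; ".join(problems))
    groups = group_pcrs(pcrs)
    shares = xor_split(key, len(groups)) if len(groups) > 1 else [bytes(key)]
    return [{"pcrs": g, "blob": pin_wrap(s, pin), "commands": seal_commands(bank, g, i)}
            for i, (g, s) in enumerate(zip(groups, shares))]


def recover_key(chunks, pin):
    """Inverse of protect_key once every chunk{i}.bin has been unsealed."""
    return xor_join([pin_unwrap(c["blob"], pin) for c in chunks])
```

Generate the LUKS key with at least 32 random bytes; since the shares are XOR shares, no single unsealed chunk shrinks the search space, which plain slices would. The attribute list on `tpm2_create` is the check a practitioner wants to make against their own scripts: a sealed object created with `userwithauth` and an empty auth value can be unsealed without satisfying the PCR policy at all.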