YaST2 support for Full Disk Encryption with TPM2

11. Aug 2025 | Thorsten Kukuk | No License

Intro

Since snapshot 20250809, the openSUSE MicroOS installer (YaST2) supports Full Disk Encryption (FDE) secured either by a TPM2 chip together with measured boot, or by a FIDO2 key.

For quite some time the openSUSE project has already provided images with Full Disk Encryption and TPM2 (e.g. openSUSE-MicroOS.x86_64-kvm-and-xen-sdboot.qcow2 or openSUSE-MicroOS.x86_64-kvm-and-xen-grub-bls.qcow2 for virtualized environments), and there is a blog post describing how to set up such a system with YaST2.

Now the next step is done: YaST2 supports setting up FDE+TPM2 for openSUSE MicroOS, so the feature can be enabled easily during installation.

This requires a bootloader following the Boot Loader Specification (BLS). Available are grub2-bls and systemd-boot. For openSUSE MicroOS we decided to make systemd-boot the default bootloader.

Hardware Requirement:

  • UEFI Firmware
  • TPM2 Chip or FIDO2 key which supports the hmac-secret extension
  • 4GB Memory
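As an added example (not part of the original post or of YaST2), the following POSIX shell function checks the three hardware requirements listed above before you start an installation. It assumes the usual Linux interfaces: /sys/firmware/efi exists only when the kernel was booted via UEFI, /sys/class/tpm/tpm0/tpm_version_major reads "2" for a TPM 2.0 device, and /proc/meminfo reports MemTotal in kB. The ROOT argument exists only so the check can be pointed at a constructed sysfs/procfs tree; on a live system pass "/" (a FIDO2 key with hmac-secret is not probed here).

```shell
#!/bin/sh
# Pre-flight check for FDE+TPM2 installation requirements (added example,
# not code from the post). Usage: sh fde-preflight.sh /   (live system)
# Assumed kernel interfaces: /sys/firmware/efi, /sys/class/tpm/tpm0/tpm_version_major,
# /proc/meminfo.

fde_preflight() {
    root="${1:-}"
    status=0

    # UEFI firmware: the kernel creates this directory only on UEFI boots.
    if [ -d "$root/sys/firmware/efi" ]; then
        echo "ok:   UEFI firmware detected"
    else
        echo "FAIL: system was not booted via UEFI"
        status=1
    fi

    # TPM2: tpm_version_major is "2" for TPM 2.0 and "1" for TPM 1.2 (not usable here).
    tpmver="$(cat "$root/sys/class/tpm/tpm0/tpm_version_major" 2>/dev/null || true)"
    if [ "$tpmver" = "2" ]; then
        echo "ok:   TPM 2.0 device found"
    else
        echo "FAIL: no TPM 2.0 device (found version '${tpmver:-none}'); a FIDO2 key with hmac-secret is needed instead"
        status=1
    fi

    # Memory: MemTotal is in kB; the post requires 4 GB, checked here as 4 GiB.
    memkb="$(awk '/^MemTotal:/ {print $2}' "$root/proc/meminfo" 2>/dev/null || true)"
    min_kb=$((4 * 1024 * 1024))
    if [ -n "$memkb" ] && [ "$memkb" -ge "$min_kb" ] 2>/dev/null; then
        echo "ok:   ${memkb} kB RAM"
    else
        echo "FAIL: less than 4 GiB RAM (${memkb:-unknown} kB)"
        status=1
    fi

    return "$status"
}

# Only run when a root directory is given explicitly, e.g. "sh fde-preflight.sh /".
if [ $# -gt 0 ]; then
    fde_preflight "$1"
fi
```

The function returns 0 only when all three checks pass, so it can be used as a gate in a provisioning script; each failed check prints its own line so the reason is visible before YaST2's "Enable Disk Encryption" option is chosen.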

Installation of openSUSE MicroOS

Boot installation media

  • Follow the workflow until “Installation Settings”
  • Installation Settings:
    • Partitioning [screenshot: installation-settings]
    • Select “Guided Setup”, keep the defaults until the “Partitioning Scheme” screen. [screenshot: suggested-partitioning]
    • “Enable Disk Encryption” and enter the password. The password will be the recovery key. [screenshot: partitioning-scheme]
    • Accept changes [screenshot: accept-changes]
  • Finish Installation

Finish FDE Setup

Boot the new system

Re-enrollment

If the prediction fails because the boot measurements have changed, a new policy must be created for the new measurements to replace the policy stored in the TPM2.

Run the following with the recovery PIN (the FDE password):

  # sdbootutil --ask-pin update-predictions

Next Steps

The next step will be to make FDE+TPM2 the default for MicroOS.

Further Documentation
