LinuxQuestions.org


lin-ux 03-04-2024 11:10 AM

Full disk encryption using clevis tpm-tools2 with LUKS question
 
Hello,

This is my first post, in the hope I can get an answer for something I cannot find an answer to anywhere.

I would like to clone a virtual/physical machine which uses full disk encryption and have it boot without requiring any configuration changes. Using the tpm2 tools, I need to populate the TPM with the same private/public (SRK) key as the source machine. Is it possible to export the private/public keys used by Clevis and import this into a different TPM, allowing the O/S to decrypt the volume?

Example:

1) Set up a VM installed with Red Hat 8.4 using full disk encryption and sealed to the TPM (PMK) using clevis (VM1).

2) Create a new VM with a new TPM, not a cloned virtual machine; this might be virtual or physical hardware.

3) Using the tpm2 command line tools to migrate the TPM SRK (root storage key) public key from VM1 to VM2 so it automatically mounts and decrypts with the need for passphrase or manual intervention.

4) Successfully boot the machine without the need to use a passphrase or any configuration changes.

Thanks in advance for any help on this.


All times are GMT -5.