A brief guide to setting up TPM-based LUKS partition unlocking at boot time.
The TPM must be enabled in the BIOS
sudo apt install \
clevis \
clevis-luks \
clevis-systemd \
clevis-tpm2 \
tpm2-tools \
clevis-initramfs
sudo tpm2_pcrread
The output should show PCR values in both the sha1 and sha256 banks.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968518#10
sudo update-initramfs -u -k 'all'
- Replace /dev/nvme0n1p3 with the proper device.
- Replace "pcr_bank":"sha256","pcr_ids":"0,1" as needed (it's likely fine...).

sudo clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,1"}'
Reboot the system; at the LUKS passphrase prompt, don't enter anything. Just wait 5 to 10 seconds. Clevis should use the TPM to unlock the partition. If it fails, press the "esc" key to see what's going on. You can always use the passphrase to unlock the disk.
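A pre-flight check for the tpm2_pcrread and clevis luks bind steps, added here as an example and not part of the original guide. It parses tpm2_pcrread output (the "bank:" / "N : 0x..." layout of tpm2-tools 4 and 5 is assumed) and confirms that every PCR named in the pin config holds a real measurement, rather than the all-zero value of a bank the firmware never extends, before anything is sealed against it. The sample output and the function names (pcr_value, pcr_usable, check_pin_config, bind_config, preflight_and_bind) are constructed for this example.

```shell
#!/bin/sh
# Pre-flight check before "clevis luks bind ... tpm2 ..." (example, not from the guide).

# pcr_value BANK INDEX  < tpm2_pcrread output
# Prints the hex value of PCR INDEX in BANK, or nothing if bank/PCR is absent.
pcr_value() {
  awk -v bank="$1" -v idx="$2" '
    /^[[:space:]]*[a-z0-9_]+:[[:space:]]*$/ { cur = $1; sub(":", "", cur); next }
    cur == bank && $1 == idx && $2 == ":"    { print $3; exit }
  '
}

# pcr_usable BANK INDEX  < tpm2_pcrread output
# Succeeds only if the PCR exists and is neither all-zero (never extended,
# typical of a bank the firmware does not use) nor all-0xFF (error/locality state).
pcr_usable() {
  v=$(pcr_value "$1" "$2")
  [ -n "$v" ] || return 1
  hex=${v#0x}
  case "$hex" in *[!0]*) ;; *) return 1 ;; esac      # reject all zeros
  case "$hex" in *[!fF]*) return 0 ;; *) return 1 ;; esac  # reject all 0xFF
}

# check_pin_config BANK "ID,ID,..."  < tpm2_pcrread output
# Mirrors the {"pcr_bank":..,"pcr_ids":".."} config and verifies every listed PCR.
check_pin_config() {
  bank=$1
  out=$(cat)                       # read stdin once so each PCR check can reuse it
  for id in $(printf '%s' "$2" | tr ',' ' '); do
    printf '%s\n' "$out" | pcr_usable "$bank" "$id" \
      || { echo "PCR $bank:$id missing or unextended; refusing to bind" >&2; return 1; }
  done
  return 0
}

# bind_config BANK "ID,ID,..."  -> the JSON string clevis luks bind expects
bind_config() {
  printf '{"pcr_bank":"%s","pcr_ids":"%s"}' "$1" "$2"
}

# preflight_and_bind DEVICE BANK "ID,ID,..."  (the real, privileged workflow)
preflight_and_bind() {
  [ -b "$1" ] || { echo "$1 is not a block device" >&2; return 1; }
  sudo tpm2_pcrread | check_pin_config "$2" "$3" || return 1
  sudo clevis luks bind -d "$1" tpm2 "$(bind_config "$2" "$3")"
}

# Constructed sample of tpm2_pcrread output: sha1 and sha256 carry firmware
# measurements, sha384 is allocated but never extended (all zeros).
SAMPLE_PCRS='  sha1:
    0 : 0x3B6F77B0F6A8D9D2E1C4A5F0E9B8C7D6A5F4E3D2
    1 : 0xA1B2C3D4E5F60718293A4B5C6D7E8F9011223344
  sha256:
    0 : 0x9C8B7A6F5E4D3C2B1A0F9E8D7C6B5A4F3E2D1C0B9A8F7E6D5C4B3A2F1E0D9C8B
    1 : 0x1122334455667788990AABBCCDDEEFF00112233445566778899AABBCCDDEEFF0
    7 : 0xFFEEDDCCBBAA99887766554433221100FFEEDDCCBBAA99887766554433221100
  sha384:
    0 : 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    1 : 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'

# Offline demonstration on the constructed sample (no TPM needed):
#   printf '%s\n' "$SAMPLE_PCRS" | check_pin_config sha256 "0,1"   # succeeds
#   printf '%s\n' "$SAMPLE_PCRS" | check_pin_config sha384 "0,1"   # fails: unextended bank
# On a real machine: preflight_and_bind /dev/nvme0n1p3 sha256 "0,1"
```

After binding, recent clevis releases let you confirm the slot with `sudo clevis luks list -d /dev/nvme0n1p3`. Keep in mind what sealing to PCRs 0 and 1 implies: those registers hold the firmware code and firmware configuration measurements, so a BIOS/UEFI update or a settings change will make the automatic unlock fail (the passphrase prompt still works) until you unbind and re-bind.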