@BolunHan
Last active June 12, 2025 02:40
Automatically unlock LVM Encryption with TPM2

Clevis + TPM2: Automatic LUKS Unlock Guide

For Ubuntu with Full Disk Encryption (LUKS+LVM)

  1. Prerequisites
  • Ubuntu installed with LUKS encryption (passphrase-protected).
  • TPM 2.0 enabled in BIOS/UEFI.
  • Root/sudo access.

Verify TPM2 is available:

sudo tpm2_getcap properties-fixed | grep "TPM2_PT_MANUFACTURER"

  2. Installation

Install required packages:

sudo apt install clevis clevis-luks clevis-tpm2 clevis-initramfs tpm2-tools

Bind the LUKS partition to the TPM2, sealing the key against PCRs 0-7 in the sha256 bank:

sudo clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,1,2,3,4,5,6,7"}'
  • Replace /dev/nvme0n1p3 with your LUKS partition (find it via lsblk -f).
  • Enter your existing LUKS passphrase when prompted.

Verify Binding

sudo clevis luks list -d /dev/nvme0n1p3

(Should show a tpm2 binding.)

  3. Update Initramfs

Rebuild initramfs to include Clevis:

sudo update-initramfs -u -k all

Verify Clevis is included:

lsinitramfs /boot/initrd.img-$(uname -r) | grep -i clevis

(Should show clevis-decrypt-tpm2 and related files.)

  4. Reboot and Test

sudo reboot

Wait briefly at the LUKS unlock prompt; the volume should be unlocked automatically without a passphrase.

  5. When decryption fails

You can always enter the system by typing the LUKS passphrase manually. When Clevis fails to unlock (usually after an Ubuntu firmware update, because the PCR values the key was sealed against have changed), unbind the Clevis keyslot and bind it again.

Unbind with (the slot number after -s is the one shown by clevis luks list):

sudo clevis luks unbind -d /dev/nvme0n1p3 -f -s 1

Then repeat the bind and initramfs steps above.
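
The verify and recovery steps above, as an added example that is not part of the original gist: POSIX sh helpers that read the keyslot number and PCR set out of clevis luks list output (so the -s value for unbind is taken from the system rather than guessed), check lsinitramfs output for the tpm2 hook, and run the unbind/bind/initramfs recovery in one call. The clevis luks list line format, the CLEVIS_DRY_RUN variable and the function names are assumptions; the sample list output is constructed.

```shell
#!/bin/sh
# Added example, not part of the original gist. Helpers for the verify and
# recovery steps. Assumptions: `clevis luks list` prints one line per bound
# keyslot as  <slot>: <pin> '<json>'  (e.g. 1: tpm2 '{...}'), and setting
# CLEVIS_DRY_RUN=1 makes clevis_rebind print its commands instead of running them.

# Slot number of the first tpm2 binding in `clevis luks list` output (stdin).
# This is the value the unbind step needs after -s; exits 1 if none is bound.
tpm2_slot_from_list() {
    awk -F': ' '$2 ~ /^tpm2 / { print $1; found = 1; exit } END { exit (found ? 0 : 1) }'
}

# PCR set the tpm2 binding was sealed against, read from the same output.
# A change in any of these PCRs (a firmware update alters 0-7) breaks the unlock.
tpm2_pcr_ids_from_list() {
    sed -n 's/.*"pcr_ids":"\([^"]*\)".*/\1/p' | head -n 1
}

# Succeeds if `lsinitramfs` output on stdin contains the tpm2 decrypt hook.
initramfs_has_clevis() {
    grep -q 'clevis-decrypt-tpm2'
}

run_cmd() {
    if [ "${CLEVIS_DRY_RUN:-0}" = "1" ]; then echo "$1"; else sh -c "$1"; fi
}

# Recovery for the "decryption failed" step: remove the stale tpm2 slot, bind
# again, and rebuild the initramfs. $3 optionally overrides the PCR set.
clevis_rebind() {
    dev=$1; slot=$2; pcrs=${3:-0,1,2,3,4,5,6,7}
    run_cmd "sudo clevis luks unbind -d $dev -f -s $slot" &&
    run_cmd "sudo clevis luks bind -d $dev tpm2 '{\"pcr_bank\":\"sha256\",\"pcr_ids\":\"$pcrs\"}'" &&
    run_cmd "sudo update-initramfs -u -k all"
}

# Constructed sample, shaped like `clevis luks list -d /dev/nvme0n1p3` output.
SAMPLE_LIST="1: tpm2 '{\"hash\":\"sha256\",\"key\":\"ecc\",\"pcr_bank\":\"sha256\",\"pcr_ids\":\"0,1,2,3,4,5,6,7\"}'"

# Dry-run demo on the constructed sample: ./clevis-helpers.sh demo
if [ "${1:-}" = "demo" ]; then
    slot=$(printf '%s\n' "$SAMPLE_LIST" | tpm2_slot_from_list)
    pcrs=$(printf '%s\n' "$SAMPLE_LIST" | tpm2_pcr_ids_from_list)
    echo "tpm2 binding in slot $slot, sealed to PCRs $pcrs"
    CLEVIS_DRY_RUN=1 clevis_rebind /dev/nvme0n1p3 "$slot"
fi
```

On a live system, feed the real output instead of the sample: sudo clevis luks list -d /dev/nvme0n1p3 | tpm2_slot_from_list.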

@BolunHan
Author

Also, the requirements should be installed with sudo apt install clevis clevis-luks clevis-tpm2 clevis-initramfs tpm2-tools
