@BolunHan
Last active June 25, 2025 16:32
Automatically unlock LVM Encryption with TPM2

Clevis + TPM2: Automatic LUKS Unlock Guide

For Ubuntu with Full Disk Encryption (LUKS+LVM)

  1. Prerequisites
  • Ubuntu installed with LUKS encryption (passphrase-protected).
  • TPM 2.0 enabled in BIOS/UEFI.
  • Root/sudo access.

Verify TPM2 is available:

sudo tpm2_getcap properties-fixed | grep "TPM2_PT_MANUFACTURER"
  2. Installation

Install required packages:

sudo apt install clevis clevis-luks clevis-tpm2 clevis-initramfs tpm2-tools

Bind the LUKS partition to the TPM2, sealing the key to PCRs 0-7 (the firmware and boot-loader measurements):

sudo clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,1,2,3,4,5,6,7"}'
  • Replace /dev/nvme0n1p3 with your LUKS partition (find it via lsblk -f).
  • Enter your existing LUKS passphrase when prompted.

Verify Binding

sudo clevis luks list -d /dev/nvme0n1p3

(Should show a tpm2 binding.)

  3. Update Initramfs

Rebuild initramfs to include Clevis:

sudo update-initramfs -u -k all

Verify Clevis is included:

lsinitramfs /boot/initrd.img-$(uname -r) | grep -i clevis

(Should show clevis-decrypt-tpm2 and related files.)

  4. Reboot and Test

sudo reboot

Wait briefly at the LUKS unlock prompt; the volume should be unlocked automatically without a passphrase.

  5. When decryption fails

You can always enter the system by typing the passphrase manually. When Clevis fails (usually after a firmware update on Ubuntu: the key is sealed to PCRs 0-7, so new firmware or boot-loader measurements change the PCR values and the TPM policy check no longer passes), unbind Clevis and bind again.

Unbind with:

sudo clevis luks unbind -d /dev/nvme0n1p3 -f -s 1

(-s is the key slot holding the tpm2 binding; confirm the slot number with clevis luks list -d /dev/nvme0n1p3.)

Then redo the steps above.

@BolunHan
Author

Also, the requirements should be installed with: sudo apt install clevis clevis-luks clevis-tpm2 clevis-initramfs tpm2-tools

@BolunHan
Author

Using this line to check the TPM2 status is more graceful:

sudo clevis luks unlock -d /dev/nvme0n1p3

If it shows TPM errors like these:

WARNING:esys:src/tss2-esys/api/Esys_Unseal.c:295:Esys_Unseal_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Unseal.c:98:Esys_Unseal() Esys Finish ErrorCode (0x0000099d) 
ERROR: Esys_Unseal(0x99D) - tpm:session(1):a policy check failed
ERROR: Unable to run tpm2_unseal
Unsealing jwk from TPM failed!
/dev/nvme0n1p3 could not be opened.

It is very likely a TPM failure caused by a system update. An unbind, then rebind, will fix this issue.
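A small diagnostic helper for the failure case in step 5 and the error output quoted above, added here as an example that is not part of the gist or of Clevis itself: it parses `clevis luks list` output to find the tpm2-bound slot (the `-s` value that `unbind` needs) and recognises the TPM policy-check failure in the unlock output, so a PCR mismatch after a firmware update is told apart from other unlock problems. The device path, the sample listing and the `--check` flag are assumptions.

```shell
#!/bin/sh
# Added helper, not part of the gist: parses `clevis luks list` output and
# tells a TPM policy failure (PCR values changed by a firmware update) apart
# from other unlock failures. Device path and sample text are assumptions.
set -u

# Constructed sample of `clevis luks list -d DEV` (slot 1 bound with tpm2,
# slot 2 a non-TPM pin) and of the failed-unlock output quoted above.
SAMPLE_LIST=$(printf '%s\n' \
  "1: tpm2 '{\"pcr_bank\":\"sha256\",\"pcr_ids\":\"0,1,2,3,4,5,6,7\"}'" \
  "2: tang '{\"url\":\"http://tang.example\"}'")
SAMPLE_ERR=$(printf '%s\n' \
  'ERROR:esys:src/tss2-esys/api/Esys_Unseal.c:98:Esys_Unseal() Esys Finish ErrorCode (0x0000099d)' \
  'ERROR: Esys_Unseal(0x99D) - tpm:session(1):a policy check failed' \
  'Unsealing jwk from TPM failed!' \
  '/dev/nvme0n1p3 could not be opened.')

# Key slots carrying a tpm2 pin, one per line.
tpm2_slots() {
  printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\): tpm2 .*/\1/p'
}

# PCR list a tpm2 slot is sealed to (empty when the slot is not tpm2).
slot_pcr_ids() {
  printf '%s\n' "$1" | sed -n "s/^$2: tpm2 .*\"pcr_ids\":\"\([0-9,]*\)\".*/\1/p"
}

# True when the TPM refused to unseal because its PCR policy no longer
# matches (error 0x99d, "a policy check failed"): rebind, do not debug LUKS.
is_policy_failure() {
  printf '%s\n' "$1" | grep -Eiq 'policy check failed|0x0*99d'
}

# ok | pcr-mismatch | other-failure, judged from `clevis luks unlock` output.
classify_unlock() {
  if is_policy_failure "$1"; then echo pcr-mismatch
  elif printf '%s\n' "$1" | grep -q 'could not be opened'; then echo other-failure
  else echo ok; fi
}

# Live run: sh check-clevis.sh --check /dev/nvme0n1p3 (root, clevis installed).
if [ "${1:-}" = "--check" ]; then
  listing=$(clevis luks list -d "$2" 2>&1)
  for s in $(tpm2_slots "$listing"); do
    echo "slot $s: tpm2 pin sealed to PCRs $(slot_pcr_ids "$listing" "$s")"
  done
  out=$(clevis luks unlock -d "$2" 2>&1 || true)
  echo "unlock check: $(classify_unlock "$out")"
fi
```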
