Automaticly unlock LVM Encryption with TPM2

ubuntu-luks-clevis-tpm2-guide.md

Clevis + TPM2: Automatic LUKS Unlock Guide

For Ubuntu with Full Disk Encryption (LUKS+LVM)

1. Prerequisites

• Ubuntu installed with LUKS encryption (passphrase-protected).
• TPM 2.0 enabled in BIOS/UEFI.
• Root/sudo access.

Verify TPM2 is available:

sudo tpm2_getcap properties-fixed | grep "TPM2_PT_MANUFACTURER"

2. Installation

Install required packages:

sudo clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,1,2,3,4,5,6,7"}'

• Replace /dev/nvme0n1p3 with your LUKS partition (find it via lsblk -f).
• Enter your existing LUKS passphrase when prompted.

Verify Binding

sudo clevis luks list -d /dev/nvme0n1p3

(Should show a tpm2 binding.)

4. Update Initramfs

Rebuild initramfs to include Clevis:

sudo update-initramfs -u -k all

Verify Clevis is included:

lsinitramfs /boot/initrd.img-$(uname -r) | grep -i clevis

(Should show clevis-decrypt-tpm2 and related files.)

5. Reboot and Test

sudo reboot

Give a breif wait during the unlock LUKS screen, it should be automatically unlocked.

---

6. when the decryption failed

you can alwasy enter the system with manually inputting the key. when the clevis failed (usually after a ubuntu firmware update). unbind the clevis and bind again.

unbind with

sudo clevis luks unbind -d /dev/nvme0n1p3 -f -s 1

and re-do the steps above again

Using this line to check tpm2 status is more graceful

sudo clevis luks unlock -d /dev/nvme0n1p3

If it shows TMP error like these

WARNING:esys:src/tss2-esys/api/Esys_Unseal.c:295:Esys_Unseal_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Unseal.c:98:Esys_Unseal() Esys Finish ErrorCode (0x0000099d) 
ERROR: Esys_Unseal(0x99D) - tpm:session(1):a policy check failed
ERROR: Unable to run tpm2_unseal
Unsealing jwk from TPM failed!
/dev/nvme0n1p3 could not be opened.

It is very likely a TMP failure caused by a system update. An unbind, then rebind will fix this issue.