kbdharun/tpm-luks-unlock-fedora-vm-proxmox.md

Created February 5, 2026 17:58

Star (0) You must be signed in to star a gist
Fork (0) You must be signed in to fork a gist

Select an option

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/kbdharun/eae30ca25d313b89ea8f006cb0b016ac.js"></script>
Save kbdharun/eae30ca25d313b89ea8f006cb0b016ac to your computer and use it in GitHub Desktop.

Download ZIP

TPM-based automatic LUKS unlocking for a Fedora VM on Proxmox VE

Raw

tpm-luks-unlock-fedora-vm-proxmox.md

To set up TPM-based automatic LUKS unlocking for a Fedora VM on Proxmox VE, follow these steps:

Step 1: Proxmox Configuration

Shut down the VM.
Go to Hardware > Add > TPM State.
Select a storage location and ensure version is v2.0.
Note: The VM must be using UEFI (OVMF).

Step 2: Fedora Configuration

Boot the VM and run the following commands as root:

Install TPM package, if required:

sudo dnf install tpm2-tss

Bind LUKS to TPM: Identify your encrypted partition (usually /dev/sda3 or similar) using lsblk, then run:

sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+4+7 /dev/sdXN

(Replace /dev/sdXN with your actual partition; enter your current passphrase when prompted.)

Edit Crypttab:

Open /etc/crypttab and append tpm2-device=auto to your root disk options: luks-uuid... UUID=... none tpm2-device=auto

Rebuild Boot Image:

sudo dracut -f

Step 3: Verification

Reboot the VM.
The system should now bypass the manual passphrase prompt and proceed directly to the login screen.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment