Automatic LUKS decryption with Clevis and TPM2

I'm trying to set up seamless LUKS decryption with Clevis and TPM2, but it doesn't work - I'm still being asked for a password on boot.
Here is what I was doing:

[olga@olga-notebook ~]$ lsblk
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
nvme0n1                                       259:0    0 931.5G  0 disk  
├─nvme0n1p1                                   259:1    0    16M  0 part  
└─nvme0n1p2                                   259:2    0 931.5G  0 part  
  └─luks-a16f5e32-aed7-4241-834b-1f978d81cb48 254:2    0 931.5G  0 crypt 
nvme1n1                                       259:3    0   477G  0 disk  
├─nvme1n1p1                                   259:4    0   150M  0 part  
├─nvme1n1p2                                   259:5    0   128M  0 part  
├─nvme1n1p3                                   259:6    0 117.2G  0 part  
├─nvme1n1p4                                   259:7    0   990M  0 part  
├─nvme1n1p5                                   259:8    0  12.6G  0 part  
├─nvme1n1p6                                   259:9    0   1.5G  0 part  
├─nvme1n1p7                                   259:10   0   512M  0 part  /boot/efi
├─nvme1n1p8                                   259:11   0 243.9G  0 part  
│ └─luks-cbe24715-81da-4636-b731-e0d406394a24 254:1    0 243.9G  0 crypt /home
└─nvme1n1p9                                   259:12   0   100G  0 part  
  └─luks-2f4854ba-d982-4071-868d-f89889c0bf08 254:0    0   100G  0 crypt /

sudo pamac install clevis
sudo dracut -f
sudo clevis luks bind -d /dev/nvme0n1p2 tpm2 '{"pcr_ids":"0,1,2,3,4,5,6,7"}'
sudo clevis luks bind -d /dev/nvme1n1p9 tpm2 '{"pcr_ids":"0,1,2,3,4,5,6,7"}'
sudo clevis luks bind -d /dev/nvme1n1p8 tpm2 '{"pcr_ids":"0,1,2,3,4,5,6,7"}'

There were no errors displayed, but sudo cryptsetup luksDump /dev/nvme0n1p2 doesn't show "Tokens: 0: clevis" as this article suggests. However, a new key slot has indeed appeared.
The person here writes that they "only got the automatic decryption to work on the full /dev/sd* volume, not any logical volumes." I wonder if that is true. I have dual boot so full disk encryption is not an option.

Has anyone been able to set this up?

It is way too much hassle to input the password (actually, twice - for two disks) every time I boot, but I don't want to disable encryption either.
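After a bind like the ones above, the first thing to verify is whether the LUKS2 header actually carries a clevis token, since that token (not the bare keyslot) is what the initramfs uses to unlock. The checks below are an added example, not code from the post or from the Clevis project; the device path is an argument, the constructed luksDump excerpt stands in for real output, and the initramfs and TPM checks assume dracut and an in-kernel TPM2 device.

```shell
#!/bin/sh
# Post-bind check for a Clevis TPM2 LUKS binding. Added example, not code from
# the post or from Clevis. The device path is an argument; the parser assumes
# the LUKS2 "Tokens:" section layout printed by cryptsetup luksDump.

# Print the keyslot number behind each clevis token in luksDump text on stdin.
# Empty output means the header carries no clevis token at all.
clevis_keyslots() {
    awk '/^Tokens:/ { t = 1; next }
         /^[A-Z]/   { t = 0 }                    # next top-level section
         t && /^  [0-9]+: clevis/ { c = 1; next } # a clevis token entry
         t && /^  [0-9]+:/        { c = 0 }      # some other token type
         t && c && /Keyslot:/     { print $2 }'
}

# Exit 0 when a clevis token is bound to at least one keyslot.
has_clevis_token() { [ -n "$(clevis_keyslots)" ]; }

# Constructed luksDump excerpt in the shape of a successful bind (keyslot 1).
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
  1: luks2
Tokens:
  0: clevis
        Keyslot:    1
Digests:
  0: pbkdf2'

# Run against a real device (root required). A fresh keyslot without a
# "clevis" token is exactly the state the post describes.
check_device() {
    dev="$1"
    dump=$(cryptsetup luksDump "$dev") || return 1
    if printf '%s\n' "$dump" | has_clevis_token; then
        echo "$dev: clevis token -> keyslot $(printf '%s\n' "$dump" | clevis_keyslots | tr '\n' ' ')"
        clevis luks list -d "$dev"               # pin and PCR policy as stored
    else
        echo "$dev: no clevis token in the LUKS2 header" >&2
        return 1
    fi
    lsinitrd | grep -q clevis || echo "initramfs lacks clevis; rerun dracut -f" >&2
    [ -c /dev/tpmrm0 ] || echo "/dev/tpmrm0 missing: TPM2 not exposed" >&2
}

if [ $# -eq 1 ]; then check_device "$1"; fi
```

Run it as root with the partition as the only argument, e.g. against /dev/nvme1n1p9; a header with a new keyslot but an empty result from clevis_keyslots means the bind did not leave a token for the boot-time unlock to find.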
