Use the following script to automatically prepare your system to decrypt your LUKS partition using your TPM2.

```sh
curl -O -J https://raw.githubusercontent.com/cpuschma/fedora-luks-tpm/refs/heads/master/tpm.sh
chmod u+x ./tpm.sh
sudo ./tpm.sh
```

You may edit any configuration, like the PCRs used or the PIN requirement, in the main function.
Requirements:

- Fedora 42
- Bash
- systemd-cryptenroll (should be installed by default on Fedora)
- A TPM2 module
- One or more LUKS partitions
- Your current LUKS password
If the chip refuses to decrypt, for example because a measured PCR value has changed (Secure Boot state is one such measurement) or because the chip is broken, a password prompt is offered as a fallback, or a key file is requested, depending on your setup.
Caution
Keep your password or your key file safe even after the TPM is set up, just as you should keep the BitLocker recovery key in Microsoft Windows.
The script will:

- If not otherwise defined, find a suitable LUKS partition and TPM device
- (If one already exists) Make a backup of your /etc/crypttab
- Configure your /etc/crypttab to use the TPM device
- Update your grub configuration to use the TPM device and enable TPM measurement
- Regenerate your initramfs using dracut
- (Optionally) Remove any already enrolled TPM2 devices
- Enroll your TPM2
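Two steps of the list above (the crypttab change and the enrollment), written out as stand-alone shell functions. This is an added example, not the repository's tpm.sh; the PCR selection (default 7, the Secure Boot state) and the device path you pass in are assumptions to adjust for your system.

```sh
#!/bin/sh
# Added example, not the repository's tpm.sh. Shows the crypttab rewrite and
# the systemd-cryptenroll step as separate functions. PCR 7 as the default
# and the device path argument are assumptions; adjust them to your system.
set -eu

# Rewrite one /etc/crypttab line ("name device keyfile options") so that
# systemd tries the TPM2 first. Existing options are preserved; a missing
# options field ("-", "none" or absent) is replaced; a line that already
# carries tpm2-device= is returned unchanged.
crypttab_add_tpm2() {
  line=$1; pcrs=${2:-7}
  tpm_opts="tpm2-device=auto,tpm2-pcrs=${pcrs}"
  set -- $line                      # split the line into its fields
  name=$1; dev=$2; key=${3:-none}; opts=${4:-}
  case "$opts" in
    ""|-|none)       opts="$tpm_opts" ;;
    *tpm2-device=*)  ;;               # already configured, leave as-is
    *)               opts="${opts},${tpm_opts}" ;;
  esac
  printf '%s %s %s %s\n' "$name" "$dev" "$key" "$opts"
}

# Back up crypttab (if present), then bind a new LUKS key slot to the TPM2.
# This prompts for the current LUKS password. Add --tpm2-with-pin=yes to
# require a PIN, and --wipe-slot=tpm2 to drop an earlier TPM2 enrollment.
enroll_tpm2() {
  dev=$1; pcrs=${2:-7}
  if [ -f /etc/crypttab ]; then
    cp -a /etc/crypttab "/etc/crypttab.bak.$(date +%Y%m%d%H%M%S)"
  fi
  systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$pcrs" "$dev"
}

# Check: after enrollment the LUKS header lists a systemd-tpm2 token.
has_tpm2_token() {
  cryptsetup luksDump "$1" | grep -q systemd-tpm2
}
```

The grub and dracut steps from the list are not covered here; the password or key file fallback described above remains in place because enrollment only adds a key slot.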