{
  "$type": "site.standard.document",
  "content": {
    "$type": "pub.lemma.blog.entry",
    "content": "# Save time when booting an encrypted drive in Linux\r\n\r\n![Alt text](https://cdn.bsky.app/img/feed_fullsize/plain/did:plc:5g2hkj2od4zr3tlpb2su364e/bafkreieni2kugjtqcsv3acpga35fbfy2rhvvdsmvpmop3rxx6agqfzytqa@jpeg \"Title\")\r\n\r\n#### Problem\r\nYou should have your drives encrypted, but you don't want to type your encryption passphrase every time you boot.\r\n\r\n#### Solution\r\nTo achieve this, you can enroll your computer's [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module) hardware security device into the [LUKS](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup) encrypted volume, so that the TPM can unlock the volume during boot from the [initramfs](https://en.wikipedia.org/wiki/Initial_ramdisk). When you're done and reboot, you'll momentarily see a prompt for your LUKS passphrase; ignore it, and after a couple of seconds the encrypted drive will unlock automatically.\r\n\r\n#### Let's go!\r\nThe process described here was tested on a machine with [Secure Boot](https://wiki.debian.org/SecureBoot) enabled and an encrypted drive with Kubuntu 26.04 LTS.\r\n\r\nAny PC from around 2016 or later should have a TPM, but you can check by installing the utility that queries the TPM for its properties.\r\n```sh\r\nsudo apt install tpm2-tools\r\n```\r\n\r\nYou can list the fixed properties of the TPM:\r\n```sh\r\nsudo tpm2_getcap properties-fixed\r\n```\r\n#### Important\r\nList your block devices' filesystem info and find the one where `FSTYPE` is `crypto_LUKS`, e.g. `nvme1n1p3`. **Replace it with your own device in all commands below**.\r\n```sh\r\nlsblk -f\r\n```\r\n```sh\r\nls -alh /dev/nvme1n1p3\r\n```\r\n\r\n## Ubuntu\r\nWe'll use [Clevis](https://ubuntu.com/server/docs/how-to/security/tpm-backed-luks-decryption-with-clevis/) to enroll the TPM.\r\n```sh\r\nsudo apt install clevis clevis-initramfs clevis-tpm2\r\n```\r\nCreate the enrollment. This ties the TPM2 unlock to the Secure Boot state: the TPM releases the key only while SHA-256 [PCR7](https://en.wikipedia.org/wiki/Trusted_Platform_Module#:~:text=the%20Unified%20Extensible,vCage%20memory%20encryption), which Secure Boot measures into, matches the value recorded at enrollment:\r\n```sh\r\nsudo clevis luks bind -d /dev/nvme1n1p3 tpm2 '{\"pcr_bank\":\"sha256\",\"pcr_ids\":\"7\"}'\r\n```\r\nYou'll be asked to enter your passphrase.  \r\nVerify the token was added to the key slot. You'll probably see a slot for your passphrase, a slot for your TPM key, and a token for that slot.\r\n```sh\r\nsudo cryptsetup luksDump /dev/nvme1n1p3\r\n```\r\n```\r\nKeyslots:\r\n  1: luks2\r\nTokens:\r\n  0: clevis\r\n\tKeyslot:    1\r\n```\r\nUpdate the kernel's initramfs so the TPM logic is included in the early boot environment:\r\n```sh\r\nsudo update-initramfs -u\r\n```\r\nReboot.\r\n\r\n## Fedora, Arch\r\nDistros like Arch and Fedora use [systemd](https://systemd.io/)’s own initramfs, so you can follow these steps.\r\nEnroll the TPM2 security chip:\r\n```sh\r\nsudo systemd-cryptenroll --tpm2-device=auto /dev/nvme1n1p3\r\n```\r\nYou'll be asked to enter your passphrase and you should see something like\r\n```\r\nNew TPM2 token enrolled as key slot 1\r\n```\r\nVerify the token was added to the key slot:\r\n```sh\r\nsudo cryptsetup luksDump /dev/nvme1n1p3\r\n```\r\n```\r\nTokens:\r\n  0: systemd-tpm2\r\n\tKeyslot:    1  \r\n```\r\nIn order to unlock a LUKS2 volume with an enrolled TPM2 security chip, specify the `tpm2-device=` option in the respective `/etc/crypttab` line.\r\n\r\n```sh\r\nsudo nano /etc/crypttab\r\n```\r\n```\r\ncryptroot UUID=XXXX    none    luks,tpm2-device=auto\r\n```\r\nUpdate the kernel's initramfs so the TPM logic is included in the early boot environment. These distros do not ship `update-initramfs`; use their own initramfs generator:\r\n```sh\r\n# Fedora (dracut): regenerate the initramfs for the running kernel\r\nsudo dracut -f\r\n# Arch (mkinitcpio): regenerate the initramfs for all installed presets\r\nsudo mkinitcpio -P\r\n```\r\nReboot.\r\n\r\n#### Note:\r\nUnlike other distros, Ubuntu’s `initramfs-tools` does not support the `tpm2-device=` option in `/etc/crypttab`, even though systemd itself does. The initramfs tools shipped in Ubuntu/Kubuntu simply ignore this option. That's why this guide uses Clevis for the enrollment on Ubuntu."
  },
  "path": "/3mkouy7mhb22o",
  "publishedAt": "2026-04-30T05:28:35.020Z",
  "site": "at://did:plc:5g2hkj2od4zr3tlpb2su364e/site.standard.publication/3mmhg6ulmlszy",
  "title": "Save time when booting an encrypted drive in Linux",
  "updatedAt": "2026-04-30T15:38:56.801Z"
}