wmcelderry / systemd_with_tpm2

Scripts to enable TPM2 on ubuntu 22.04
GNU General Public License v3.0

Expanding on the Cryptenroll procedure #9

Open PeterQFR opened 1 year ago

PeterQFR commented 1 year ago

I'm having an issue after enrolling a tpm2 key based on pcrs 0, 7 in that it still asks for a password on boot. This is a Ubuntu-server 22.04.2 minimised.

I followed [this archlinux doc](https://wiki.archlinux.org/title/Trusted_Platform_Module#Data-at-rest_encryption_with_LUKS) to enroll the key, after running the ./install.sh

#systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/sda3  #this is my encrypted partition.

Am I missing a step? In a previous attempt to get this working I was following an archlinux guide and there were additional kernel command line arguments. Also when I look at the crypttab there's no tpm2=auto flag... not sure if there should be? e.g.:

$cat /etc/crypttab
dm_crypt-0 UUID=24f337b3-1b1f-419f-b67c-b161738dab81 none luks
wmcelderry commented 1 year ago

cryptenroll looks right. yep, need tpm2=auto in crypttab

wmcelderry commented 1 year ago

just realised it was tpm2-device=auto IIRC.

PeterQFR commented 1 year ago

@wmcelderry That alone won't work; you also have to update the initramfs for the values in the crypttab to be recognised. e.g. crypttab:

sda3_crypt UUID=7206ce9c-4968-4da2-b205-f10f0c11fbd5 none tpm2-device=auto,luks,discard

then update the initramfs:

sudo update-initramfs -u -k $(uname -r)
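The three steps the thread converges on (enroll a TPM2 token against PCRs 0+7, add `tpm2-device=auto` to the crypttab options, rebuild the initramfs) as one script. This is an added example, not code from the wmcelderry/systemd_with_tpm2 repo or from either participant. The crypttab rewrite is done by a small idempotent function so re-running it never stacks duplicate options, and a second function checks `cryptsetup luksDump` output for the `systemd-tpm2` token that `systemd-cryptenroll` creates, so you can confirm the enrollment actually landed before rebooting. The `--apply` entry point, the `/etc/crypttab.bak` backup path and the sample luksDump text are assumptions/constructed data; the sample crypttab line reuses the one posted above.

```shell
#!/usr/bin/env bash
# Added example, not part of the original thread or project. Run with no
# arguments for an offline demo on constructed data; run as
#   sudo ./tpm2_enroll.sh --apply /dev/sda3
# to perform the real procedure (root, a TPM2 and a LUKS2 device required).
set -u

# Insert tpm2-device=auto into the options field of one crypttab line.
# crypttab fields: <name> <device> <keyfile> <options>. Comments and blank
# lines pass through untouched; a line that already carries the option is
# returned unchanged, so the rewrite is safe to repeat.
crypttab_add_tpm2() {
    local line="$1"
    case "$line" in
        '#'*|'') printf '%s\n' "$line"; return 0 ;;
    esac
    # shellcheck disable=SC2086
    set -- $line
    local name="${1:-}" dev="${2:-}" key="${3:-none}" opts="${4:-}"
    if [ -z "$name" ] || [ -z "$dev" ]; then
        printf '%s\n' "$line"; return 0
    fi
    case ",$opts," in
        *,tpm2-device=auto,*) ;;                     # already present
        ,,) opts="tpm2-device=auto,luks" ;;          # no options field at all
        *)  opts="tpm2-device=auto,$opts" ;;
    esac
    printf '%s %s %s %s\n' "$name" "$dev" "$key" "$opts"
}

# Return 0 if the "Tokens:" section of `cryptsetup luksDump` output (passed
# as a string) lists a systemd-tpm2 token, 1 otherwise.
luks_has_tpm2_token() {
    printf '%s\n' "$1" | awk '
        /^Tokens:/ { in_tokens = 1; next }
        /^[A-Z]/   { in_tokens = 0 }
        in_tokens && /systemd-tpm2/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# The real procedure from the thread. Keeps a copy of the old crypttab and
# verifies the token afterwards instead of trusting the exit code alone.
apply_tpm2_enrollment() {
    local dev="$1"
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 "$dev" || return 1
    cp /etc/crypttab /etc/crypttab.bak                      # assumed backup path
    while IFS= read -r l; do crypttab_add_tpm2 "$l"; done \
        < /etc/crypttab.bak > /etc/crypttab
    update-initramfs -u -k "$(uname -r)" || return 1
    if luks_has_tpm2_token "$(cryptsetup luksDump "$dev")"; then
        echo "systemd-tpm2 token present on $dev"
    else
        echo "no systemd-tpm2 token found on $dev" >&2; return 1
    fi
}

# Constructed sample data for the offline demo (crypttab line from the thread;
# luksDump text is a trimmed, hand-written imitation of LUKS2 output).
SAMPLE_CRYPTTAB_LINE='dm_crypt-0 UUID=24f337b3-1b1f-419f-b67c-b161738dab81 none luks'
SAMPLE_LUKSDUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
  1: luks2
Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   0+7
        tpm2-pcr-bank:    sha256
        Keyslot:    1
Digests:
  0: pbkdf2'

if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    apply_tpm2_enrollment "$2"
elif [ -z "${1:-}" ]; then
    crypttab_add_tpm2 "$SAMPLE_CRYPTTAB_LINE"
    luks_has_tpm2_token "$SAMPLE_LUKSDUMP" && echo "sample dump: systemd-tpm2 token found"
fi
```

Two caveats worth keeping in mind with this binding: PCR 0 covers firmware code and PCR 7 covers the Secure Boot policy, so a firmware update or a change to the Secure Boot state or key databases will stop the TPM unsealing and systemd-cryptsetup will fall back to the passphrase prompt, which is why the passphrase keyslot should stay enrolled. The `discard` option in the crypttab line above passes TRIM through the dm-crypt layer, which leaks the layout of free space on the disk; leave it out if that matters more than SSD performance.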