Clevis

TPM-Based Full Disk Encryption without Manual Passphrase Entry

## TPM (Trusted Platform Module) - Version 2.0
sudo dmesg | grep -i tpm
sudo apt install clevis clevis-luks clevis-initramfs clevis-tpm2
## Read the current SHA-256 PCR values:
sudo tpm2_pcrread
  • Platform Configuration Registers:
    • PCR 0: Firmware / BIOS / UEFI Code (Platform Firmware State)
    • PCR 1: Firmware Configuration (BIOS/UEFI Settings)
    • PCR 2: Option ROMs / External Firmware (e.g., GPU, NIC)
    • PCR 3: Device Configuration (Hardware State)
    • PCR 4: Bootloader Code (e.g., GRUB, Shim)
    • PCR 5: Bootloader Configuration (e.g., grub.cfg)
    • PCR 6: Platform State / Miscellaneous
    • PCR 7: Secure Boot State (Enable/Disable, Keys)
sudo clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,7"}'
## Enter existing LUKS password:
sudo update-initramfs -u
## update-initramfs: Generating /boot/initrd.img-6.12.74+deb13+1-amd64
sudo clevis luks list -d /dev/nvme0n1p3
## 1: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"0,7"}'
lsinitramfs /boot/initrd.img-$(uname -r) | grep clevis
## scripts/local-bottom/clevis
## scripts/local-top/clevis
## usr/bin/clevis
## usr/bin/clevis-decrypt
## usr/bin/clevis-decrypt-null
## usr/bin/clevis-decrypt-sss
## usr/bin/clevis-decrypt-tang
## usr/bin/clevis-decrypt-tpm2
## usr/bin/clevis-luks-common-functions
## usr/bin/clevis-luks-list
## usr/bin/clevis-luks-unlock
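## Back up the LUKS header (key slots and Clevis metadata); store header.img off the encrypted disk:
sudo cryptsetup luksHeaderBackup /dev/nvme0n1p3 --header-backup-file header.img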
## Unlock a LUKS device using Clevis-bound credentials:
sudo clevis luks unlock -d /dev/nvme0n1p3
## Remove a Clevis binding from a LUKS device (Slot 1):
sudo clevis luks unbind -d /dev/nvme0n1p3 -s 1
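
Because the binding above seals the key to PCRs 0 and 7, a firmware or Secure Boot change alters those values, the TPM stops releasing the key, and boot falls back to the LUKS passphrase. The following added example (not part of the original page) compares a saved `tpm2_pcrread sha256:0,7` capture with a current one; the sample digests, the `pcr_pairs`/`pcr_drift` names and the `pcr-baseline.txt` file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which PCRs changed between two captures of
# `tpm2_pcrread sha256:0,7` output (the bank and PCRs bound above).

# Constructed sample captures; the digests are made up for illustration.
SAMPLE_BASELINE='  sha256:
    0 : 0x1111111111111111111111111111111111111111111111111111111111111111
    7 : 0x7777777777777777777777777777777777777777777777777777777777777777'
SAMPLE_AFTER_UPDATE='  sha256:
    0 : 0x2222222222222222222222222222222222222222222222222222222222222222
    7 : 0x7777777777777777777777777777777777777777777777777777777777777777'

# Reduce tpm2_pcrread text on stdin to "index=digest" lines (sha256 bank only).
pcr_pairs() {
    awk '
        /^[ \t]*[a-z][a-z0-9_]*[ \t]*:/ { bank = $1; sub(/:.*/, "", bank); next }
        bank == "sha256" && /^[ \t]*[0-9]+[ \t]*:/ {
            gsub(/[ \t]/, "")
            split($0, f, ":")
            print f[1] "=" tolower(f[2])
        }'
}

# pcr_drift BASELINE_TEXT CURRENT_TEXT
# Prints the drifted PCR indices, comma-separated.
# Exit status: 0 = unchanged, 1 = drift, 2 = baseline has no sha256 PCRs.
pcr_drift() (
    base=$(printf '%s\n' "$1" | pcr_pairs)
    cur=$(printf '%s\n' "$2" | pcr_pairs)
    [ -n "$base" ] || { echo "no sha256 PCRs in baseline" >&2; exit 2; }
    drift=""
    for pair in $base; do
        # Drifted if the exact index=digest line is absent from the current capture.
        printf '%s\n' "$cur" | grep -Fxq -- "$pair" ||
            drift="${drift:+$drift,}${pair%%=*}"
    done
    [ -z "$drift" ] && exit 0
    printf '%s\n' "$drift"
    exit 1
)

# Real use (pcr-baseline.txt is a hypothetical file saved right after binding):
#   pcr_drift "$(cat pcr-baseline.txt)" "$(sudo tpm2_pcrread sha256:0,7)"
```

When the drift is expected (for example after a firmware update), unlock with the passphrase, then run the `clevis luks unbind` and `clevis luks bind` commands above again to reseal against the new values.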


Daiphys Technologies LLC - https://www.daiphys.com/

  • Last modified: 2026/04/19 12:41
  • by Daiphys