Configure LUKS+TPM2 on Kinoite

enboig · September 19, 2025, 6:54pm

I am trying to install Kinoite using encryption on a laptop. This part works flawless.

I tried following Use systemd-cryptenroll with FIDO U2F or TPM2 to decrypt your disk - Fedora Magazine and I understand it is the new “way” of it (old one Automatically decrypt your disk using TPM2 - Fedora Magazine); but it fails on sudo dracut -f.

The lapot is for a user, so having:

bios password protected
boot menu blocked
hard disk encrypted

Should be enough in my case. Any idea of what am I doing wrong?

And any advice on PCR options for my use-case is wellcome.

tqcharm · September 20, 2025, 10:24am

Regenerating initramfs on atomic desktops doesn’t work with the dracut command AFAIK. Instead rpm-ostree initramfs with specific arguments should be used, but you can try with the ligher rpm-ostree initramfs-etc --track <path-to-file> first, it might be enough. See the man page of rpm-ostree for details.

siosm · September 20, 2025, 11:22am

See Document fido2 setup for root disk · Issue #546 · fedora-silverblue/issue-tracker · GitHub for FIDO setup instructions.

enboig · September 21, 2025, 4:43pm

Thanks, I look at it

Topic		Replies	Views
Unlock LUKS with FIDO2 token Ask Fedora f36 , silverblue	1	1535	April 10, 2023
Unlock LUKS encrypted rootfs using TPM during boot Ask Fedora f35 , luks2 , silverblue	1	2042	March 21, 2022
Include fido2 and tpm2-tss into the initramfs by default Project Discussion engineering	1	738	June 19, 2023
FC30 can't login after kernel update to 5.3.6-200.fc30.x86_64 on crypted LVM Ask Fedora	4	541	October 20, 2019
How to unlock LUKS volume with Yubikey (FIDO2) Ask Fedora	1	3359	May 27, 2021

Configure LUKS+TPM2 on Kinoite

Related topics