Hi Community,
I’m facing a new problem. I’m using a LUKS2-encrypted disk, automatically decrypted with TPM2 at boot. I had installed a recovery key with systemd-cryptenroll /path/to/LUKS2 --recovery-key
Today I figured out that I have installed two recovery keys, so I decided to remove one key by issuing the systemd-cryptenroll ... --wipe-slot recovery command. I thought it would prompt me for a choice, e.g. by entering the remaining key. But in fact, this command deletes all recovery keys without confirmation, so LUKS2 is now only protected by the TPM2 and I’m unable to insert any other key again.
Is there any chance to insert another passphrase or recovery key using the remaining TPM2 module?
Edit: it looks like the data in the LUKS header is still present, so all I have to do is to reinsert the information gathered with luksDump, I think…