Hi everyone i’ve been trying for a few days to figure out how to unlock my LUKS2-encrypted root partition using TPM 2.0.
I read that I need to use systemd-cryptenroll, specifically with this command:
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/disk
But beyond that, I haven’t found much helpful information. Most guides mention mkinitcpio, which Fedora hasn’t used for years.
Can someone help me?
Thanks in advance 
May I ask why you would need it in the first place ? What might be the use case of this in your situation ?
P.S.: there is an 2023 article of Fedora Magazine on this topic - Automatically decrypt your disk using TPM2 - Fedora Magazine
I need to encrypt my disk because I’m often on the move with my laptop, and I want to prevent a potential thief from simply connecting the drive to another PC and accessing everything. The problem is, having to enter the password at every boot is kind of annoying especially since my password isn’t exactly short. And if I mistype it, I have to rewrite the whole thing from scratch. Thanks for the link! I already had a quick look, and it seems to answer my question. I’ll give it a try tomorrow.
Potential thief can potentially access your drive in your laptop after it boots. TPM unlock removes one layer of protection once your laptop is booted.
Security rarely goes together with convenience. If you care about your portable system you’d normally employ as many as possible security measures, of course all aligned and still practical/feasible.
Next question what is the importance/price of what you want to protect 
? And what are exact your threat vectors ?
P.S.: I feel you, mine is a poem 
, but I enter it every time my PC (not even a laptop ) boots. I want as many practical barriers between the info I have and potential thief.
Sure, a thief who gains access directly through my laptop could potentially unlock the disk automatically via TPM but they’d still be faced with the lock screen. While Linux lock screens haven’t always been the most secure in the past, modern integrations like session locking have made things more reliable.
In any case, the security–convenience trade-off is acceptable for me. The data I’m trying to protect is personal information that I’d simply prefer to keep private and inaccessible to others.
Thanks, Michael, for the tips, the advice, and the link!
This afternoon I’ll try to solve the issue using that other link you shared.
The PCRs I mentioned earlier were just an example I found online I’ll actually be using different ones in the final setup.
Anyway, thanks again for the guidance!