Fedora Linux LUKS Encryption with TPM Unlock

Windows has BitLocker and Linux has LUKS for full disk encryption, but by default LUKS does not unlock via the TPM and instead requires a password at every boot.

There are many guides out there that show a very complex setup, but for the basic case, encrypting the root partition and unlocking it with the TPM, it's actually fairly simple.

The following commands will set up your Fedora Linux LUKS boot volume (tested with Fedora 32) to unlock automatically with the TPM.

# install clevis with its LUKS and dracut (initramfs) integration
dnf install clevis clevis-dracut clevis-luks
# add a TPM2-sealed keyslot to the LUKS device, tied to PCR 7; prompts for the existing passphrase
clevis luks bind -d /dev/sda3 tpm2 '{"pcr_ids":"7"}'
# rebuild the initramfs so the clevis unlock hook runs at boot
dracut -f
reboot

This was tested on an EFI system with Secure Boot disabled.
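The bind step from above wrapped in the pre-flight checks a practitioner would want, added here as an example rather than the post's own commands: it builds the tpm2 pin configuration from a PCR list, refuses to bind unless the target is really a LUKS device and a TPM2 node is present, and confirms the bound keyslot before regenerating the initramfs. It assumes the packages from the dnf step are already installed and a clevis version that provides the "clevis luks list" subcommand; the device path and PCR list are parameters.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Fedora with the clevis,
# clevis-luks and clevis-dracut packages installed. Run as root on a real system.

# Build the clevis tpm2 pin configuration for a comma-separated PCR list.
# PCR 7 (the post's choice) records the Secure Boot policy, so the TPM only
# releases the key while the Secure Boot state matches the one at bind time.
tpm2_pin_config() {
    printf '{"pcr_ids":"%s"}' "$1"
}

# Validate a PCR list: comma-separated integers in 0..23 (a TPM 2.0 bank).
valid_pcr_list() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]|1[0-9]|2[0-3])(,([0-9]|1[0-9]|2[0-3]))*$'
}

# Bind the LUKS device to the TPM2 after verifying every precondition.
# Returns non-zero without touching the device if any check fails.
bind_luks_tpm2() {
    dev="$1"; pcrs="$2"
    valid_pcr_list "$pcrs" || { echo "bad PCR list: $pcrs" >&2; return 1; }
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    [ -c /dev/tpmrm0 ] || [ -c /dev/tpm0 ] || { echo "no TPM2 device node" >&2; return 1; }
    command -v clevis >/dev/null || { echo "clevis not installed" >&2; return 1; }
    cryptsetup isLuks "$dev" || { echo "$dev is not a LUKS device" >&2; return 1; }
    # The bind prompts for an existing passphrase; that slot stays as fallback.
    clevis luks bind -d "$dev" tpm2 "$(tpm2_pin_config "$pcrs")" || return 1
    # Confirm the new keyslot shows the tpm2 pin before rebuilding the initramfs.
    clevis luks list -d "$dev" | grep -q tpm2 || { echo "bind not visible" >&2; return 1; }
    dracut -f
}
```

Usage on the post's layout would be "bind_luks_tpm2 /dev/sda3 7" followed by a reboot.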

These guides were very helpful: