
TPM disk unlock

Setup

With secure boot in place, TPM can be used to automatically unlock encrypted partitions.

  1. Enable TPM in the BIOS.

  2. For each encrypted partition, set up disk unlock by replacing <encrypted-partition> with its identifier, e.g. nvme0n1p1, sda1 or disk/by-label/NIXOS.

    sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+7+12 /dev/<encrypted-partition>

Troubleshooting

Outdated TPM disk unlock

After an OS or UEFI update on a system that uses TPM disk unlock, the disks may no longer be unlocked automatically and you will be prompted for the encryption password on boot. The following steps might resolve this issue.

  1. For each encrypted partition, remove the TPM disk unlock enrollment by replacing <encrypted-partition> with its identifier.

    sudo systemd-cryptenroll --wipe-slot tpm2 /dev/<encrypted-partition>
  2. Set up TPM disk unlock again.
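A helper for the troubleshooting case above, added here as an example and not taken from the page: it snapshots the four PCRs the enrollment binds to (0, 2, 7, 12) and reports which of them changed after an update, so you can tell what invalidated the binding before wiping and re-enrolling. It assumes tpm2-tools (`tpm2_pcrread`) is installed and uses an assumed snapshot path, overridable with PCR_SNAPSHOT.

```shell
#!/usr/bin/env bash
# Added example: detect which of the PCRs bound by systemd-cryptenroll drifted.
# Assumes tpm2-tools for live snapshots; the diffing itself needs no TPM.
set -eu

PCRS="0,2,7,12"
SNAPSHOT="${PCR_SNAPSHOT:-/var/lib/tpm-pcr-snapshot.txt}"   # assumed path

# Print the selected sha256 PCRs as "index 0xHEX" lines. tpm2_pcrread prints
# "  N : 0xHEX" under a "sha256:" header; sed normalises that layout.
snapshot_pcrs() {
    tpm2_pcrread "sha256:${PCRS}" | sed -n 's/^ *\([0-9]*\) *: *\(0x[0-9A-Fa-f]*\).*/\1 \2/p'
}

# changed_pcrs OLD NEW: print the indices whose value differs between two
# snapshot files in the layout above; prints nothing when every PCR matches.
changed_pcrs() {
    awk 'NR == FNR { old[$1] = $2; next }
         ($1 in old) && old[$1] != $2 { print $1 }' "$1" "$2"
}

# What each bound PCR measures, i.e. which kind of update resets it.
pcr_meaning() {
    case "$1" in
        0)  echo "UEFI firmware code (UEFI update)" ;;
        2)  echo "option ROMs and pluggable firmware (hardware or firmware change)" ;;
        7)  echo "Secure Boot policy and certificates (key or policy change)" ;;
        12) echo "kernel command line and systemd-stub configuration (OS update)" ;;
        *)  echo "unknown PCR $1" ;;
    esac
}

# report OLD NEW: explain the drift and point at the wipe/re-enroll steps.
report() {
    changed="$(changed_pcrs "$1" "$2")"
    if [ -z "$changed" ]; then
        echo "no bound PCR changed; the problem is not PCR drift"
        return 0
    fi
    for pcr in $changed; do
        echo "PCR $pcr changed: $(pcr_meaning "$pcr")"
    done
    echo "re-enroll: systemd-cryptenroll --wipe-slot tpm2 <dev>, then enroll again"
}

# Usage: "$0 --save" after a known-good boot, "$0 --check" after an update.
case "${1-}" in
    --save)  snapshot_pcrs > "$SNAPSHOT" ;;
    --check) current="$(mktemp)"; snapshot_pcrs > "$current"; report "$SNAPSHOT" "$current" ;;
esac
```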

Further reading