Ubuntu 24.04.3 + TPM 2.0 Full-Disk Auto-Unlock

🧰 Requirements

• Ubuntu 24.04.3 (kernel 6.8 + systemd 255)
• A LUKS2-formatted encrypted root or data device
• A visible TPM 2.0 device (/dev/tpmrm0)
• Sudo privileges

---

1️⃣ Install required packages

sudo apt update
sudo apt install -y clevis clevis-tpm2 clevis-initramfs tpm2-tools

These provide TPM2 support and add Clevis hooks to your initramfs.

---

2️⃣ Verify TPM is working

ls /dev/tpm*
sudo tpm2_getcap pcrs | grep -A5 "sha"

✅ You should see /dev/tpmrm0 and PCR banks such as sha256.

---

3️⃣ Bind your LUKS volume to the TPM 2.0

Replace /dev/sda3 with your encrypted partition:

sudo clevis luks bind -d /dev/sda3 tpm2 '{"pcr_bank":"sha256","pcr_ids":"7"}'

• Enter your existing LUKS passphrase when asked.
• On success, you’ll see: Successfully bound device /dev/sda3 with TPM2

PCR 7 measures Secure Boot state — safe and reliable for most setups.

---

4️⃣ Rebuild initramfs

Make sure the Clevis unlock logic is included at boot:

sudo update-initramfs -u

---

5️⃣ Reboot and test

Reboot your system:

sudo reboot

✅ If the TPM and PCR values match, the disk unlocks automatically. ❌ If the TPM can’t unseal (PCR mismatch, TPM cleared, etc.), you’ll be asked for your passphrase.

---

6️⃣ (Optional) Verify the binding

After boot:

sudo clevis luks list -d /dev/sda3

You’ll see a JSON entry showing the TPM2 binding.

---

🧠 Key points to remember

Purpose	Tool	Works on 24.04.3?
TPM auto-unlock	Clevis TPM2	✅ Stable
systemd TPM unlock	systemd-cryptenroll	⚠️ Partial support only
Token listing (--list)	systemd-cryptenroll --list	❌ Unavailable
Initramfs framework	Legacy (initramfs-tools)	✅ Used by Clevis hooks

---

⚡ TL;DR

sudo apt install -y clevis clevis-tpm2 clevis-initramfs tpm2-tools
sudo clevis luks bind -d /dev/sda3 tpm2 '{"pcr_bank":"sha256","pcr_ids":"7"}'
sudo update-initramfs -u
sudo reboot

That’s it — your Ubuntu 24.04.3 system now uses the TPM 2.0 to automatically unlock the encrypted disk at boot.