#1 2026-01-07 18:34:56

Aipathon
Member
Registered: 2025-06-04
Posts: 8

How to use TPM2 Module with LUKS

So, I have the following problem. I have my hard drive encrypted with LUKS and want to make use of my TPM2 module for automatic decryption. So I started to dig into it. I first followed this guide. (Tl;dr: verifying TPM2 support, installing tpm2-tools and enabling the tpm2-abrmd service.) Next I wanted to create my keys, a keyslot and seal the key to the TPM as it has been stated here.

# Create a new key slot
sudo cryptsetup luksAddKey /dev/sda1 /root/tpm_key
# Seal the key to the TPM
sudo tpm2_createprimary -C o -c primary.ctx
sudo tpm2_create -C primary.ctx -u key.pub -r key.priv -a "fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt" -L "sha256:0000000000000000000000000000000000000000000000000000000000000000" -i /root/tpm_key -o sealed_key

I manually had to add the keyslot file for cryptsetup to work (sudo touch /root/tpm_key), but that was not too much of a problem.
The next problem happened when trying to bind the key to the TPM (the last command). I got the error message

Could not convert "sha256:0000000000000000000000000000000000000000000000000000000000000000" . Neither a filepath nor hexstring.
ERROR: unable to run tpm2_create

A quick look into the documentation of tpm2_create shows that the -L option is optional. Leaving it out produces even more errors (it causes a TPM error and it needs the policy scheme that should be provided using -L), so it seems like I can't just leave it out.

A few quick looks later I discovered tpm2_createpolicy, which should be capable of creating a policy for tpm2_create. However, I could not decipher how to actually create such a policy.

I quickly found out (due to error messages) that tpm2_create currently only supports policy creation according to the PCR policy. So I tried running

tpm2_createpolicy --policy-pcr -L policy.file

only to retrieve the error "No selection PCR data specified". A quick look into the example command provided showed that I need to get a PCR policy file. After some more searching I finally found something that looked almost like a "tutorial" on how I can finally get this god damn policy file, which I followed as stated below:

tpm2_createprimary -C e -g sha256 -G ecc -c primary.ctx
tpm2_pcrread -o pcr.dat "sha1:0,1,2,3"
tpm2_startauthsession -S session.dat
tpm2_policypcr -S session.dat -l "sha1:0,1,2,3" -f pcr.dat -L policy.dat

Everything worked until the last command, which would have created my precious policy. What error did I get? "ERROR: Could not parse PCR selections" was what it threw at me. I don't get it, I literally followed the exact same steps the instructions did, and it still does not work. Up to this point it has been quite a journey, but I still knew where I had to look to eventually get everything working; at this point I have literally zero idea what I can try to do.

So, does anyone know how I can get this PCR policy (hoping that this finally enables me to bind the LUKS keys to the TPM), or does anyone know any other solution for how I can use my TPM module to hold the keys for LUKS?

PS: Before someone asks, yes, the device in question has a TPM 2.0 chip.

Last edited by Aipathon (2026-01-07 18:36:00)


#2 2026-01-08 05:34:31

system72
Member
Registered: 2025-11-22
Posts: 469

Re: How to use TPM2 Module with LUKS

Third-party guides like this are not supported here; only the official Arch wiki is supported. Follow this instead:

https://wiki.archlinux.org/title/Dm-cry … ecure_Boot

specifically 3.7 and 3.8

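The following script is an added example, not code from either post or from the Arch wiki. It puts the two routes discussed in this thread into one runnable file: the manual tpm2-tools flow the first post attempts (seal a LUKS keyfile to a PCR policy, then unseal it with a policy session), and the systemd-cryptenroll route the second post's wiki link leads to. Two points it makes explicit: the -L argument of tpm2_create is the policy digest file written by tpm2_policypcr, not a PCR bank or PCR value, which is why a string starting with "sha256:" is rejected as "neither a filepath nor hexstring"; and the policy digest is computed in a trial session (tpm2_startauthsession without --policy-session), while unsealing needs a real policy session. The device /dev/sda1, keyfile /root/tpm_key, working directory /root/tpm2-seal, PCR selection sha256:0,2,4,7, persistent handle 0x81010001, the object attributes passed to tpm2_create, and tpm2-tools 5.x option syntax are assumptions; adjust them for your system. pcr_list_valid is a hypothetical helper that checks the selection syntax before any TPM command runs, so a malformed list fails with a clear message instead of a tool error.

```shell
#!/bin/sh
# Added example (not from the thread): seal a LUKS keyfile to a TPM 2.0 PCR
# policy with tpm2-tools 5.x, unseal it again, or enroll via systemd-cryptenroll.
# Assumed values (override through the environment): device, keyfile, PCRs, handle.
set -eu

DEV="${DEV:-/dev/sda1}"
KEYFILE="${KEYFILE:-/root/tpm_key}"
PCRS="${PCRS:-sha256:0,2,4,7}"
HANDLE="${HANDLE:-0x81010001}"
WORK="${WORK:-/root/tpm2-seal}"

# Hypothetical helper: validate a tpm2-tools PCR selection of the form
# "bank:idx[,idx...][+bank:idx,...]" with indices 0..23. Pure shell, no TPM needed.
pcr_list_valid() {
    sel="$1"
    bank='(sha1|sha256|sha384|sha512)'
    printf '%s' "$sel" | grep -Eq "^${bank}:[0-9]+(,[0-9]+)*([+]${bank}:[0-9]+(,[0-9]+)*)*$" || return 1
    for tok in $(printf '%s' "$sel" | tr '+:,' '   '); do
        case "$tok" in
            *[!0-9]*) ;;                          # bank name, nothing to range-check
            *) [ "$tok" -le 23 ] || return 1 ;;   # PCR index out of range
        esac
    done
    return 0
}

seal_key() {
    pcr_list_valid "$PCRS" || { echo "invalid PCR selection: $PCRS" >&2; return 1; }
    mkdir -p "$WORK" && chmod 700 "$WORK" && cd "$WORK"

    # Random 32-byte keyfile in a free LUKS keyslot (prompts for an existing passphrase).
    if [ ! -s "$KEYFILE" ]; then
        dd if=/dev/urandom of="$KEYFILE" bs=32 count=1 status=none
        chmod 600 "$KEYFILE"
        cryptsetup luksAddKey "$DEV" "$KEYFILE"
    fi

    # Primary key in the owner hierarchy; the sealed object is created under it.
    tpm2_createprimary -C o -c primary.ctx

    # Policy digest from the current PCR values, computed in a TRIAL session.
    # -L on tpm2_policypcr writes the digest that tpm2_create's -L later consumes.
    tpm2_pcrread -o pcr.dat "$PCRS"
    tpm2_startauthsession -S trial.ctx
    tpm2_policypcr -S trial.ctx -l "$PCRS" -f pcr.dat -L policy.digest
    tpm2_flushcontext trial.ctx

    # Seal the keyfile (-i) to the policy (-L). Assumed attributes: a sealed blob
    # is data, not a key, so no restricted/decrypt/sign; userwithauth is left out
    # so only the PCR policy, not a password, can unseal it.
    tpm2_create -C primary.ctx -i "$KEYFILE" -L policy.digest \
        -a "fixedtpm|fixedparent" -u seal.pub -r seal.priv
    tpm2_load -C primary.ctx -u seal.pub -r seal.priv -c seal.ctx
    # Persist it so the initramfs can unseal by handle alone.
    tpm2_evictcontrol -C o -c seal.ctx "$HANDLE"
    echo "sealed $KEYFILE to $PCRS at handle $HANDLE" >&2
}

unseal_key() {
    # Real policy session: the TPM replays the PCR policy against live values.
    tpm2_startauthsession --policy-session -S "$WORK/pol.ctx"
    tpm2_policypcr -S "$WORK/pol.ctx" -l "$PCRS"
    rc=0
    tpm2_unseal -c "$HANDLE" -p "session:$WORK/pol.ctx" || rc=$?
    tpm2_flushcontext "$WORK/pol.ctx"   # always free the session slot
    return "$rc"                        # nonzero if PCRs no longer match
}

enroll_systemd() {
    # The route the wiki reply points to: systemd manages sealing and unlocking.
    # PCR 7 (Secure Boot state) is the usual choice for a UKI/Secure Boot setup.
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$DEV"
}

case "${1:-}" in
    seal)           seal_key ;;
    unseal)         unseal_key ;;          # e.g. ./tpm-luks.sh unseal | cryptsetup open --key-file=- "$DEV" cryptroot
    enroll-systemd) enroll_systemd ;;
    check)          pcr_list_valid "${2:-$PCRS}" && echo "ok: ${2:-$PCRS}" ;;
    *)              echo "usage: $0 seal|unseal|enroll-systemd|check [pcrs]" >&2 ;;
esac
```

Run `./tpm-luks.sh seal` once as root, then `./tpm-luks.sh unseal` to confirm the keyfile comes back; if it does not, the live PCR values differ from the ones sealed against (firmware or bootloader changed), and the passphrase keyslot is the fallback. Note that the PCR selection must name a bank the TPM actually has enabled (check with `tpm2_pcrread`); a syntactically valid list such as `sha1:0,1,2,3` still fails later if the sha1 bank is disabled.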

Powered by FluxBB