Fedora Full Disk Encryption with TPM2
Automate your disk decryption
Posted: February 27, 2026
I’ve always opted for Full Disk Encryption (FDE) while setting up Fedora Workstation. FDE protects data at rest, but entering a passphrase on every boot gets annoying, especially if you use Fedora’s offline upgrades often.
So here is a small guide on how to set up the TPM2 module to automatically decrypt LUKS partitions on Fedora, which will make life a little easier.
Before we start
Let’s first make sure that we know which encrypted LUKS partitions we want to auto-unlock at boot. You can use the lsblk command to find them.
~$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
zram0 251:0 0 8G 0 disk [SWAP]
nvme0n1 259:0 0 476,9G 0 disk
├─nvme0n1p1 259:1 0 600M 0 part /boot/efi
├─nvme0n1p2 259:2 0 1G 0 part /boot
└─nvme0n1p3 259:3 0 475,4G 0 part
└─luks-80dcf7... 252:0 0 475,3G 0 crypt /home
Find the partition that hosts the luks- device of type crypt; it will usually carry the /home mountpoint.
In this case that would be /dev/nvme0n1p3. Use this path as the target for all following steps!
Step 1: Configure Dracut
Fedora uses dracut to generate the initramfs (the early boot image), which is responsible for unlocking and mounting the encrypted LUKS partition at boot.
To unlock the encrypted LUKS partition automatically, we will use the tpm2-tss dracut module to access the TPM2 chip from the initramfs.
Unfortunately, Fedora Workstation does not include this module by default, so we need to tell dracut to add it:
echo "add_dracutmodules+=\" tpm2-tss \"" | sudo tee /etc/dracut.conf.d/tpm2.conf
Step 2: Bind LUKS to TPM2
Now we need to enroll the TPM2 chip as an alternative decryption factor for the LUKS partition. The --wipe-slot tpm2 option removes any previous TPM2 bindings once the new enrollment has succeeded. Use this command every time you need to update the binding.
Remember to change /dev/nvme0n1p3 to the LUKS partition you found earlier.
sudo systemd-cryptenroll --wipe-slot tpm2 --tpm2-device auto --tpm2-pcrs "7" /dev/nvme0n1p3
More details about the PCR numbers can be found in the Selecting other PCRs section below.
Warning: Make sure Secure Boot is enabled and in user mode (not setup mode) before binding to PCR 7; otherwise an unauthorized boot device could unlock the encrypted LUKS partition.
Step 3: Build the new initramfs
Create the new boot image with dracut. The dracut command auto-detects the currently running kernel; older installed kernels are not affected and can be used for recovery should issues arise.
sudo dracut --force
Step 4: Verify before rebooting
Now is a good time to verify that everything is good to go before you reboot.
Verify that the TPM2 enrollment worked; remember to change /dev/nvme0n1p3 to the LUKS partition you found earlier.
sudo cryptsetup luksDump /dev/nvme0n1p3 | grep --after-context=5 "systemd-tpm2"
# Should return the following:
# 0: systemd-tpm2
# tpm2-hash-pcrs: 7
# tpm2-pcr-bank: sha256
Verify dracut included the tpm2-tss module in the boot image.
sudo lsinitrd "/boot/initramfs-$(uname -r).img" | grep --ignore-case "tpm2"
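The three pre-reboot checks above (token bound to the intended PCRs, tpm2-tss present in the initramfs, Secure Boot on and in user mode) can be scripted so they fail loudly instead of relying on eyeballing grep output. This is an added example, not part of the original post; each check reads the relevant command's output on stdin so it can be exercised on a constructed sample, and run_checks, the function names and the SecureBoot/SetupMode efivars layout (4-byte attribute header followed by a one-byte value) are this example's own choices.

```sh
#!/bin/sh
# Pre-reboot checks for the TPM2 auto-unlock setup. Added example, not part of
# the original post. Each check reads the relevant command's output on stdin
# so it can be exercised offline; run_checks wires up the real commands.

# Print the PCR list ("7", "0+7", ...) of the first systemd-tpm2 token in
# `cryptsetup luksDump` output read from stdin; prints nothing if none exists.
tpm2_bound_pcrs() {
    awk '/^[[:space:]]*[0-9]+:[[:space:]]*systemd-tpm2/ { in_tok = 1; next }
         in_tok && /^[[:space:]]*[0-9]+:/ { in_tok = 0 }
         in_tok && /tpm2-hash-pcrs:/ {
             sub(/.*tpm2-hash-pcrs:[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
             print; exit }'
}
# Succeed only if the token is bound to exactly the PCR list that was given to
# systemd-cryptenroll --tpm2-pcrs; no token or a different list is a failure.
check_pcrs() {
    bound=$(tpm2_bound_pcrs)
    [ -n "$bound" ] && [ "$bound" = "$1" ]
}
# Succeed if the `lsinitrd` module list on stdin contains the tpm2-tss module.
check_initrd_module() { grep -qx 'tpm2-tss'; }
# Data byte of an efivars file (a 4-byte attribute header precedes the value).
efi_var_byte() { od -An -tu1 -j4 -N1 "$1" | tr -d ' '; }
# PCR 7 only protects the key if Secure Boot is on (SecureBoot=1) and the
# firmware is in user mode (SetupMode=0). The directory argument is for tests.
check_secure_boot() {
    guid=8be4df61-93ca-11d2-aa0d-00e098032b8c
    dir=${1:-/sys/firmware/efi/efivars}
    [ "$(efi_var_byte "$dir/SecureBoot-$guid")" = 1 ] &&
        [ "$(efi_var_byte "$dir/SetupMode-$guid")" = 0 ]
}
# Constructed luksDump excerpt in the layout cryptsetup uses for the token.
SAMPLE_DUMP='Tokens:
  0: systemd-tpm2
	tpm2-hash-pcrs:   7
	tpm2-pcr-bank:    sha256
Keyslots:
  0: luks2'
# Real-system usage (as root): run_checks <pcr-list> <luks-partition>
run_checks() {
    cryptsetup luksDump "$2" | check_pcrs "$1" || { echo "token PCRs != $1"; return 1; }
    lsinitrd "/boot/initramfs-$(uname -r).img" | check_initrd_module ||
        { echo "tpm2-tss missing from initramfs"; return 1; }
    check_secure_boot || { echo "Secure Boot off or in setup mode"; return 1; }
    echo "all checks passed for $2"
}
if [ $# -ge 2 ]; then run_checks "$@"; fi
```

Save it as, for example, tpm2-check.sh and run `sudo sh tpm2-check.sh 7 /dev/nvme0n1p3`; a non-zero exit with one of the messages above tells you which of Steps 1 to 3 to revisit before rebooting.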
Step 5: Reboot
It’s time to reboot your Fedora system and watch the boot process.
- If it works: no password prompt is shown and the system boots straight to the login screen.
- If it fails: a password prompt is shown; enter your password as usual and verify the previous steps again.
Step 6: Apply to older kernels
If the LUKS partition auto-unlocked successfully, you can regenerate the initramfs for all kernels using the --regenerate-all option. This may take a while to complete.
sudo dracut --force --regenerate-all
Now all future kernel updates will automatically include the necessary dracut module and auto-unlock your LUKS partition.
Rebinding after updates
It may happen that after a kernel or firmware upgrade, the auto-unlock stops working. In that case enter your password as usual and run the systemd-cryptenroll command from Step 2: Bind LUKS to TPM2 again.
Selecting other PCRs
A summary of what is measured into which PCRs according to the spec:
- PCR 0: the EFI Firmware info like its version
- PCR 1: additional config and info related to the EFI Firmware
- PCR 2: EFI drivers from hardware components (like a RAID controller)
- PCR 3: additional config and info related to the drivers measured into PCR 2
- PCR 4: pre-OS diagnostics and the EFI OS Loader
- PCR 5: config of the EFI OS Loader and GPT table
- PCR 6: is reserved for host platform manufacturer variables and is not used by EFI
- PCR 7: stores secure boot policy configuration
The combination of PCRs to bind to depends on the individual case and balances usability against lock-down. For example, you may want UEFI firmware updates to go through without manual intervention, in which case binding only to the Secure Boot state (PCR 7) is preferable. As another example, Microsoft’s BitLocker prefers PCR 7+11, but may also use other PCR combinations.
Removing TPM2
Only run the following commands if you wish to remove TPM2 auto-unlock for your LUKS partition.
# Remove tpm2-tss dracut module
sudo rm /etc/dracut.conf.d/tpm2.conf
# Regenerate initramfs images, this may take a while
sudo dracut --force --regenerate-all
# Remove TPM2 enrollment from your LUKS partition
sudo systemd-cryptenroll --wipe-slot=tpm2 /dev/nvme0n1p3
References
Posts that helped me write this guide and setup auto LUKS decryption:
- Use systemd-cryptenroll with FIDO U2F or TPM2 to decrypt your disk - Fedora Magazine
- Auto-unlock LUKS with TPM on Ubuntu 24.04 - Calum Lind, who provided useful verification steps for this guide