Prepare

To use the Clevis TPM2 pin you first need Secure Boot and the TPM enabled; check both in your firmware (BIOS/UEFI) settings.

For Secure Boot, if you are using Ubuntu or Fedora, you can simply reset Secure Boot to its factory keys in the firmware and allow third-party certificates. On other operating systems you may need to configure Secure Boot manually to trust third-party certificates; the exact steps depend on your operating system and hardware configuration.

Generally, you will need to generate a new key pair and certificate for your system, sign your boot loader and kernel with that key, and then enroll the certificate in your system's Secure Boot database.

The specific steps required will vary depending on your system and the version of Secure Boot that it supports. You may need to consult your system's documentation or seek assistance from a knowledgeable technical expert to properly configure Secure Boot on your system.

Install

To automatically unlock a LUKS2-encrypted system partition with Clevis, you need the clevis package together with its LUKS, dracut, udisks2 and systemd integration packages (on Fedora the TPM2 pin is shipped in the clevis package itself). Install them with the following command:

sudo dnf install clevis clevis-luks clevis-dracut clevis-udisks2 clevis-systemd

Enable

Use fdisk -l and lsblk to locate your system partition.

Once installed, bind a TPM2-sealed key to the LUKS2 partition using the following command:

sudo clevis luks bind -d /dev/sdaX tpm2 '{"pcr_ids":"0,1,2,3,4,5,6,7"}'

Replace /dev/sdaX with your system partition. This command generates a new key, seals it to the TPM2 against the current values of PCRs 0-7 (the firmware, boot loader and Secure Boot measurements) and stores the sealed key as a Clevis token in the LUKS2 header of that partition.

You will be prompted for an existing LUKS passphrase of the partition.

Finally, regenerate the initramfs so that Clevis can unlock the system partition at boot, using the following command:

sudo dracut -f

This rebuilds the initramfs to include Clevis, so that the LUKS2-encrypted system partition is unlocked automatically during boot. Note that this may take some time depending on your system configuration and hardware performance.

After completing these steps, your system partition will unlock automatically at boot without a passphrase, as long as the PCR values measured at boot match those recorded when the key was bound. After a firmware, boot loader or Secure Boot change the TPM will not release the key and you will be asked for the LUKS passphrase, so keep it available.
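The following shell helpers are an added example, not code from this page or from the Clevis project: they decode the EFI SecureBoot variable and parse `clevis luks list` output to confirm that a tpm2 token covering PCR 7 is bound. The `clevis luks list` sample is constructed, and /dev/sdaX remains a placeholder as in the text above.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight and post-bind checks
# for the Clevis TPM2 procedure above. Read-only; nothing here modifies the system.
# Decode an EFI SecureBoot variable file: 4 attribute bytes, then one data byte
# (1 = enabled). Takes the path as an argument so it can be run against a
# constructed file; on a live system pass
# /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
secure_boot_state() {
  [ -r "$1" ] || { echo unknown; return 1; }
  case "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')" in
    1) echo enabled ;;
    0) echo disabled ;;
    *) echo unknown; return 1 ;;
  esac
}
# Print the pcr_ids of every tpm2 token in `clevis luks list -d <dev>` output
# (one `<slot>: <pin> '<json>'` line per token), read from stdin.
tpm2_pcr_ids() {
  sed -n 's/^[0-9]*: tpm2 .*"pcr_ids":"\([0-9,]*\)".*/\1/p'
}
# Succeed when every PCR in the comma list $2 is present in the comma list $1.
pcrs_cover() {
  local bound p
  bound=",$1,"
  for p in $(printf '%s' "$2" | tr ',' ' '); do
    case "$bound" in *",$p,"*) ;; *) return 1 ;; esac
  done
}
# Read `clevis luks list` output on stdin and report whether a tpm2 token is
# bound that covers the PCRs in $1 (default 7, the Secure Boot policy PCR).
# Live usage: sudo clevis luks list -d /dev/sdaX | check_tpm2_binding 7
check_tpm2_binding() {
  local want found ids
  want="${1:-7}"; found=0
  for ids in $(tpm2_pcr_ids); do
    found=1
    if pcrs_cover "$ids" "$want"; then
      echo "ok: tpm2 token bound to PCRs $ids"; return 0
    fi
    echo "warn: tpm2 token bound to PCRs $ids does not include $want"
  done
  [ "$found" -eq 1 ] || echo "fail: no tpm2 token in LUKS header"
  return 1
}
# Constructed sample of `clevis luks list` output, for trying the checks offline.
sample_clevis_list() {
  cat <<'EOF'
1: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"0,1,2,3,4,5,6,7"}'
2: tang '{"url":"http://tang.example.invalid"}'
EOF
}
```

Source the file and run `sample_clevis_list | check_tpm2_binding 7` to see the offline result; on a real system replace the sample with the live `clevis luks list` pipeline shown in the comment.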