documentation/docs/alpine-desktop-setup/post-install/automatic-decryption.md
# Automatic decryption
Our system can use its TPM2 to decrypt the root volume automatically. This is acceptable because the boot chain is secured (Secure Boot plus measured boot into the TPM's PCRs), and typing the encryption passphrase on every boot is tedious.
If `home-manager` was installed correctly, it should also have installed both `clevis` and `tpm2-tools`. These allow the LUKS volume to be bound to the TPM with clevis (the policy below ties the key to PCRs 0, 1, 5 and 7 in the SHA-256 bank, so the TPM only unseals it when the firmware, boot configuration and Secure Boot state are unchanged):

```
# clevis luks bind -d /dev/<disk2> tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,1,5,7"}'
```
After rebooting it should automatically decrypt your disk.

Clevis can be invoked again if you have made changes to Secure Boot or to the system (anything that alters the measured PCRs) and it no longer decrypts the disk automatically. You will be prompted for the passphrase at boot in that case, so the disk is still reachable.

First find the keyslot clevis is using, then regenerate the key:

```
# cryptsetup luksDump /dev/<disk2>
# clevis luks regen -d /dev/<disk2> -s <keyslot>
```
If done correctly it should now work again.
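As an added example (not part of the original guide), the following POSIX shell script automates the two steps above: it parses the `Tokens:` section of `cryptsetup luksDump` to find the keyslot referenced by the clevis token, then calls `clevis luks regen` on it. The device path and the sample dump excerpt are constructed; only the parsing function is exercised offline.

```shell
#!/bin/sh
# Added example: find the LUKS keyslot bound by clevis and regenerate it.
# SAMPLE_DUMP is a constructed excerpt of `cryptsetup luksDump` for a LUKS2
# volume whose clevis token points at keyslot 1 (real output has more fields).
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
  0: clevis
        Keyslot:    1
Digests:
  0: pbkdf2'

# Print the keyslot number referenced by the first "clevis" token in the
# luksDump text passed as $1. Prints nothing and returns 1 if there is none,
# so a caller never runs `clevis luks regen` against a guessed slot.
clevis_keyslot_from_dump() {
    slot=$(printf '%s\n' "$1" | awk '
        /^ *[0-9]+: clevis *$/      { in_clevis = 1; next }
        in_clevis && /Keyslot:/     { print $2; exit }
        /^ *[0-9]+: /               { in_clevis = 0 }
    ')
    [ -n "$slot" ] || return 1
    printf '%s\n' "$slot"
}

# Regenerate the clevis binding on a real device (needs root; hypothetical
# device path). Not executed by the offline check below.
clevis_regen_tpm2() {
    dev=$1
    slot=$(clevis_keyslot_from_dump "$(cryptsetup luksDump "$dev")") || {
        echo "no clevis token on $dev; bind it first" >&2
        return 1
    }
    echo "regenerating clevis keyslot $slot on $dev"
    clevis luks regen -d "$dev" -s "$slot"
}

# Usage on the constructed dump (prints 1):
clevis_keyslot_from_dump "$SAMPLE_DUMP"
```

Run `clevis_regen_tpm2 /dev/<disk2>` as root after a Secure Boot or system change; the function refuses to proceed when no clevis token is present.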