Automatic decryption
Our system can use its TPM2 to decrypt the root volume automatically. The LUKS key is sealed to the TPM against a set of PCRs (0 firmware code, 1 firmware configuration, 5 GPT/boot manager configuration, 7 Secure Boot policy), so the TPM only releases it when the measured boot chain matches what it looked like at bind time. That lets us skip typing the encryption passphrase on every boot without giving up the protection against a tampered firmware or Secure Boot configuration; note that anyone who can boot the machine will then get a decrypted disk up to the login prompt, so the login and the integrity of the boot chain are what stand between an attacker and your data.
First off, the packages clevis and tpm2-tools have to be installed:
# apk add tpm2-tools
$ nix-shell -p clevis
(Not yet doable for clevis, but it will be, don't worry ;) )
Now bind our LUKS volume to the TPM with clevis (you will be asked for an existing LUKS passphrase, because clevis adds a new keyslot rather than replacing the passphrase slot):
# clevis luks bind -d /dev/<disk2> tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,1,5,7"}'
Automatic unlocking only happens if your initramfs contains the clevis unlock hook (clevis-dracut, clevis-initramfs or the equivalent for your initramfs generator), so install that and rebuild the initramfs before rebooting. After rebooting it should automatically decrypt your disk. Keep the passphrase: it remains the fallback whenever the TPM refuses to unseal.
If you change Secure Boot settings, the firmware or the partition layout, the PCR values change and the TPM will no longer unseal the key, so the disk stops decrypting automatically and you are prompted for the passphrase. In that case clevis has to be invoked again to reseal the key against the new PCR values.
First find the keyslot clevis is using (the "Tokens:" section of luksDump lists a "clevis" token with its Keyslot; clevis luks list prints the same information), then "regen" the key:
# cryptsetup luksDump /dev/<disk2>
# clevis luks list -d /dev/<disk2>
# clevis luks regen -d /dev/<disk2> -s <keyslot>
It should now work again.
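The whole rebind step as a small script, added here as an example (it is not part of the original page or of the clevis project). It assumes a LUKS2 header, since tokens are a LUKS2 feature, and the luksDump layout shown in the constructed sample; the PCR policy JSON is the one used above. Run with a device argument to rebind a real volume, or without arguments to see the keyslot parser work on the sample:

```sh
#!/bin/sh
# Added example, not from the original page: reseal the clevis TPM2 binding
# after a firmware / Secure Boot change. Assumes LUKS2 and the luksDump
# layout of the constructed SAMPLE_DUMP below.

# PCRs the page binds to: 0 firmware code, 1 firmware config,
# 5 GPT/boot manager config, 7 Secure Boot policy.
PCR_BANK="sha256"
PCR_IDS="0,1,5,7"

# Constructed sample of `cryptsetup luksDump` output: keyslot 0 holds the
# passphrase, keyslot 1 is the clevis-bound slot referenced by token 0.
SAMPLE_DUMP='LUKS header information
Version:       	2
Keyslots:
  0: luks2
	Key:        512 bits
  1: luks2
	Key:        512 bits
Tokens:
  0: clevis
	Keyslot:    1
Digests:
  0: pbkdf2
	Hash:       sha256'

# Policy JSON passed to `clevis luks bind ... tpm2`.
pcr_policy_json() {
    printf '{"pcr_bank":"%s","pcr_ids":"%s"}' "$PCR_BANK" "$PCR_IDS"
}

# Read luksDump output on stdin, print the keyslot number of every clevis
# token, one per line. Only lines inside the "Tokens:" section are consulted.
clevis_keyslots_from_dump() {
    awk '
        /^Tokens:/   { in_tokens = 1; next }
        /^[A-Za-z]/  { in_tokens = 0 }              # any other top-level section
        in_tokens && /^[ \t]+[0-9]+: clevis$/ { want = 1; next }
        in_tokens && want && $1 == "Keyslot:" { print $2; want = 0 }
    '
}

# The regen command for one slot, as a string (useful for dry runs).
regen_cmd() {
    printf 'clevis luks regen -d %s -s %s\n' "$1" "$2"
}

# Bind a device for the first time (prompts for the existing passphrase).
bind_device() {
    clevis luks bind -d "$1" tpm2 "$(pcr_policy_json)"
}

# Show the PCRs we are sealing against, then regen every clevis keyslot.
rebind_device() {
    dev=$1
    tpm2_pcrread "$PCR_BANK:$PCR_IDS"
    cryptsetup luksDump "$dev" | clevis_keyslots_from_dump | while read -r slot; do
        echo "resealing keyslot $slot on $dev"
        clevis luks regen -d "$dev" -s "$slot"
    done
}

if [ -n "${1:-}" ]; then
    rebind_device "$1"
else
    # Demo on the constructed sample: shows which slot would be regenerated.
    printf '%s\n' "$SAMPLE_DUMP" | clevis_keyslots_from_dump | while read -r slot; do
        regen_cmd "/dev/<disk2>" "$slot"
    done
fi
```

The parser only looks at the Tokens section, so a keyslot number appearing elsewhere in the dump (for example in the Digests section) is never mistaken for the clevis slot; if several clevis tokens exist, each slot is regenerated in turn.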