# Fedora Linux – TPM2-Backed Full Disk Encryption (Secure Boot)
This repository documents a production-ready, reproducible setup for unlocking a LUKS2 full-disk-encrypted Fedora system using TPM 2.0, while keeping UEFI Secure Boot enabled.
The design goal is simple:
- 🔐 Maintain strong Full Disk Encryption (FDE)
- 🔑 Eliminate manual passphrase entry on normal boots
- 🛡️ Preserve Secure Boot and measured boot guarantees
- 🧯 Retain a passphrase fallback for recovery and maintenance
This setup uses first-class Fedora tooling (systemd-cryptenroll, dracut) — no third-party hacks.[^1]
## System Overview

### Hardware
- Model: Dell Precision 5540
- Firmware: UEFI
- TPM: TPM 2.0
- Storage: NVMe SSD
### Operating System
- Distribution: Fedora Linux 43
- Edition: Workstation
- Initramfs: dracut (systemd-based)
- Boot mode: UEFI + Secure Boot enabled
- Disk encryption: LUKS2 (root filesystem)
## Firmware & Platform Prerequisites (Out of Scope)
This setup REQUIRES Secure Boot and TPM 2.0 to be enabled in BIOS/UEFI firmware.
Required firmware state:
- UEFI Secure Boot: Enabled and enforcing
- TPM: Version 2.0 present and enabled
Configuration steps for enabling Secure Boot, activating TPM, or verifying TPM version are device- and vendor-specific (Dell, Lenovo, HP, firmware revisions, etc.) and are therefore out of scope for this document.
This document assumes that, on the target device:
- Secure Boot is already enabled
- TPM version is 2.0
- TPM is enabled and visible to the operating system
Verification from Linux:

```bash
ls -l /dev/tpm* /sys/class/tpm/
```
If these prerequisites are not met, TPM2-based auto-unlock will not function, and the system will fall back to manual LUKS passphrase entry.
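The two prerequisites above can be checked from a script before any enrollment is attempted. The following is an added example, not part of the original README: it reads the firmware's `SecureBoot` EFI variable (4 attribute bytes followed by a 1-byte value) and the TPM major version the kernel publishes under `/sys/class/tpm/tpm0/tpm_version_major`. The function names are assumptions; both take the path to inspect as an optional argument so they can be exercised against a constructed directory tree, and default to the real kernel locations.

```bash
#!/usr/bin/env bash
# Added example: firmware prerequisite checks for TPM2-backed LUKS unlock.
# Function names and the report format are this example's own choices.
set -u

# Real locations; overridable per call for testing.
SB_EFIVAR_DEFAULT=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
TPM_SYSFS_DEFAULT=/sys/class/tpm/tpm0

# secure_boot_enabled [efivar-file]
# Returns 0 when Secure Boot is enabled. The efivarfs file holds 4 bytes of
# variable attributes followed by the 1-byte SecureBoot value (1 = enabled).
secure_boot_enabled() {
    local var="${1:-$SB_EFIVAR_DEFAULT}" value
    [ -r "$var" ] || return 1
    value=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')
    [ "$value" = "1" ]
}

# tpm2_present [sysfs-tpm-dir]
# Returns 0 when the kernel exposes a TPM whose major version is 2.
tpm2_present() {
    local dir="${1:-$TPM_SYSFS_DEFAULT}"
    [ -r "$dir/tpm_version_major" ] || return 1
    [ "$(cat "$dir/tpm_version_major")" = "2" ]
}

# prerequisites_ok [efivar-file] [sysfs-tpm-dir]
# Prints a short report and returns 0 only when both prerequisites hold,
# so a calling script can stop before it modifies the LUKS header.
prerequisites_ok() {
    local rc=0
    if secure_boot_enabled "${1:-}"; then
        echo "Secure Boot: enabled"
    else
        echo "Secure Boot: NOT enabled (enable it in firmware setup)"; rc=1
    fi
    if tpm2_present "${2:-}"; then
        echo "TPM 2.0: present"
    else
        echo "TPM 2.0: NOT present or not enabled in firmware"; rc=1
    fi
    return $rc
}
```

On a real machine `prerequisites_ok` with no arguments inspects the live system; `mokutil --sb-state` reports the same Secure Boot bit if you prefer a packaged tool. Both checks fail closed: an unreadable or missing file counts as "not enabled", which is the safe answer for a script that is about to seal a disk key.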
## Multilingual Keyboard Layout Considerations (Early Boot)

On systems configured with multiple keyboard layouts (e.g. US + non-US), early boot (initramfs, LUKS prompt) may not match the desktop keymap. The prompt uses the default initramfs keymap, layout switching is unavailable, and some updates can temporarily reset the keymap (often to `us`). This can cause "wrong" keystrokes and unlock failures.

This behavior is expected and documented.[^2]
### Mitigation strategies
- Use a layout-agnostic passphrase (ASCII-only) or configure the console keymap.
- Keep a fallback unlock method and boot a previous known-working kernel if needed.
For details and discussion, see Fedora's official community guidance.[^3]
## Security Model
A TPM2-sealed key is enrolled into the LUKS2 container using systemd-cryptenroll.
At boot time:
- Firmware verifies the boot chain (Secure Boot)
- The TPM measures the boot state into PCRs
- The TPM releases the disk key only if measurements match
- Fedora unlocks the root filesystem automatically
If measurements do not match:
- TPM refuses to release the key
- Fedora prompts for the LUKS passphrase instead
This is expected and intentional behavior.
### PCR Policy
- PCR 7 is used
Why PCR 7[^4]:
- Reflects Secure Boot and kernel trust state
- Stable across normal kernel updates
- Detects bootloader or policy tampering
- Recommended balance of security vs usability on Fedora
## Implementation Summary

1. Enroll TPM2 unlock key[^5]

   ```bash
   sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/nvme0n1pX
   ```
2. Enable TPM2 unlocking in crypttab[^6]

   ```
   luks-<LUKS_UUID> UUID=<LUKS_UUID> none discard,tpm2-device=auto
   ```
3. Ensure TPM2 support in initramfs

   ```bash
   echo 'add_dracutmodules+=" tpm2-tss "' | sudo tee /etc/dracut.conf.d/tpm2.conf
   sudo dracut -f
   ```
4. Reboot and validate
   - Normal boot → auto-unlock
   - Unexpected state → passphrase prompt
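Steps 1 to 3 are usually typed one at a time; the script below is an added example (not the README's own) that runs them as one guarded procedure. It refuses to enroll twice, keeps a backup of `/etc/crypttab`, and edits the existing Fedora crypttab line for the volume instead of overwriting the file. The crypttab editing is a pure function over text so it can be tested without root; the other steps call the same Fedora tools the README uses. Function names are assumptions, and `/dev/nvme0n1pX` is the README's placeholder for your LUKS partition.

```bash
#!/usr/bin/env bash
# Added example: the Implementation Summary as one script.
# Usage: sudo ./enroll-tpm2.sh run /dev/nvme0n1pX
set -eu

# crypttab_with_tpm2 <crypttab-file> <luks-uuid>
# Prints the crypttab contents with "tpm2-device=auto" appended to the options
# field of the line whose device is UUID=<luks-uuid>. Idempotent: a line that
# already carries a tpm2-device option is left alone; all other lines pass
# through unchanged. Fedora's default line looks like
#   luks-<UUID> UUID=<UUID> none discard
crypttab_with_tpm2() {
    local file="$1" uuid="$2"
    awk -v uuid="$uuid" '
        $2 == "UUID=" uuid && $4 !~ /(^|,)tpm2-device=/ {
            if (NF < 4) {
                # No options field yet: keep/fill the password field, add ours.
                $3 = ($3 == "" ? "none" : $3)
                $4 = "tpm2-device=auto"
            } else {
                $4 = $4 ",tpm2-device=auto"
            }
        }
        { print }
    ' "$file"
}

# enroll_tpm2 <luks-partition>
# Runs README steps 1-3 with two safety checks in front of them.
enroll_tpm2() {
    local dev="$1" uuid
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    uuid=$(cryptsetup luksUUID "$dev")

    # Safety check 1: do not stack a second TPM2 token on the same volume.
    # Remove the old one first (sudo systemd-cryptenroll --wipe-slot=tpm2 <dev>).
    if cryptsetup luksDump "$dev" | grep -q 'systemd-tpm2'; then
        echo "$dev already has a systemd-tpm2 token; wipe it before re-enrolling" >&2
        return 1
    fi

    # Step 1: seal a new key to PCR 7. systemd-cryptenroll asks for an existing
    # passphrase, so the passphrase slot the README insists on stays in place.
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$dev"

    # Step 2: enable tpm2-device=auto for this volume, keeping a backup copy.
    cp -a /etc/crypttab /etc/crypttab.bak
    crypttab_with_tpm2 /etc/crypttab.bak "$uuid" > /etc/crypttab

    # Step 3: make sure the initramfs carries the TPM2 stack.
    echo 'add_dracutmodules+=" tpm2-tss "' > /etc/dracut.conf.d/tpm2.conf
    dracut -f

    echo "TPM2 slot enrolled for $dev (UUID $uuid); reboot to validate (step 4)"
}

# Only act when invoked with "run": sourcing the file just defines functions.
if [ "${1:-}" = "run" ]; then
    enroll_tpm2 "${2:?usage: $0 run <luks-partition>}"
fi
```

The script deliberately does not touch keyslots other than adding the TPM2 one, and the backup it leaves in `/etc/crypttab.bak` is what you restore if step 4 shows a boot that no longer prompts at all (a sign the options field was malformed).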
## Recovery & Safety Notes
⚠️ Always keep at least one traditional LUKS passphrase slot.
Situations where the passphrase may be required:
- Firmware / BIOS updates
- Secure Boot configuration changes
- TPM reset or replacement
- Disk moved to another system
To remove the TPM2 slot:

```bash
sudo systemd-cryptenroll --wipe-slot=tpm2 /dev/nvme0n1pX
```
## Example and Verification Checklist
The following example output demonstrates a correctly configured system. All identifiers are anonymised.
### ✅ TPM2 support included in initramfs

⚠️ Check first: on Fedora Linux 43 (Workstation Edition) this is the default.

```bash
cat /etc/dracut.conf.d/tpm2.conf
# expected output:
add_dracutmodules+=" tpm2-tss "
```

If the file is missing, add it (and rebuild the initramfs with `sudo dracut -f`):

```bash
echo 'add_dracutmodules+=" tpm2-tss "' | sudo tee /etc/dracut.conf.d/tpm2.conf
```

Ensures TPM libraries are available during early boot.
### ✅ TPM2 auto-unlock enabled in crypttab

```
luks-<LUKS_UUID> UUID=<LUKS_UUID> none discard,tpm2-device=auto
```

Instructs systemd to attempt TPM-based unlock before prompting.
### ✅ LUKS2 confirmed

```
# from: sudo cryptsetup luksDump /dev/nvme0n1pX
Version: 2
```

systemd-cryptenroll requires LUKS2.
### ✅ Disk and filesystem layout

```
/boot/efi -> vfat (UEFI)
/boot     -> ext4
/         -> LUKS2 → Btrfs
/home     -> Btrfs subvolume
```

Typical Fedora Workstation Secure Boot layout.
### ✅ TPM device exposed by kernel

```
/dev/tpm0
/dev/tpmrm0
```

Confirms a functional TPM 2.0 device.
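The checklist above can be automated after step 4 so that a later firmware or dracut change is noticed before the next reboot. The following is an added example, not part of the original README: it parses `cryptsetup luksDump` output for the LUKS version, the keyslot count and the presence of a `systemd-tpm2` token (a healthy volume has at least two keyslots, one passphrase plus one TPM2, and one token), checks the dracut drop-in, and looks for the `tpm2-tss` module in the `lsinitrd` listing of the running kernel's initramfs. Function names are assumptions; the embedded luksDump sample is constructed, with whitespace simplified and an all-zero UUID.

```bash
#!/usr/bin/env bash
# Added example: post-enrollment verification of a TPM2-unlocked LUKS2 volume.
# Usage: sudo ./verify-tpm2.sh verify /dev/nvme0n1pX
set -eu

# luks_summary  (reads `cryptsetup luksDump` text on stdin)
# Prints: version=<n> keyslots=<n> tpm2_tokens=<n>
# Item lines in luksDump are "  <index>: <type>" inside the Keyslots: and
# Tokens: sections; detail lines below them are indented further.
luks_summary() {
    awk '
        /^Version:/  { version = $2 }
        /^Keyslots:/ { section = "keyslots"; next }
        /^Tokens:/   { section = "tokens";   next }
        /^Digests:/  { section = "" }
        section == "keyslots" && /^  [0-9]+: /             { keyslots++ }
        section == "tokens"   && /^  [0-9]+: systemd-tpm2/ { tpm2++ }
        END { printf "version=%s keyslots=%d tpm2_tokens=%d\n", version, keyslots, tpm2 }
    '
}

# luks_ready  (luksDump text on stdin)
# Returns 0 only for LUKS2 with a TPM2 token AND a second (passphrase) keyslot,
# i.e. the fallback the README's Recovery section requires is still there.
luks_ready() {
    local summary version keyslots tokens
    summary=$(luks_summary)
    version=${summary#version=};       version=${version%% *}
    keyslots=${summary#*keyslots=};    keyslots=${keyslots%% *}
    tokens=${summary#*tpm2_tokens=}
    [ "$version" = "2" ] && [ "$keyslots" -ge 2 ] && [ "$tokens" -ge 1 ]
}

# dracut_conf_has_tpm2 [conf-dir]: the drop-in from the checklist is present.
dracut_conf_has_tpm2() {
    local dir="${1:-/etc/dracut.conf.d}"
    grep -qs 'add_dracutmodules+=.*tpm2-tss' "$dir"/*.conf
}

# listing_has_module <name>: reads an `lsinitrd` listing on stdin and checks
# the "dracut modules:" section, which names one module per line.
listing_has_module() {
    grep -qx "$1"
}

# Constructed sample of luksDump output for a correctly configured volume.
sample_luksdump() {
    cat <<'EOF'
LUKS header information
Version:        2
Epoch:          5
UUID:           00000000-0000-0000-0000-000000000000

Data segments:
  0: crypt
    cipher: aes-xts-plain64

Keyslots:
  0: luks2
    Key:        512 bits
  1: luks2
    Key:        512 bits
Tokens:
  0: systemd-tpm2
    tpm2-hash-pcrs:   7
    tpm2-pcr-bank:    sha256
    Keyslot:    1
Digests:
  0: pbkdf2
    Hash:       sha256
EOF
}

# verify_all <luks-partition>: run every check against the live system.
verify_all() {
    local dev="$1" rc=0
    dracut_conf_has_tpm2 && echo "[ok] dracut tpm2-tss drop-in present" \
        || { echo "[!!] /etc/dracut.conf.d has no tpm2-tss entry"; rc=1; }
    lsinitrd 2>/dev/null | listing_has_module tpm2-tss && echo "[ok] tpm2-tss in running initramfs" \
        || { echo "[!!] tpm2-tss missing from initramfs (run: dracut -f)"; rc=1; }
    [ -c /dev/tpmrm0 ] && echo "[ok] /dev/tpmrm0 present" \
        || { echo "[!!] no TPM resource manager device"; rc=1; }
    cryptsetup luksDump "$dev" | luks_ready && echo "[ok] LUKS2 with passphrase slot + TPM2 token" \
        || { echo "[!!] LUKS check failed: $(cryptsetup luksDump "$dev" | luks_summary)"; rc=1; }
    return $rc
}

if [ "${1:-}" = "verify" ]; then
    verify_all "${2:?usage: $0 verify <luks-partition>}"
fi
```

`luks_ready` is the one check worth keeping in a pre-reboot hook: a volume that reports `keyslots=1 tpm2_tokens=1` has lost its passphrase fallback, and the next firmware update would lock you out.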
## Sources & References

[^1]: systemd documentation – systemd-cryptenroll(1): https://www.freedesktop.org/software/systemd/man/systemd-cryptenroll.html
[^2]: Fedora Discussion – Real-world TPM2 + LUKS setups: https://discussion.fedoraproject.org/
[^3]: Fedora Discussion – Keyboard layout issues at LUKS prompt: https://discussion.fedoraproject.org/t/how-to-change-layout-in-luks-passphrase/145687
[^4]: Fedora Documentation – UEFI Secure Boot: https://jfearn.fedorapeople.org/fdocs/en-US/Fedora_Draft_Documentation/0.1/html-single/UEFI_Secure_Boot_Guide/index.html
[^5]: Fedora Magazine – TPM2 auto-unlock with systemd: https://fedoramagazine.org/use-systemd-cryptenroll-with-fido-u2f-or-tpm2-to-decrypt-your-disk/
[^6]: Fedora Magazine – Automatically decrypt your disk using TPM2: https://fedoramagazine.org/automatically-decrypt-your-disk-using-tpm2/

## License

Documentation only. Free to use, adapt, and improve.