Enroll LUKS and Bitlocker in TPM on Ryzen

Hi there,

after discovering that I inadvertently posted this in “Networking”, I deleted it there and repost it here:

============================

I am new here and find this a very cozy place with good manners and knowledgeable people, feels a little like the old days and I like it. That said, I have a little issue I wanted people's guidance for:

I have set up my computer with two bootable NVMe drives, one with Ubuntu and one with Windows 10. The OSes don’t know about each other and I select which to boot by pressing F12 after power-on.

Windows is encrypted with BitLocker and its key (I suppose?) seems to be enrolled in the CPU TPM because I can start without providing an encryption passphrase.

Now for Ubuntu I have to enter the encryption passphrase each time I boot. That’s kinda annoying. So I wonder if I can enroll the Windows AND Linux keys at the same time so that both SSDs can boot without the encryption passphrase?

I googled around and only found guides for one drive containing both systems and booting via GRUB. But that is not what I want, I hope I made myself clear, I’m German, so please forgive me if I was not precise enough.

Small caveat: the machine I want to do this on is my main computer, so I am a little reluctant to mess it up :)

============================

I hope that’s ok.

BR
Gerd

Hi,

Welcome to the forums, I don’t know the answer but what you mentioned interests me.

Are you sure Ryzen has a TPM on the CPU, and that what you’ve been using isn’t just a “firmware TPM”? That isn’t exactly the same, but is very similar to using UEFI variables to store your key… i.e. it just protects your data from being recovered if you dispose of your hard drive.

Btw, have you checked if you have anything showing up under /sys/class/tpm?

Do you happen to have a TPM header on your motherboard? You may be able to just buy a hardware TPM for <$10?

Hi,

thanks for your reply.

I did some further research in the meantime and discovered that I indeed meant fTPM (firmware TPM). I just mentioned the Ryzen CPU since I recently switched from Intel and the guides never mentioned a vendor, so I assumed they all talk about Intel (since TPM stuff is usually associated with corporate IT and AMD does not seem to be too widespread there, yet).

Anyway, to answer your question, yes, I have the following in /sys/class/tpm*:

ls -l /sys/class/tpm*

/sys/class/tpm:
insgesamt 0
lrwxrwxrwx 1 root root 0 Dez 26 10:20 tpm0 -> ../../devices/LNXSYSTM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0

/sys/class/tpmrm:
insgesamt 0
lrwxrwxrwx 1 root root 0 Dez 26 10:20 tpmrm0 -> ../../devices/LNXSYSTM:00/LNXSYBUS:00/MSFT0101:00/tpmrm/tpmrm0

(can one format code in here?)

I have found a tool that apparently originated on RHEL/Fedora, called clevis:

It seems to offer exactly what I want, but I had no luck getting it to work so far.

I can successfully bind the LUKS volume to a key and can also list this after that:

clevis luks list -d /dev/nvme0n1p3

1: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha1","pcr_ids":"7"}'

But booting does not work, in fact it just sits there showing the BIOS logo and doesn’t even ask for the key any more …

Good thing is, Windows seems unimpressed by my doing so far and boots as always.

BR
Gerd

It’s been ages since I messed with Ubuntu, is UEFI loading GRUB, which you’re then expecting to use the TPM?
… or do you have an unencrypted /boot partition?

The /boot partition is unencrypted; this was set up at installation when selecting encrypted LVM.

No matter the operating system, some portion of the boot is unencrypted.

The TPM deals with that by using TPM measurements. Each thing is hashed before being executed. This process requires a trusted root, which is provided by Secure Boot.

The decryption key is stored on the TPM and only unlocked by the correct TPM measurement register (PCR) values.

So even though the boot code is not encrypted, it cannot be changed without the TPM detecting it because the PCR hashes will not match.

If Secure Boot or a similar system isn’t used, the whole process can be corrupted by lying to the TPM and sending it hashes of the original expected code while executing something else.
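To make the measurement chain described in this post concrete, here is an added Python toy that is not code from the thread or from clevis: it replays SHA-256 PCR extension over a constructed boot log, derives a stand-in policy from a PCR selection (compare the PCR 7-only binding in the clevis output above with the PCRs 0-7 binding in the later Ubuntu 20.04 post), and reads live PCRs from the kernel's sysfs files. The boot events, the policy construction and the sysfs path are assumptions; a real TPM uses TPM2_PolicyPCR rather than this hash-of-PCRs stand-in.

```python
from __future__ import annotations
import hashlib
from pathlib import Path

PCR_INIT = bytes(32)  # sha256-bank PCRs are all zeros after reset

def measure(data: bytes) -> bytes:
    """Firmware hashes each boot component before executing it."""
    return hashlib.sha256(data).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: new PCR = H(old PCR || digest); it cannot be rewound."""
    return hashlib.sha256(pcr + digest).digest()

def measured_boot(events: dict[int, list[bytes]]) -> dict[int, bytes]:
    """Replay a measurement log: each event is extended into its PCR in order.
    The TPM only ever sees digests, so a boot chain that reports the expected
    digests while running other code yields identical PCRs (hence Secure Boot)."""
    pcrs = {}
    for idx, evs in events.items():
        val = PCR_INIT
        for ev in evs:
            val = extend(val, measure(ev))
        pcrs[idx] = val
    return pcrs

def policy_digest(pcrs: dict[int, bytes], pcr_ids: list[int]) -> str:
    """Stand-in (assumption) for a TPM PCR policy: digest over the selected PCRs."""
    h = hashlib.sha256()
    for i in sorted(pcr_ids):
        h.update(bytes([i]) + pcrs[i])
    return h.hexdigest()

def can_unseal(sealed_policy: str, pcrs: dict[int, bytes], pcr_ids: list[int]) -> bool:
    """A key sealed under sealed_policy is released only if the live PCRs match."""
    return policy_digest(pcrs, pcr_ids) == sealed_policy

def read_pcrs(pcr_ids: list[int],
              base: Path = Path("/sys/class/tpm/tpm0/pcr-sha256")) -> dict[int, bytes]:
    """Read live PCRs from the kernel sysfs interface (one hex value per file)."""
    return {i: bytes.fromhex((base / str(i)).read_text().strip()) for i in pcr_ids}

# Constructed boot events (not real firmware data): same Secure Boot state in PCR 7,
# but a different bootloader measured into PCR 4.
GOOD_BOOT = {0: [b"firmware-1.2"], 4: [b"shim.efi", b"grubx64.efi"],
             7: [b"SecureBoot=1", b"PK", b"KEK", b"db", b"dbx"]}
OTHER_BOOT = {**GOOD_BOOT, 4: [b"shim.efi", b"other-grubx64.efi"]}
```

Run `measured_boot` over both logs and compare `can_unseal` for `[7]` versus `[0, 4, 7]`: the PCR 7-only policy still releases the key after the bootloader change, the wider selection does not.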

The topic can be changed after posting, if you are not sure how you can also PM a mod.

Yes.


You can select what language to use for highlighting, see this site:
https://highlightjs.org/

So to troubleshoot, you need to wait for your initramfs to time out, or find some parameter for GRUB to pass on the command line, to get dropped into a shell in the initramfs. (Last time I did this was in 2009 so I could boot my desktop from iSCSI, documentation sucked and I had to read the initramfs shell scripts to figure out how to do this, ymmv.)

Then, from that shell, check what state the PCRs in your TPM are in, … if you have access to it in the first place …

… and check if PCRs have the data you expect.

My bet is that boot is hanging because cryptsetup open is not even being attempted and that the script is just waiting for the root device to appear for like ~2 minutes.

(I’m surprised nobody here is using a TPM with Ubuntu – then again, I don’t even have a Linux desktop and I do my LUKS unlocking over SSH, so maybe not that surprising).

Thank you very much, sir!

For anyone interested:

I found it (after a weekend and some eggnog :-)

I followed this guide and it just worked like a charm: https://kowalski7cc.xyz/blog/luks2-tpm2-clevis-fedora31

Don’t be irritated when the LUKS prompt shows up and asks for a password, it will disappear a second later and it just boots into Linux. Great, especially on this dual-boot machine; entering that password got really annoying.

The only thing you need is a reasonably new machine with a TPM 2.0; TPM 1.2 will not work, I “verified” that on my test machine, which straight refused it. Then I took the plunge on the zenmaster (main machine) and just tried it, what are backups for?

Luckily I didn’t need a backup.

Cheers
Gerd


On Ubuntu 20.04 (will add an update if I have problems with the next LTS)
I followed everything in that guide, but there were some small differences:
I had to also install clevis-tpm2 with apt install clevis-tpm2
Then I had to use:
clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,1,2,3,4,5,6,7"}'