Ubuntu 20.04 clevis-luks setup auto unlocking not working

I have an Ubuntu 20.04 machine setup that I am trying to configure for disk encryption. I am trying to set up auto unlock, but my configuration has not worked so far, and I am always prompted for a password.

To do this I followed the following steps:

  1. sudo apt-get update and sudo apt-get install cryptsetup
  2. Check /dev/nvme0n1p3 -> sudo cryptsetup luksDump /dev/nvme0n1p3 -> No Tokens or Keyslots
  3. Install clevis, clevis-luks, clevis-dracut, clevis-udisks2, clevis-systemd, clevis-tpm2
  4. sudo clevis luks list -d /dev/nvme0n1p3 -> Empty
  5. echo <my password> | sudo clevis luks bind -d /dev/nvme0n1p3 tpm2 '{ "pcr_bank":"sha256", "pcr_ids": "7,11" }'
  6. sudo dracut -fv --regenerate-all
  7. Check sudo clevis luks list -d /dev/nvme0n1p3 -> 1: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"7,11"}'
  8. lsblk -o NAME,UUID,MOUNTPOINT ->
     ├─nvme0n1p1                 <uuid1>   /boot/efi
     ├─nvme0n1p2                 <uuid2>   /boot
     └─nvme0n1p3                 <uuid3>
       └─dm_crypt-0              <uuid4>
         └─ubuntu--vg-ubuntu--lv <uuid5>   /
  9. cat /etc/crypttab -> dm_crypt-0 UUID=<uuid3> none luks

When booting, I do not notice any errors for cryptsetup, luks, or tpm2. Googling around and checking others' questions, I have also tried:

  1. sudo systemctl enable clevis-luks-askpass.path
  2. update-initramfs -c -k all -> Runs successfully

My fstab file doesn’t actually list the encrypted partition:
cat /etc/fstab ->

# /etc/fstab: static file system information.
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/ubuntu-vg/ubuntu-lv during curtin installation
/dev/disk/by-id/<Some id which I don't know the origin of> / ext4 defaults 0 1
# /boot was on /dev/nvme0n1p2 during curtin installation
/dev/disk/by-uuid/<uuid2> /boot ext4 defaults 0 1
# /boot/efi was on /dev/nvme0n1p1 during curtin installation
/dev/disk/by-uuid/<uuid1> /boot/efi vfat defaults 0 1
/swap.img   none    swap    sw  0   0

I’ve also tried manually adding the partition to fstab, but it did not work.

No matter what I try, it always asks for a password on boot.

What could I do to fix this?

Asked By: Niru


I was missing clevis-initramfs, which needed to be installed. Once added, the auto unlocker worked.

Answered By: Niru
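
One way to confirm the fix in the answer above is to check that the boot image actually contains the clevis unlock pieces. This is an added example, not part of the original post. The two entry names it looks for are assumptions about what clevis-initramfs places in the image, and the sample listings are constructed.

```shell
#!/bin/sh
# Added example: check an initramfs file listing for the clevis pieces
# needed to unlock a TPM2-bound LUKS volume before the root fs is mounted.

# Assumption: clevis-initramfs adds entries containing these names.
REQUIRED_ENTRIES="scripts/local-top/clevis clevis-decrypt-tpm2"

# Constructed sample listings (shape of `lsinitramfs` output).
SAMPLE_BEFORE='scripts/local-top/cryptroot
usr/sbin/cryptsetup
usr/lib/cryptsetup/askpass'

SAMPLE_AFTER='scripts/local-top/clevis
scripts/local-top/cryptroot
usr/bin/clevis-decrypt-tpm2
usr/sbin/cryptsetup'

# Reads a listing on stdin, reports each required entry,
# returns 0 if all are present and 1 if any is missing.
check_clevis_listing() {
    listing=$(cat)
    missing=0
    for entry in $REQUIRED_ENTRIES; do
        if printf '%s\n' "$listing" | grep -qF -- "$entry"; then
            echo "ok:      $entry"
        else
            echo "MISSING: $entry"
            missing=1
        fi
    done
    return "$missing"
}

# On the real machine: inspect the image for the running kernel.
check_current_initramfs() {
    lsinitramfs "/boot/initrd.img-$(uname -r)" | check_clevis_listing
}

# Demonstration on the constructed listings.
for sample in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    if printf '%s\n' "$sample" | check_clevis_listing; then
        echo "=> clevis present, auto unlock can run in early boot"
    else
        echo "=> clevis absent, boot will fall back to the passphrase prompt"
    fi
done
```

Call check_current_initramfs after installing the package and running update-initramfs. A binding shown by clevis luks list lives in the LUKS header and says nothing about whether the boot image can use it.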