Declarative way of doing FDE + TPM2

I would like to achieve the setup in a declarative way. Currently doing this:

  1. Enabling boot.initrd.systemd.enable
  2. Using the command sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/<my encrypted device>

Related post: Full disk encryption + TPM2

1 Like
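One way to make the two steps above declarative, as an added example that is not from this thread or from the NixOS project itself: the first step is just the `boot.initrd.systemd.enable` option, the crypttab option `tpm2-device=auto` tells the systemd initrd to try the TPM2 before prompting, and the enrollment command is wrapped in a oneshot service that only runs when no `tpm2` slot is enrolled yet. The device path, the volume name `cryptroot`, the `/root/luks-passphrase` key file and the `--unlock-key-file=` flag (systemd 252 or newer) are assumptions; adjust them for your machine.

```nix
# Added example (not from the thread): NixOS configuration fragment that
# (1) uses the systemd-based initrd, (2) lets the initrd try the TPM2 for
# unlocking the LUKS volume, and (3) enrolls the TPM2 on boot only when no
# tpm2 token is present yet. Device path, volume name and the key-file
# location below are assumptions; replace them with your own values.
{ config, pkgs, lib, ... }:

let
  # Assumed values for illustration.
  luksDevice = "/dev/disk/by-uuid/REPLACE-WITH-LUKS-UUID";
  # Adding a key slot needs an existing LUKS passphrase. It is read from a
  # root-only file that is NOT in the Nix store (store paths are
  # world-readable). Assumed path; delete the file once enrollment is done.
  unlockKeyFile = "/root/luks-passphrase";
in
{
  boot.initrd.systemd.enable = true;

  boot.initrd.luks.devices."cryptroot" = {
    device = luksDevice;
    # Passed through to /etc/crypttab in the initrd: try the TPM2 first and
    # fall back to the passphrase prompt if the PCR values do not match.
    crypttabExtraOpts = [ "tpm2-device=auto" ];
  };

  security.tpm2.enable = true;
  environment.systemPackages = [ pkgs.tpm2-tools ];

  # Idempotent enrollment: skip if a tpm2 slot already exists, otherwise
  # bind a new key slot to PCRs 0 and 7, as in the command from the post.
  systemd.services.tpm2-luks-enroll = {
    description = "Enroll TPM2 for LUKS unlock (skips if already enrolled)";
    wantedBy = [ "multi-user.target" ];
    after = [ "local-fs.target" ];
    # Only attempt enrollment while the passphrase file is present.
    unitConfig.ConditionPathExists = unlockKeyFile;
    serviceConfig.Type = "oneshot";
    path = [ pkgs.systemd pkgs.cryptsetup ];
    script = ''
      set -eu
      # `systemd-cryptenroll DEVICE` with no enrollment options lists the
      # enrolled slots; a TPM2 slot is shown with the type "tpm2".
      if systemd-cryptenroll ${luksDevice} | grep -q 'tpm2'; then
        echo "TPM2 already enrolled on ${luksDevice}; nothing to do"
        exit 0
      fi
      systemd-cryptenroll \
        --unlock-key-file=${unlockKeyFile} \
        --tpm2-device=auto \
        --tpm2-pcrs=0+7 \
        ${luksDevice}
    '';
  };
}
```

Two things to keep in mind with this shape: binding to PCRs 0 and 7 means a firmware update or a Secure Boot policy change makes the TPM slot stop matching, so the initrd falls back to the passphrase and the slot has to be re-enrolled (`--wipe-slot=tpm2` together with the enrollment options does that in one go); and without `--tpm2-with-pin=yes` the disk unlocks for anyone who can power on the machine, so the passphrase slot stays the real secret and the PCR binding only guards against a tampered boot chain, not against physical access to a running login prompt.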

So if I understand correctly, you are wondering whether there is a way to run systemd-cryptenroll from your config files.

In this case, I do not know, but I suppose there should be…
It would be nice to include all the setup stuff in a nix file.

1 Like