
Verify all this yourself, I'm a novice. At the very least, following these steps will make you susceptible to cold boot attacks. I can't be 100% sure these commands don't increase your attack surface further in ways I don't understand.
The commands to run.
Most of this is derived from a guide on the Framework Outlet. It was not meant for Immutable Fedora, so I've made my own.
This adds "tpm2-tss" to dracut, which is required for automatic decryption with systemd-cryptenroll:
echo "add_dracutmodules+=\" tpm2-tss \"" | sudo tee /etc/dracut.conf.d/tpm2.conf
This writes the line
add_dracutmodules+=" tpm2-tss "
to /etc/dracut.conf.d/tpm2.conf, dracut's configuration directory.
Now that we've added that to the configuration, we're ready to enroll the TPM2 with systemd-cryptenroll:
sudo systemd-cryptenroll --wipe-slot tpm2 --tpm2-device auto --tpm2-pcrs "1+3+5+7+11+12+14+15" /dev/nvme0n1p3
Now, all of that is taken directly from the Framework guide (linked under References); the only part that's different on Atomic Fedora is the initramfs regeneration. You must enable it with rpm-ostree:
rpm-ostree initramfs --enable
This will cause rpm-ostree to rebuild your initramfs every time you do an update or similar.
To force a rebuild without doing an update, run:
rpm-ostree initramfs-etc --force-sync
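The steps above, wrapped in a script with the pre-flight checks a practitioner would want before touching the LUKS header. This is an added example, not the post's own commands; it assumes the LUKS device is passed as the first argument (the post uses /dev/nvme0n1p3), that the TPM 2.0 is exposed at /dev/tpmrm0, and that this systemd-cryptenroll supports --tpm2-with-pin (not used in the post), which the script enables by default so the TPM alone cannot release the key.

```shell
#!/bin/sh
# Added example, not the post's own commands: the post's steps wrapped in
# pre-flight checks. Assumptions: the LUKS device is passed as $1 (the post
# uses /dev/nvme0n1p3), a TPM 2.0 is exposed at /dev/tpmrm0, and
# --tpm2-with-pin is available in this systemd-cryptenroll (not in the post).
set -eu

PCRS="1+3+5+7+11+12+14+15"          # the PCR set the post binds the key to
DRACUT_CONF=/etc/dracut.conf.d/tpm2.conf
TPM2_PIN="${TPM2_PIN:-yes}"          # set to "no" for the post's unattended unlock

# The exact line the post writes into $DRACUT_CONF.
dracut_tpm2_line() {
    printf 'add_dracutmodules+=" tpm2-tss "\n'
}

# Accept only '+'-separated integers in 0..23, so a typo in the PCR list does
# not silently bind the key to the wrong measurements.
validate_pcrs() {
    [ -n "$1" ] || return 1
    old_ifs=$IFS; IFS='+'; set -- $1; IFS=$old_ifs
    for pcr in "$@"; do
        case "$pcr" in ''|*[!0-9]*) return 1 ;; esac
        [ "$pcr" -le 23 ] || return 1
    done
}

# Refuse to touch the LUKS header unless a TPM2 device is present and the
# target really is a LUKS container.
check_prereqs() {
    [ -c /dev/tpmrm0 ] || { echo "no TPM2 device at /dev/tpmrm0" >&2; return 1; }
    sudo cryptsetup isLuks "$1" || { echo "$1 is not a LUKS device" >&2; return 1; }
}

enroll() {
    validate_pcrs "$PCRS"
    check_prereqs "$1"
    dracut_tpm2_line | sudo tee "$DRACUT_CONF" >/dev/null
    # --wipe-slot tpm2 drops any earlier TPM2 enrollment before adding this one.
    # A PIN means the TPM alone cannot release the key, which blunts the cold
    # boot exposure the post warns about, at the cost of a prompt at boot.
    sudo systemd-cryptenroll --wipe-slot tpm2 --tpm2-device auto \
        --tpm2-pcrs "$PCRS" --tpm2-with-pin="$TPM2_PIN" "$1"
    rpm-ostree initramfs --enable
    rpm-ostree initramfs-etc --force-sync
    # Verify the enrollment landed: the header should now carry a systemd-tpm2 token.
    sudo cryptsetup luksDump "$1" | grep -q systemd-tpm2
}

# Side-effecting steps run only when a device is given on the command line.
if [ -n "${1:-}" ]; then enroll "$1"; fi
```

Run it as `TPM2_PIN=no sh enroll.sh /dev/nvme0n1p3` to reproduce the post's unattended unlock exactly; without the override you are asked to set a PIN during enrollment.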
References
Framework TPM2 Autodecrypt guide
Fedora Magazine Cryptenroll
Arch Wiki