I’ve been following the wiki articles SDB:Encrypted root file system#Unattended boot with TPM 2.0 and partially SDB:LUKS2, TPM2 and FIDO2 to try to enable TPM2 automatic decryption on my system. I’ve already managed to convert my LVM encrypted partition from LUKS1 to LUKS2, here is the partition scheme:
NAME                                   MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1                                259:0    0 476.9G  0 disk
├─nvme0n1p1                            259:1    0   260M  0 part  /boot/efi
└─nvme0n1p2                            259:2    0 476.7G  0 part
  └─cr_nvme-eui.0025388801b7548c-part2 254:0    0 476.7G  0 crypt
    ├─system-root                      254:1    0 163.8G  0 lvm   /root
    │                                                              /var
    │                                                              /usr/local
    │                                                              /boot/grub2/x86_64-efi
    │                                                              /srv
    │                                                              /boot/grub2/i386-pc
    │                                                              /opt
    │                                                              /.snapshots
    │                                                              /
    ├─system-swap                      254:2    0  15.3G  0 lvm   [SWAP]
    └─system-home                      254:3    0 297.6G  0 lvm   /home
I have followed basically every step in the sections linked above, but this is what happens when I boot the system:
error: ../../grub-core/tpm2/module.c:796: Failed to load sealed key (TPM2 Load: 0x1df).
error: ../../grub-core/disk/cryptodisk.c:1191:no key protector provided a usable key for hd0.gpt2 (05e539f6-eff4-4828-bccb-53ba9cef865f).
Enter passphrase for hd0.gpt2 (05e539f6-eff4-4828-bccb-53ba9cef865f):
What could be the reason?
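The hex value in the GRUB message above is a raw TPM 2.0 response code, and its layout (TPM 2.0 Library, Part 2, TPM_RC) can be decoded mechanically. The decoder below is an added example, not code from the poster or from GRUB, with the name tables trimmed to a subset of the specification; for 0x1df it reports TPM_RC_INTEGRITY on parameter 1, which for TPM2_Load is inPrivate, the sealed blob, meaning the blob's integrity check against the parent (storage root) key failed.

```python
# Decoder for TPM 2.0 response codes such as "TPM2 Load: 0x1df" above.
# Format-one codes (bit 7 set) carry a 6-bit error number plus the handle,
# session or parameter it refers to; format-zero codes carry a 7-bit error
# number, a TPM 2.0 marker (bit 8), a vendor bit (10) and a warning bit (11).
# The name tables are a subset of the specification, chosen for boot/unseal
# failures; unknown numbers are reported by their raw offset.

RC_FMT1_NAMES = {
    0x01: "TPM_RC_ASYMMETRIC", 0x02: "TPM_RC_ATTRIBUTES", 0x03: "TPM_RC_HASH",
    0x04: "TPM_RC_VALUE", 0x05: "TPM_RC_HIERARCHY", 0x0B: "TPM_RC_HANDLE",
    0x0E: "TPM_RC_AUTH_FAIL", 0x15: "TPM_RC_SIZE", 0x1C: "TPM_RC_KEY",
    0x1D: "TPM_RC_POLICY_FAIL", 0x1F: "TPM_RC_INTEGRITY", 0x22: "TPM_RC_BAD_AUTH",
}
RC_VER1_NAMES = {  # format-zero, TPM 2.0, not a warning
    0x00: "TPM_RC_INITIALIZE", 0x01: "TPM_RC_FAILURE", 0x26: "TPM_RC_POLICY",
    0x27: "TPM_RC_PCR", 0x28: "TPM_RC_PCR_CHANGED", 0x52: "TPM_RC_PARENT",
}
RC_WARN_NAMES = {  # format-zero with the warning bit set
    0x21: "TPM_RC_LOCKOUT", 0x22: "TPM_RC_RETRY", 0x23: "TPM_RC_NV_UNAVAILABLE",
}

def decode_tpm_rc(rc: int) -> dict:
    """Split a TPM_RC into name, the kind of thing it refers to, and its index."""
    if rc == 0:
        return {"name": "TPM_RC_SUCCESS", "kind": None, "index": None, "warning": False}
    if rc & 0x080:  # format-one: bits 0-5 error, bit 6 = parameter flag, bits 8-11 = N
        err, number = rc & 0x3F, (rc >> 8) & 0xF
        if rc & 0x040:
            kind = "parameter"
        elif number & 0x8:  # with P clear, bit 11 marks a session instead of a handle
            kind, number = "session", number & 0x7
        else:
            kind = "handle"
        name = RC_FMT1_NAMES.get(err, f"RC_FMT1+0x{err:03x}")
        return {"name": name, "kind": kind, "index": number, "warning": False}
    err = rc & 0x7F  # format-zero
    if rc & 0x400:
        return {"name": f"vendor-specific 0x{rc:03x}", "kind": None, "index": None, "warning": False}
    if rc & 0x800:
        name = RC_WARN_NAMES.get(err, f"RC_WARN+0x{err:03x}")
        return {"name": name, "kind": None, "index": None, "warning": True}
    if not rc & 0x100:  # bit 8 clear: TPM 1.2 style code, not decoded here
        return {"name": f"TPM 1.2 code 0x{rc:03x}", "kind": None, "index": None, "warning": False}
    name = RC_VER1_NAMES.get(err, f"RC_VER1+0x{err:03x}")
    return {"name": name, "kind": None, "index": None, "warning": False}

def describe(rc: int) -> str:
    """Human-readable form, e.g. 'TPM_RC_INTEGRITY (parameter 1)'."""
    d = decode_tpm_rc(rc)
    suffix = f" ({d['kind']} {d['index']})" if d["kind"] else ""
    return d["name"] + suffix + (" [warning]" if d["warning"] else "")

if __name__ == "__main__":
    print(f"0x1df -> {describe(0x1df)}")  # the code from the GRUB message above
```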