I already mentioned this issue on this thread, but it’s a pretty big one and I’m sure many have muted it. This problem is also quite annoying, so it’s becoming a bit urgent to find a solution to it.
I am using Ubuntu 24.04 on a Lenovo ThinkPad X1 Carbon Gen 11 and I am all of a sudden having issues with full-disk encryption. For an unknown reason, automatic decryption using the TPM doesn’t work anymore, and I am asked to input the whole recovery key at every boot (which is not ideal, as you may imagine).
Steps I’ve taken
I first recovered the encryption passkey from the recovery key which is shown by snap recovery --show-keys, using this script, as this seems to be the only way I could do the last step (systemd-cryptenroll).
I added a new LUKS key for convenience:
# cryptsetup luksAddKey /dev/nvme0n1p4 --key-file=/tmp/key.out
Then, I reset the TPM in the BIOS, in order to reset the encryption key, and then did:
# systemd-cryptenroll /dev/nvme0n1p4 --wipe-slot=tpm2
# systemd-cryptenroll /dev/nvme0n1p4 --tpm2-device=auto
(providing the passkey when prompted)
The commands themselves seem to work OK (no errors), but then at boot I still get a prompt asking me for the encryption passkey. I also noticed (not sure if related) that my /etc/crypttab is empty.
Does anyone have any suggestions on how to get this working again? It would be greatly appreciated.