I’ve wanted to avoid typing my disk encryption password at boot for a while. Reading about dracut becoming the default initramfs tool in Ubuntu 26.04 LTS, I discovered it supports using the TPM 2.0 security chip to auto-unlock encrypted partitions. With Secure Boot enabled, TPM-based unlock provides both convenience and security by only unlocking your disk on an unmodified boot chain.

This guide assumes that you have Ubuntu 24.04 with LUKS2 full disk encryption and the GRUB bootloader on a machine with TPM 2.0 and Secure Boot enabled.

Step 1: Update and reboot if needed

Install any pending kernel updates before enrolling the TPM. If you later reboot into a kernel version other than the one the TPM-enabled initramfs was built for, that image is bypassed and you are back to the passphrase prompt.

sudo apt update && sudo apt upgrade
# Reboot if a kernel was installed

Step 2: Install dracut

Use dracut as the default initramfs kernel image generator.

sudo apt install dracut tpm2-tools

Accept the apt prompt to remove initramfs-tools along with its dependencies.

Step 3: Configure dracut for TPM

Set up dracut to build initramfs with TPM support:

sudo tee /etc/dracut.conf.d/tpm2.conf > /dev/null << 'EOF'
hostonly="yes"
add_dracutmodules+=" tpm2-tss "
EOF

The hostonly flag creates a smaller, machine-specific image, appropriate since TPM binds to specific hardware anyway.

Step 4: Bind your encryption to TPM

Find your encrypted partition and enroll it with the TPM, binding the new key slot to PCR 7, which tracks Secure Boot state.

# Find your encrypted partition
LUKS_DEV=$(sudo blkid -o device --match-token TYPE=crypto_LUKS); echo "Found: $LUKS_DEV"

sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 $LUKS_DEV

You will be asked for your LUKS password:

🔐 Please enter current passphrase for disk /dev/nvme0nXpX: •••••••
New TPM2 token enrolled as key slot 1.

Step 5: Build the new boot image

Create a backup of the current initramfs, then build the new boot image with dracut:

sudo cp /boot/initrd.img-$(uname -r) /boot/initrd.img-$(uname -r).backup
sudo dracut --force
sudo update-grub

The dracut command auto-detects the current kernel and prints warnings about missing optional modules; this is normal. Successful image creation produces output similar to:

...
dracut[I]: *** Including module: tpm2-tss ***
...
dracut[I]: Stored kernel commandline:
dracut[I]:  rd.luks.uuid=luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
dracut[I]:  root=/dev/mapper/nvme0nXpX_crypt rootfstype=ext4 rootflags=rw,relatime,errors=remount-ro
...
dracut[I]: *** Creating initramfs image file '/boot/initrd.img-6.8.0-90-generic' done ***

Step 6: Verify before rebooting

# Verify TPM enrollment worked
sudo cryptsetup luksDump $LUKS_DEV | grep -A5 systemd-tpm2

# Should show something like:
#   0: systemd-tpm2
#   tpm2-hash-pcrs: 7
#   tpm2-pcr-bank: sha256

# Verify dracut included TPM2 bits
lsinitrd /boot/initrd.img-$(uname -r) | grep -i tpm2

# Confirm your backup exists
ls -lh /boot/initrd.img-$(uname -r).backup
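The Step 6 checks, wrapped into a script that refuses to give the go-ahead for a reboot unless every property the guide expects is present. This is an added example, not part of the original post or the tpm-reenroll helper: it parses the cryptsetup luksDump and lsinitrd output for a systemd-tpm2 token bound to PCR 7 alone in the sha256 bank and for the tpm2-tss module in the image. The lsinitrd listing format and the "SecureBoot enabled" wording of mokutil --sb-state are assumptions.

```shell
#!/bin/sh
# Pre-reboot sanity check for the TPM2 enrollment (added example, not from the post).

# check_tpm2_token: read `cryptsetup luksDump` output on stdin; succeed only if a
# systemd-tpm2 token exists and is bound to exactly PCR 7 in the sha256 bank.
check_tpm2_token() {
    dump=$(cat)
    printf '%s\n' "$dump" | grep -Eq '^[[:space:]]*[0-9]+: systemd-tpm2' \
        || { echo "FAIL: no systemd-tpm2 token in the LUKS header" >&2; return 1; }
    # "0+7" or any other PCR set is rejected: the guide binds to PCR 7 only.
    printf '%s\n' "$dump" | grep -Eq 'tpm2-hash-pcrs:[[:space:]]+7[[:space:]]*$' \
        || { echo "FAIL: token is not bound to PCR 7 alone" >&2; return 1; }
    printf '%s\n' "$dump" | grep -Eq 'tpm2-pcr-bank:[[:space:]]+sha256' \
        || { echo "FAIL: token does not use the sha256 PCR bank" >&2; return 1; }
    echo "OK: systemd-tpm2 token bound to PCR 7 (sha256)"
}

# check_initrd_tpm2: read `lsinitrd` output on stdin; require the tpm2-tss dracut
# module and the systemd-cryptsetup binary (lsinitrd listing format is assumed).
check_initrd_tpm2() {
    listing=$(cat)
    printf '%s\n' "$listing" | grep -q 'tpm2-tss' \
        || { echo "FAIL: initramfs lacks the tpm2-tss dracut module" >&2; return 1; }
    printf '%s\n' "$listing" | grep -q 'systemd-cryptsetup' \
        || { echo "FAIL: initramfs lacks systemd-cryptsetup" >&2; return 1; }
    echo "OK: initramfs contains tpm2-tss and systemd-cryptsetup"
}

# run_checks: run both parsers against the live system, then confirm the backup
# image exists and Secure Boot is on (mokutil output wording is assumed). Needs sudo.
run_checks() {
    dev=$(sudo blkid -o device --match-token TYPE=crypto_LUKS)
    [ "$(printf '%s\n' "$dev" | wc -l)" -eq 1 ] \
        || { echo "FAIL: expected exactly one LUKS device, got: $dev" >&2; return 1; }
    sudo cryptsetup luksDump "$dev" | check_tpm2_token || return 1
    lsinitrd "/boot/initrd.img-$(uname -r)" | check_initrd_tpm2 || return 1
    [ -f "/boot/initrd.img-$(uname -r).backup" ] \
        || { echo "FAIL: no backup initramfs for kernel $(uname -r)" >&2; return 1; }
    mokutil --sb-state 2>/dev/null | grep -q 'SecureBoot enabled' \
        || echo "WARN: Secure Boot not reported enabled; a PCR 7 policy is weak without it" >&2
    echo "All checks passed; safe to reboot"
}

# Only touch the live system when asked, so the parsers can be sourced and tested.
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Save it as tpm-precheck.sh and run `sh tpm-precheck.sh --run` after Step 6; a non-zero exit means do not reboot yet.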

Step 7: Reboot to check auto-unlock

sudo reboot

Watch the boot process. If it works: no password prompt, straight to your login screen.

If it fails: you’ll see the password prompt; enter your password as usual and work through the troubleshooting steps under “If Things Go Wrong” below.

Step 8: Final cleanup

If boot auto-unlocked successfully, regenerate initramfs for all kernels:

# Build initramfs for ALL your kernels (may take a minute)
sudo dracut --force --regenerate-all
sudo update-grub

# Remove backup image
sudo rm /boot/initrd.img-$(uname -r).backup

Now all future kernel updates will automatically use dracut with TPM2 support.


Re-enrollment Script

I’ve found I needed to re-enroll the encrypted partition after firmware updates or toggling secure boot. The manual steps are:

LUKS_DEV=$(sudo blkid -o device --match-token TYPE=crypto_LUKS)
sudo systemd-cryptenroll --wipe-slot=tpm2 $LUKS_DEV
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 $LUKS_DEV
sudo dracut --force
sudo update-grub

I’ve wrapped these in a helper script available as the tpm-reenroll command.


If Things Go Wrong

Boot completely failed

From the GRUB menu, select “Advanced options for Ubuntu” and choose your kernel’s recovery mode. Once booted, restore the backup:

# Restore the backup permanently
sudo cp /boot/initrd.img-$(uname -r).backup /boot/initrd.img-$(uname -r)
sudo update-grub

TPM unlock stopped working but system boots fine

# Check what happened during boot
sudo journalctl -b | grep -E "systemd-cryptsetup|tpm2|luks"
# If the TPM2 token was rejected, re-enroll it (see the Re-enrollment Script section above).

Undo dracut setup

# Remove dracut
sudo apt remove dracut

# Reinstall Ubuntu's default
sudo apt install initramfs-tools

# Rebuild boot image
sudo update-initramfs -u

# Remove TPM enrollment (optional - doesn't hurt to leave it)
LUKS_DEV=$(sudo blkid -o device --match-token TYPE=crypto_LUKS)
sudo systemd-cryptenroll --wipe-slot=tpm2 $LUKS_DEV
