cas-- · December 30, 2025 22:17 · cas-- · Dec 29, 2025
diff --git a/tpm-reenroll.sh b/tpm-reenroll.sh
 #!/bin/bash
 set -e

 # Check if running as root
 if [ "$EUID" -ne 0 ]; then 
    echo "This script must be run as root. Please use: sudo tpm-reenroll"
    exit 1
 fi

 # CONFIGURATION - Change this to match what you used initially!
 PCR_SET="7"  # Use "0" if you enrolled with PCR 0

 # Colors for pretty output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 NC='\033[0m'

 echo -e "${YELLOW}TPM2 LUKS Re-enrollment Tool${NC}"
 echo "================================"

 # Find your LUKS partition
 LUKS_DEV=$(blkid -o device --match-token TYPE=crypto_LUKS)
 if [ -z "$LUKS_DEV" ]; then
    echo -e "${RED}Error: No LUKS device found${NC}"
    exit 1
 fi

 echo -e "${GREEN}Found: $LUKS_DEV${NC}"
 echo ""

 # Show current state
 echo "Current TPM2 enrollment:"
 cryptsetup luksDump "$LUKS_DEV" | grep -A5 "systemd-tpm2" || echo "No TPM2 token found"
 echo ""

 echo "Current PCR values (what TPM sees now):"
 tpm2_pcrread "sha256:${PCR_SET//+/,}" || {
    echo -e "${RED}Can't read TPM - is it accessible?${NC}"
    exit 1
 }
 echo ""

 # Confirm before proceeding
 echo -e "${YELLOW}Re-enroll $LUKS_DEV with PCRs: $PCR_SET?${NC}"
 read -p "Continue? [y/N] " -n 1 -r
 echo
 if [[ ! $REPLY =~ ^[Yy]$ ]]; then
    echo "Cancelled."
    exit 0
 fi

 # Do the thing
 echo "Wiping old TPM2 enrollment..."
 systemd-cryptenroll --wipe-slot=tpm2 "$LUKS_DEV" 2>/dev/null || true

 echo "Enrolling with PCRs: $PCR_SET..."
 systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$PCR_SET" "$LUKS_DEV" || {
    echo -e "${RED}Enrollment failed!${NC}"
    exit 1
 }

 echo ""
 echo -e "${GREEN}✓ Re-enrollment complete!${NC}"
 echo ""
 cryptsetup luksDump "$LUKS_DEV" | grep -A5 "systemd-tpm2"

 # Update grub to handle potential PCR value changes
 echo ""
 echo "Updating GRUB configuration..."
 update-grub

 echo ""
 echo -e "${GREEN}All done! Reboot to test.${NC}"
	#!/bin/bash
	set -e

	# Check if running as root
	if [ "$EUID" -ne 0 ]; then
	echo "This script must be run as root. Please use: sudo tpm-reenroll"
	exit 1
	fi

	# CONFIGURATION - Change this to match what you used initially!
	PCR_SET="7" # Use "0" if you enrolled with PCR 0

	# Colors for pretty output
	RED='\033[0;31m'
	GREEN='\033[0;32m'
	YELLOW='\033[1;33m'
	NC='\033[0m'

	echo -e "${YELLOW}TPM2 LUKS Re-enrollment Tool${NC}"
	echo "================================"

	# Find your LUKS partition
	LUKS_DEV=$(blkid -o device --match-token TYPE=crypto_LUKS)
	if [ -z "$LUKS_DEV" ]; then
	echo -e "${RED}Error: No LUKS device found${NC}"
	exit 1
	fi

	echo -e "${GREEN}Found: $LUKS_DEV${NC}"
	echo ""

	# Show current state
	echo "Current TPM2 enrollment:"
	cryptsetup luksDump "$LUKS_DEV" \| grep -A5 "systemd-tpm2" \|\| echo "No TPM2 token found"
	echo ""

	echo "Current PCR values (what TPM sees now):"
	tpm2_pcrread "sha256:${PCR_SET//+/,}" \|\| {
	echo -e "${RED}Can't read TPM - is it accessible?${NC}"
	exit 1
	}
	echo ""

	# Confirm before proceeding
	echo -e "${YELLOW}Re-enroll $LUKS_DEV with PCRs: $PCR_SET?${NC}"
	read -p "Continue? [y/N] " -n 1 -r
	echo
	if [[ ! $REPLY =~ ^[Yy]$ ]]; then
	echo "Cancelled."
	exit 0
	fi

	# Do the thing
	echo "Wiping old TPM2 enrollment..."
	systemd-cryptenroll --wipe-slot=tpm2 "$LUKS_DEV" 2>/dev/null \|\| true

	echo "Enrolling with PCRs: $PCR_SET..."
	systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$PCR_SET" "$LUKS_DEV" \|\| {
	echo -e "${RED}Enrollment failed!${NC}"
	exit 1
	}

	echo ""
	echo -e "${GREEN}✓ Re-enrollment complete!${NC}"
	echo ""
	cryptsetup luksDump "$LUKS_DEV" \| grep -A5 "systemd-tpm2"

	# Update grub to handle potential PCR value changes
	echo ""
	echo "Updating GRUB configuration..."
	update-grub

	echo ""
	echo -e "${GREEN}All done! Reboot to test.${NC}"
No results found