====== LUKS ======
===== Mount encrypted partition =====
  cryptsetup luksOpen /dev/mmcblk1p3 mmcblk2p3_crypt
  mount /dev/vgkubuntu/root /target # use lvdisplay and lsblk to find the volume
==== Grow partition ====
Note: the filesystem should not be mounted when resizing.
  * https://www.redhat.com/sysadmin/resize-lvm-simple
===== Change key of encrypted partition =====
  cryptsetup luksChangeKey /dev/sdX
===== Extend encrypted partition =====
  * https://unix.stackexchange.com/a/322631
===== Setup automatic unlock =====
  apt install -y clevis clevis-luks clevis-udisks2 clevis-systemd clevis-tpm2 clevis-initramfs
  clevis luks bind -d /dev/mmcblk1p3 tpm2 '{"pcr_ids":"1,7","key":"rsa"}'
  systemctl enable clevis-luks-askpass.path
  update-initramfs -u -k all
==== Troubleshooting ====
If it doesn't work, it might be due to a wrong ''pcr_bank'' or ''key'' being used.
The PCR banks can be checked with ''tpm2_pcrread''.
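
One way to check for a ''pcr_bank'' mismatch, as an added example that is not part of the original page: the script compares the bank and PCR ids of each tpm2 binding from ''clevis luks list'' with the banks that ''tpm2_pcrread'' reports as populated. The function names and both sample outputs are constructed, and ''pcr_ids'' is assumed to be a comma-separated string as in the bind command above.

```shell
#!/bin/sh
# Added example (not from the original page). Sample outputs below are constructed.

# Constructed `clevis luks list -d <device>` output: slot 1 is sealed to bank sha1.
SAMPLE_LIST=$(cat <<'EOF'
1: tpm2 '{"hash":"sha256","key":"rsa","pcr_bank":"sha1","pcr_ids":"1,7"}'
2: tang '{"url":"http://tang.example"}'
EOF
)

# Constructed `tpm2_pcrread` output (digests shortened): only sha256 has values.
SAMPLE_PCRS=$(cat <<'EOF'
  sha1:
  sha256:
    0 : 0x1111AAAA
    1 : 0x2222BBBB
    7 : 0x3333CCCC
EOF
)

# Print "slot bank ids" for each tpm2 binding in `clevis luks list` output (stdin).
tpm2_bindings() {
    grep -E '^[0-9]+: tpm2 ' | while IFS= read -r line; do
        slot=${line%%:*}
        bank=$(printf '%s\n' "$line" | sed -n 's/.*"pcr_bank":"\([^"]*\)".*/\1/p')
        ids=$(printf '%s\n' "$line" | sed -n 's/.*"pcr_ids":"\([^"]*\)".*/\1/p')
        printf '%s %s %s\n' "$slot" "${bank:-unset}" "${ids:-none}"
    done
}

# Succeed if PCR index $2 has a value in bank $1 of `tpm2_pcrread` output (stdin).
pcr_populated() {
    awk -v bank="$1" -v idx="$2" '
        NF == 1 && $1 ~ /^[a-z0-9_]+:$/ { cur = substr($1, 1, length($1) - 1); next }
        cur == bank && NF >= 3 && $1 == idx && $2 == ":" { found = 1 }
        END { exit !found }'
}

# $1 = `clevis luks list` output, $2 = `tpm2_pcrread` output.
# Reports every bound PCR that the TPM does not expose in the binding's bank.
check_bindings() {
    printf '%s\n' "$1" | tpm2_bindings | while read -r slot bank ids; do
        if [ "$ids" = none ]; then continue; fi   # binding is not sealed to PCRs
        for idx in $(printf '%s' "$ids" | tr ',' ' '); do
            printf '%s\n' "$2" | pcr_populated "$bank" "$idx" ||
                printf 'slot %s: PCR %s not populated in bank %s\n' "$slot" "$idx" "$bank"
        done
    done
}

check_bindings "$SAMPLE_LIST" "$SAMPLE_PCRS"
```

On a real system, run ''check_bindings "$(clevis luks list -d /dev/nvme0n1p3)" "$(tpm2_pcrread)"'' as root instead of passing the sample data.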
==== Regenerate ====
If automatic unlock does not work anymore, the binding needs to be regenerated.
First list the used slots:
  clevis luks list -d /dev/nvme0n1p3
Then regenerate the used slot:
  clevis luks regen -d /dev/nvme0n1p3 -s 1
==== Change PCRs ====
To change PCRs, you first need to delete the key and then re-add it using the wanted PCRs.
List the used slots:
  clevis luks list -d /dev/nvme0n1p3
Remove the slot:
  clevis luks unbind -d /dev/nvme0n1p3 -s 1 -f
Note: ''-f'' will not ask for confirmation, but it is needed if there is no other slot set up.
After that, re-add the key as in the automatic unlock setup above.
===== References =====
  * https://tqdev.com/2023-luks-recovery-from-initramfs-shell
  * https://fedoramagazine.org/automatically-decrypt-your-disk-using-tpm2/
  * https://github.com/latchset/clevis/issues/165
  * https://unix.stackexchange.com/questions/704813/ubuntu-20-04-clevis-luks-setup-auto-unlocking-not-working
  * https://wiki.archlinux.org/title/Clevis
  * https://wiki.archlinux.org/title/Trusted_Platform_Module#Accessing_PCR_registers
  * https://www.tuxedocomputers.com/en/Infos/Help-Support/Instructions/Change-LUKS-encryption-password.tuxedo
  * https://discourse.nixos.org/t/full-disk-encryption-tpm2/29454/2
  * https://wiki.archlinux.org/title/Systemd-cryptenroll