From Fedora Project Wiki


A simple validation test case for Clevis on Fedora IoT Edition. This test will require hardware with a Trusted Platform Module (TPM) or a virtual machines with an emulated TPM (you will need to install swtpm, swtpm-tools).


Install a system with an encrypted root filesystem. See this testcase for further details.

If using a virtual machine you will need to install swtpm and swtpm-tools on the host.

sudo dnf install swtpm swtpm-tools 

Using virt-manager add the TPM to the the virtual machine, selecting the default TPMv2. If the host system offers a hardware TPM you can also use that but it is not required for this test case.

How to test

Verify decryption is working via TPM2

echo foo | clevis encrypt tpm2 '{}' | clevis decrypt

Get the UUID of the encrypted device

UUID=$(lsblk | grep luks | sed 's/^.*luks-//' | cut -d ' ' -f1)
DEV=$(blkid --uuid $UUID)

Check encryption details of the device

cryptsetup luksDump $DEV

Verify the passphrase before setting

cryptsetup luksOpen --test-passphrase --key-slot 0 $DEV && echo correct

Setup Clevis to decrypt via TPM2 on boot

clevis luks bind -f -k- -d $DEV tpm2 '{}' <<< $YOUR_PASSPHRASE

Reboot the system and see if it is booted without user intervention.


  1. The installed system should boot to log in without needing the passphrase for the encrypted filesystem.