TPM Enroll After BIOS Update

Use the luksDump command to identify the keyslot associated with the TPM and the ID of its token. They appear under the “Keyslots” and “Tokens” sections of the output. The token named systemd-tpm2 should have a keyslot associated with it.

cryptsetup luksDump /dev/nvme0n1p2

Now delete both the keyslot and the token.

cryptsetup luksKillSlot /dev/nvme0n1p2 <SLOTID>
cryptsetup token remove --token-id=<TOKENID> /dev/nvme0n1p2

Finally, enroll the TPM again.

systemd-cryptenroll --tpm2-device=auto /dev/nvme0n1p2
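
An added example, not part of the original note: a Python helper that reads the LUKS2 header as JSON (cryptsetup luksDump --dump-json-metadata, available in cryptsetup 2.4 and later), finds the systemd-tpm2 token and its keyslot, and prints the three commands of the procedure above, refusing when no non-TPM keyslot would remain. The function names and the sample header are constructed for illustration.

```python
import json
import subprocess
import sys

# Constructed sample of LUKS2 JSON metadata, trimmed to the fields used here.
SAMPLE = {
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
    "tokens": {"0": {"type": "systemd-tpm2", "keyslots": ["1"]}},
}


def read_header(device):
    """Return the LUKS2 header metadata of `device` as a dict (needs root)."""
    out = subprocess.run(
        ["cryptsetup", "luksDump", "--dump-json-metadata", device],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def plan_reenroll(metadata, device):
    """Build the commands of the procedure; raise ValueError if it is unsafe."""
    keyslots = set(metadata.get("keyslots", {}))
    tpm_tokens = [tid for tid, tok in metadata.get("tokens", {}).items()
                  if tok.get("type") == "systemd-tpm2"]
    if not tpm_tokens:
        raise ValueError("no systemd-tpm2 token found in the header")
    tpm_slots = {slot for tid in tpm_tokens
                 for slot in metadata["tokens"][tid].get("keyslots", [])}
    # Killing every TPM slot must still leave at least one non-TPM slot.
    if not keyslots - tpm_slots:
        raise ValueError("only TPM-bound keyslots exist; add a passphrase first")
    # A token may point at a slot that was already removed; skip those.
    kill = sorted(tpm_slots & keyslots, key=int)
    cmds = [f"cryptsetup luksKillSlot {device} {slot}" for slot in kill]
    cmds += [f"cryptsetup token remove --token-id={tid} {device}"
             for tid in sorted(tpm_tokens, key=int)]
    cmds.append(f"systemd-cryptenroll --tpm2-device=auto {device}")
    return cmds


if __name__ == "__main__":
    # With a device argument the real header is read; otherwise the sample is used.
    device = sys.argv[1] if len(sys.argv) > 1 else "/dev/nvme0n1p2"
    header = read_header(device) if len(sys.argv) > 1 else SAMPLE
    print("\n".join(plan_reenroll(header, device)))
```

The helper only prints the commands; luksKillSlot will still ask for a passphrase from one of the remaining keyslots when it is run.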