Releases: kelderek/TPM2-LUKS
Version 2.0.1
This is an important security release!
A missing character in the template for tpm2-getkey caused the key to be stored in plain text in that file rather than being read from the TPM2 device. Thanks to @jensaymoo for noticing the issue and having a PR ready!
The easiest way to correct the issue on a system that used the old version is to download v2.0.1 or newer and run the script again. When it prompts, you can choose either to keep using the key already stored in the TPM2 or to generate a new one. tpm2-getkey will be regenerated and the initramfs will be rebuilt. If you choose to generate a new key, be aware that the script will NOT remove the old one from the LUKS header for you. To do that, use cryptsetup luksRemoveKey if you still have a record of the old key, or find the key slot it occupies and use cryptsetup luksKillSlot.
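As an added check, not part of the project's scripts: a small POSIX shell inspection that classifies a generated keyscript as either deferring to the TPM (calling tpm2_nvread at unlock time) or carrying the key as a literal, which is the symptom of the pre-2.0.1 template bug. The fixture file names, the NV index 0x1500016 and the "long literal after echo/printf" heuristic are assumptions, since the page does not show the template itself.

```shell
#!/bin/sh
# Added example, not part of TPM2-LUKS: statically check whether a tpm2-getkey
# keyscript reads the key from the TPM2 NV index or embeds it in plain text.
# Paths, the NV index and the literal-key heuristic are assumptions.

classify_getkey() {
    # $1 = path of the keyscript to inspect. Prints tpm|plaintext|unknown.
    # Exit status: 0 = reads from TPM, 1 = literal key found, 2 = unreadable,
    # 3 = neither pattern matched (inspect the file by hand).
    f="$1"
    [ -r "$f" ] || { echo "unreadable"; return 2; }
    if grep -q 'tpm2_nvread' "$f"; then
        echo "tpm"; return 0
    fi
    # Heuristic: a long run of key-like characters after echo/printf
    # (the default key from v1.0.0 onward is 64 characters).
    if grep -Eq '(echo|printf).*[A-Za-z0-9+/=_-]{32,}' "$f"; then
        echo "plaintext"; return 1
    fi
    echo "unknown"; return 3
}

make_samples() {
    # Constructed fixtures: one keyscript that reads placeholder NV index
    # 0x1500016 with the size parameter, one that embeds a dummy 64-character
    # key, and one that matches neither pattern.
    dir=$(mktemp -d)
    printf '#!/bin/sh\ntpm2_nvread -s 64 0x1500016\n' > "$dir/getkey.tpm"
    printf '#!/bin/sh\necho "%s"\n' \
        '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01' \
        > "$dir/getkey.plain"
    printf '#!/bin/sh\nexit 1\n' > "$dir/getkey.other"
    echo "$dir"
}

# Stand-alone demo over the fixtures; on a real system, point classify_getkey
# at the keyscript the autounlock script generated for you.
samples=$(make_samples)
for f in "$samples"/getkey.*; do
    printf '%s: %s\n' "$f" "$(classify_getkey "$f" || true)"
done
rm -rf "$samples"
```

A "plaintext" result on a system that ran the old version means the key is also sitting inside the initramfs image, so the fix in the notes above (regenerate the keyscript, rebuild initramfs, retire the old LUKS key) applies in full.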
Version 2.0.0
+Support for secondary devices
+Added menu system to select devices
+Added a lot more checks
-Temporarily removed command line parameters due to bugs
Version 1.0.0
-Renamed to tpm2-luks-autounlock.sh
-Now accepts the device as a command line parameter. If none provided, pulls the first volume from /etc/crypttab and>
-Added check if running as root rather than using sudo (thanks zombiedk!). Resolves issue #4
-Added variable to change the key size. Defaults to 64 characters
-Added size parameter to tpm2_nvread calls to avoid warnings during unlock about reading the full index
Initial beta version
Initial release, with a few tweaks from ezaton. This has the core functionality, but very little in the way of guidance or error checking. It is useful for looking past the niceties to see what the script actually does. It will automatically add a key to all drives in /etc/crypttab, but only the first drive in /etc/crypttab will be set up to auto-unlock at boot. You will need to manually update /etc/crypttab for additional devices.