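#!/bin/bash
#
# Enrol a random 32-byte key file into a LUKS volume and create a TPM 2.0
# primary object whose context is saved next to the key.
#
# Must run as root. cryptsetup luksAddKey asks for an existing passphrase of
# the volume before it adds the new key slot, so the script is interactive.
#
# NOTE(review): the secret stays in plaintext at /root/keys/fde-secret.bin
# after this script finishes. Presumably /usr/sbin/update-luks-tpm.sh seals it
# into the TPM later; confirm, and remove or protect the plaintext copy once
# sealing has been verified.
set -euo pipefail

# Files created below hold key material: never create them group/world readable.
umask 077

readonly CRYPTFS=/dev/nvme0n1p3
readonly KEY_DIR=/root/keys
readonly KEY_FILE="${KEY_DIR}/fde-secret.bin"

# Fail before generating any key material if the target is not a LUKS volume.
if ! cryptsetup isLuks "$CRYPTFS"; then
  echo "error: $CRYPTFS is not a LUKS device" >&2
  exit 1
fi

# The key directory has to exist before tpm2_getrandom writes into it
# (the original created it only after the key file had been written).
mkdir -p "$KEY_DIR"

echo "creating secret key"
# 32 random bytes from the TPM's RNG become the new LUKS key file.
tpm2_getrandom 32 -o "$KEY_FILE"
# Explicit chmod as well: a pre-existing file keeps its old mode on overwrite.
chmod 600 "$KEY_FILE"

cryptsetup luksAddKey "$CRYPTFS" "$KEY_FILE"

# ECC P-256 primary object under the endorsement hierarchy (-C e).
tpm2_createprimary -C e -g sha256 -G ecc256 -c "${KEY_DIR}/e-primary.context"

# /usr/sbin/update-luks-tpm.sh  # not required before reboot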