#!/bin/bash
set -e

CRYPTFS=/dev/nvme0n1p3

echo "creating secret key"
mkdir -p /root/keys
tpm2_getrandom 32 -o /root/keys/fde-secret.bin
chmod 600 /root/keys/fde-secret.bin
cryptsetup luksAddKey $CRYPTFS /root/keys/fde-secret.bin

# /usr/sbin/update-luks-tpm.sh #not reqired before reboot