Hi guys.
Is this a misbehavior of some sort? I encrypt:

$ systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/nvme0n1p3

but unless there is only one keyslot (may even have any ID) or perhaps if it was first - but have not tried it - then 'cryptsetup' does not open the device at boot. From what I understand 'cryptsetup' tries all keyslots. I was thinking of 'timeout' but cryptsetup does not report any such issues, simply boot stops, waiting for a passphrase.

In other words: I need to remove all keyslots, old ones, enrolled in the past for which TPMs do not exist any more, except for the one I know is valid, only then system boots with TPM, not passphrase.
Any thoughts much appreciated. Many thanks, L.