From c91f1a3db864650166d1b635470119b5072d7c41 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 5 Jun 2025 14:40:42 +0200 Subject: [PATCH] man: suggest using --unlock-tpm2-device=auto in cryptenroll example When refreshing a tpm2 enrollment, it makes sense to use tpm2 to unlock the device. Fixes: #35279 --- man/systemd-cryptenroll.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml index 5572510e1ff..e27ae4288e0 100644 --- a/man/systemd-cryptenroll.xml +++ b/man/systemd-cryptenroll.xml @@ -699,7 +699,7 @@ added slot is always excluded from the wiping. Combining enrollment and slot wiping may thus be used to update existing enrollments: - systemd-cryptenroll /dev/sda1 --wipe-slot=tpm2 --tpm2-device=auto + systemd-cryptenroll /dev/sda1 --wipe-slot=tpm2 --tpm2-device=auto --unlock-tpm2-device=auto The above command will enroll the TPM2 chip, and then wipe all previously created TPM2 enrollments on the LUKS2 volume, leaving only the newly created one. Combining wiping and enrollment -- 2.47.3
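Review bot: The paragraph following the changed example in man/systemd-cryptenroll.xml (the context line starting "The above command will enroll the TPM2 chip") is left untouched and does not say that the volume is now unlocked through the TPM2. With `--unlock-tpm2-device=auto` added, the example depends on the existing TPM2 enrollment still being able to unlock the volume, and that is the same enrollment the command then removes via `--wipe-slot=tpm2`. Suggest extending that paragraph with one sentence stating that the existing TPM2 enrollment is used to unlock the device for this operation, and that the option can be omitted, as in the previous form of the example, when the old enrollment can no longer unlock the volume and a different credential has to be supplied.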