diff --git a/homes/x86_64-linux/matt@matt-nixos/default.nix b/homes/x86_64-linux/matt@matt-nixos/default.nix index 433be65..f8c21f6 100755 --- a/homes/x86_64-linux/matt@matt-nixos/default.nix +++ b/homes/x86_64-linux/matt@matt-nixos/default.nix @@ -167,6 +167,7 @@ in with pkgs; [ bolt-launcher + clevis compose2nix distrobox heroic diff --git a/modules/nixos/disko/default.nix b/modules/nixos/disko/default.nix index 6b7dbc4..9cac1f9 100644 --- a/modules/nixos/disko/default.nix +++ b/modules/nixos/disko/default.nix @@ -72,6 +72,7 @@ let ]; settings = { crypttabExtraOpts = [ + "tpm2-device=auto" "fido2-device=auto" "token-timeout=10" ]; diff --git a/systems/x86_64-linux/matt-nixos/boot.nix b/systems/x86_64-linux/matt-nixos/boot.nix index fb4c0f7..e8bc75a 100755 --- a/systems/x86_64-linux/matt-nixos/boot.nix +++ b/systems/x86_64-linux/matt-nixos/boot.nix @@ -1,5 +1,6 @@ { config, + lib, pkgs, namespace, ... @@ -38,6 +39,14 @@ in "usb_storage" "sd_mod" ]; + + luks.devices = { + cryptroot = { + device = "/dev/disk/by-partlabel/disk-main-matt-nixos-cryptroot"; + allowDiscards = true; # Used if primary device is a SSD + preLVM = true; + }; + }; }; kernelPackages = kernel; @@ -56,7 +65,10 @@ in nixpkgs.crossSystem.system = "aarch64-linux"; - environment.systemPackages = with pkgsVersion; [ - edk2-uefi-shell - ]; + environment = { + etc."clevis/disk.jwe".source = ./disk.jwe; + systemPackages = with pkgsVersion; [ + edk2-uefi-shell + ]; + }; } diff --git a/systems/x86_64-linux/matt-nixos/disk.jwe b/systems/x86_64-linux/matt-nixos/disk.jwe new file mode 100644 index 0000000..eb9e060 --- /dev/null +++ b/systems/x86_64-linux/matt-nixos/disk.jwe @@ -0,0 +1 @@ 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..ufmRm2a8gElU1nwP.LswjjMZH_-Yt9lM.STkxaAJ9L3XReZKevTKpKw \ No newline at end of file
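Review bot: Adding `"tpm2-device=auto"` to `crypttabExtraOpts` in modules/nixos/disko/default.nix changes who can unlock the volume, and nothing in the hunk records which TPM2 policy the enrolled key slot is expected to carry. If the TPM2 slot is enrolled without a PIN, the disk unlocks unattended on any boot that satisfies the bound PCRs, so the FIDO2 token listed next to it becomes an alternative rather than a requirement. The order in which systemd-cryptsetup tries the two is not visible here and should be confirmed. I would add a comment above the list, for example `# TPM2 slot must be enrolled with --tpm2-pcrs=<PCR list>; add --tpm2-with-pin=yes if unattended unlock is not wanted`. The `settings` block starts and ends outside the hunk.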
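Review bot: `allowDiscards = true` on `cryptroot` in boot.nix passes TRIM through dm-crypt, which lets anyone who can read the raw device see which blocks are unused, and the inline comment gives only the SSD reason. I would state the trade-off on that line, e.g. `allowDiscards = true; # SSD TRIM passthrough; exposes the free-block layout of the encrypted volume`. `preLVM = true` is already the option's default and can be dropped. The disko module patched in this same commit also appears to configure LUKS options, so it is worth confirming that this block does not define the same device a second time with different settings. The enclosing attribute set starts outside the hunk.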
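Review bot: `etc."clevis/disk.jwe".source = ./disk.jwe` copies the Clevis token into the world-readable Nix store and, through the new `disk.jwe` file added by this commit, into Git history, so its secrecy rests entirely on the pin it was sealed with. The JWE header that would show the pin is not readable on this page, so please document the binding (TPM2 with which PCRs, or a network server) in a comment next to this line, e.g. `# sealed with clevis <pin>, policy: <PCR list or server>`. If it was sealed to the TPM without a PCR policy, any boot on this machine can unseal it. Separately, /etc is presumably on the encrypted root, so a token placed there cannot help unlock `cryptroot` during early boot. If that is the intent, NixOS provides `boot.initrd.clevis.devices.<name>.secretFile` for it.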