
Clevis auto decrypt not working (Kali 2022.2 + LUKS + TPM2 + Clevis)

2 votes
0 answers
1013 views
I cannot figure out how to get clevis to auto-decrypt my root partition on boot.

# What I want

I want to use the TPM2 chip on my Kali PC to have an encrypted disk that self-decrypts on boot. The main purpose is to prevent a data leak in case of a stolen drive/computer.

# What I did

I first encrypted my / partition (/dev/sda2) in luks1 from a bootable drive using cryptsetup-reencrypt. I edited the grub config, fstab and crypttab, and ran update-grub and update-initramfs. This allowed me to boot on the encrypted root partition, and it asks me for the luks password twice.

I then installed clevis and bound luks to the TPM using:

sudo clevis luks bind -d /dev/sda2 tpm2 '{"pcr_bank":"sha256","pcr_ids":"7"}'

I can see that it used a new keyslot on the luks header. I activated the service clevis-luks-askpass.path, and updated grub and initramfs again. But on reboot, I'm still prompted for a password. I tried waiting a few minutes but nothing happens.

Am I missing something?

# What I have

Partitions: I have everything in the same partition (including /boot). The only other partition is the efi.

**Filesystem**
$ lsblk -fs

NAME    FSTYPE      FSVER LABEL UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
sda1    vfat        FAT32       08C3-0099                             510,8M     0% /boot/efi
└─sda
root    ext4        1.0         55d30c15-a2a5-4721-b679-0e8746c54768  183,6G    16% /
└─sda2  crypto_LUKS 1           49e3950a-b1a9-449e-aeec-757bba148a84
  └─sda
**Grub**
$ cat /etc/default/grub

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT=""
GRUB_CMDLINE_LINUX=""
GRUB_ENABLE_CRYPTODISK=y
GRUB_PRELOAD_MODULES="luks cryptodisk"
**Fstab**
$ cat /etc/fstab

# /boot/efi was on /dev/sda1 during installation
UUID=08C3-0099  /boot/efi       vfat    umask=0077      0       1
# swap was on /dev/sda3 during installation
/swapfile       none            swap    sw              0       0

# new root
UUID=49e3950a-b1a9-449e-aeec-757bba148a84 / ext4 errors=remount-ro 0 1
**Crypttab**
$ cat /etc/crypttab
#                 
root UUID=49e3950a-b1a9-449e-aeec-757bba148a84 none luks
**Clevis packages**
$ apt list --installed | grep clevis

clevis-initramfs/kali-rolling,now 18-2+b1 amd64  [installed]
clevis-luks/kali-rolling,now 18-2+b1 amd64  [installed]
clevis-systemd/kali-rolling,now 18-2+b1 amd64  [installed]
clevis-tpm2/kali-rolling,now 18-2+b1 amd64  [installed]
clevis/kali-rolling,now 18-2+b1 amd64  [installed]
**clevis-luks-askpass.path**
$ sudo systemctl status clevis-luks-askpass.path

● clevis-luks-askpass.path - Forward Password Requests to Clevis Directory Watch
     Loaded: loaded (/lib/systemd/system/clevis-luks-askpass.path; enabled; vendor preset: enabled)
     Active: active (waiting) since Wed 2022-07-06 14:10:04 CEST; 1h 16min ago
      Until: Wed 2022-07-06 14:10:04 CEST; 1h 16min ago
   Triggers: ● clevis-luks-askpass.service
       Docs: man:clevis-luks-unlockers(7)

Notice: journal has been rotated since unit was started, output may be incomplete.
**lsb_release**
$ lsb_release -a

No LSB modules are available.
Distributor ID:	Kali
Description:	Kali GNU/Linux Rolling
Release:	2022.2
Codename:	kali-rolling
Asked by Raphael (21 rep)
Jul 6, 2022, 01:30 PM
Last activity: Jul 9, 2022, 03:01 PM
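A diagnostic checklist for the setup described in the question, added here as an example (it is not part of the question or of the Clevis project): on an initramfs-tools system Clevis unlocks the root volume from the initramfs through the clevis-initramfs hook, while clevis-luks-askpass.path answers systemd password requests in the running system, so the script checks the crypttab entry against the LUKS UUID, the bindings recorded in the LUKS header, the hook files inside the current initramfs and the current PCR 7 value. It assumes initramfs-tools (lsinitramfs), clevis 11 or newer (clevis luks list) and tpm2-tools (tpm2_pcrread); /dev/sda2 and PCR 7 are taken from the question, and the check-clevis.sh file name is hypothetical.

```shell
#!/bin/sh
# Added diagnostic checklist for a Clevis/TPM2-unlocked root volume (not from the original question).
# Assumes: Debian/Kali initramfs-tools (lsinitramfs), clevis >= 11 (clevis luks list),
# tpm2-tools (tpm2_pcrread). /dev/sda2 and PCR 7 are the values used in the question.

# ---- pure helpers: they read captured text on stdin, so they can be exercised offline ----

# crypttab_uuid NAME: print the UUID= source of mapping NAME from a crypttab read on stdin.
crypttab_uuid() {
  awk -v n="$1" '$1 !~ /^#/ && $1 == n && $2 ~ /^UUID=/ { sub(/^UUID=/, "", $2); print $2; exit }'
}

# initramfs_has_clevis: succeed when an lsinitramfs listing on stdin contains clevis hook files/binaries.
initramfs_has_clevis() {
  grep -q -E '(^|/)clevis($|-)'
}

# clevis_tpm2_slots: from "clevis luks list" output on stdin, print the keyslot numbers bound with
# the tpm2 pin. Example line:  1: tpm2 '{"pcr_bank":"sha256","pcr_ids":"7"}'
clevis_tpm2_slots() {
  awk -F: '$2 ~ /^ *tpm2/ { gsub(/ /, "", $1); print $1 }'
}

# ---- live checks: run as root on the machine itself:  sh check-clevis.sh --live /dev/sda2 ----
check_live() {
  dev="${1:-/dev/sda2}"
  echo "== crypttab source for 'root' (must equal the LUKS UUID below)"
  crypttab_uuid root < /etc/crypttab
  echo "== LUKS UUID of $dev"
  cryptsetup luksUUID "$dev"
  echo "== Clevis bindings in the LUKS header (expect a tpm2 slot)"
  clevis luks list -d "$dev"
  echo "== tpm2-bound keyslots:" $(clevis luks list -d "$dev" | clevis_tpm2_slots)
  echo "== clevis files inside the current initramfs"
  if lsinitramfs "/boot/initrd.img-$(uname -r)" | initramfs_has_clevis; then
    echo "clevis hook present"
  else
    echo "MISSING: clevis-initramfs hook not in the initramfs (run update-initramfs -u)"
  fi
  echo "== current PCR 7 (the unseal fails if it changed since 'clevis luks bind')"
  tpm2_pcrread sha256:7
}

if [ "${1:-}" = "--live" ]; then
  check_live "$2"
fi
```

With GRUB_ENABLE_CRYPTODISK=y on a LUKS1 volume that also holds /boot, GRUB's own passphrase prompt comes before the initramfs and is not handled by Clevis; the checks above concern the second (initramfs) prompt.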