First step: install tpm2-tss, tpm2-tools and all their dependencies.

```bash
# Install build dependencies
sudo apt-get update && sudo apt-get -y install autoconf autoconf-archive automake libtool pkg-config gcc libssl-dev libcurl4-gnutls-dev doxygen

# Install tpm2-tss
git clone https://github.com/tpm2-software/tpm2-tss.git
cd tpm2-tss
git checkout e05d28ec   # I used this particular commit
./bootstrap
./configure --prefix=/usr
make -j5
sudo make install

# Install tpm2-tools
git clone https://github.com/tpm2-software/tpm2-tools.git
cd tpm2-tools
git checkout 446b4f37   # I used this particular commit
./bootstrap
./configure --prefix=/usr
make -j5
sudo make install
```

Second step: create a secret key and add it to the LUKS header as an extra keyslot. Keep your existing passphrase: it is the fallback when the TPM refuses to unseal.

```bash
# Create a 32-byte random secret, readable by root only (600 is enough; a key file does not need the execute bit)
sudo dd if=/dev/urandom of=/secret.bin bs=32 count=1
sudo chmod 600 /secret.bin
# Add it as an additional key to the LUKS device; cryptsetup asks for an existing passphrase
sudo cryptsetup luksAddKey /dev/sda /secret.bin
```

*Replace `/dev/sda` with your own LUKS device.

Third step: seal the secret key into the TPM, bound to the PCR values of the current boot, and make the sealed object persistent.

```bash
# Enable and clear your TPM in your BIOS first to start with a clean TPM

# Create the primary TPM object (parent of the sealed object)
sudo tpm2_createprimary -c primary.ctx

# Create a PCR policy against PCRs 0-7 (firmware, firmware config, option ROMs, boot manager, Secure Boot state).
# This uses the SHA-1 bank; if your TPM has a SHA-256 bank, use sha256:0,1,2,3,4,5,6,7 here and in every later command.
sudo tpm2_createpolicy --policy-pcr -l sha1:0,1,2,3,4,5,6,7 -L policy.digest

# Seal /secret.bin into a TPM object that can only be unsealed when the policy is satisfied.
# adminwithpolicy and the absence of userwithauth mean the object's auth value cannot be used instead of the PCR policy;
# fixedtpm|fixedparent mean it can never be duplicated out of this TPM.
sudo tpm2_create -C primary.ctx -u obj.pub -r obj.priv -L policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /secret.bin

# Flush transient handles (making some room in the TPM's memory)
sudo tpm2_flushcontext -t

# Load the object into the TPM
sudo tpm2_load -C primary.ctx -u obj.pub -r obj.priv -c load.ctx

# Make the object persistent; with no handle given, the first free persistent handle is used (usually 0x81000000)
sudo tpm2_evictcontrol -c load.ctx

# Flush transient handles
sudo tpm2_flushcontext -t

# List persistent handles and note the handle of the sealed object
sudo tpm2_getcap handles-persistent

# Bonus commands:
# To unseal the object (prints the secret to stdout) use:
sudo tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,2,3,4,5,6,7
# To remove the object use:
sudo tpm2_evictcontrol -c 0x81000000
# The handle 0x81000000 was given by the `tpm2_getcap handles-persistent` command
```

Once the object is persistent, the secret lives in the TPM and in the LUKS keyslot, so the copy at /secret.bin is no longer needed; delete it (for example with `shred -u`) and keep the LUKS passphrase as the fallback.

Two things to keep in mind about this policy. First, a firmware or bootloader update changes PCRs 0-7: the unseal then fails, the keyscript below falls back to the passphrase, and you have to re-seal (remove the object with `tpm2_evictcontrol -c 0x81000000`, repeat the createpolicy/create/load/evictcontrol commands above, and rebuild the initramfs). Second, PCRs 0-7 do not cover the kernel or the initramfs that runs the unseal script; a bootloader with TPM support measures those into PCRs 8 and 9. Someone who can write to the unencrypted /boot can therefore replace the initramfs with one that prints the unsealed key while PCRs 0-7 stay unchanged. Adding PCRs 8 and 9 to the policy closes that gap, at the cost of re-sealing after every kernel or initramfs update.

Fourth step: add the unseal script: /sbin/getsecret.sh

```bash
#!/bin/sh
# A crypttab keyscript must print the key on stdout and nothing else,
# so all messages go to stderr.
echo "Unlocking via TPM" >&2
export TPM2TOOLS_TCTI="device:/dev/tpm0"
# tpm2_unseal writes the sealed secret to stdout; cryptsetup reads it from there
/sbin/tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,2,3,4,5,6,7
if [ $? -eq 0 ]; then
    exit
fi
# PCRs did not match (or the TPM is unavailable): fall back to asking for the passphrase
/lib/cryptsetup/askpass "Unlocking the disk fallback $CRYPTTAB_SOURCE ($CRYPTTAB_NAME)\nEnter passphrase: "
```

Fifth step: make a backup of the current initramfs.

```bash
sudo cp /boot/initrd.img-$(uname -r) /boot/initrd.img-$(uname -r).orig
```

Sixth step: add a TPM hook to initramfs-tools: /etc/initramfs-tools/hooks/tpm2

```bash
#!/bin/sh
PREREQ="lvm"
prereqs() {
    echo "$PREREQ"
}
case $1 in
    prereqs)
        prereqs
        exit 0
        ;;
esac

. /usr/share/initramfs-tools/hook-functions
# Begin real processing below this line

# Copy the tool that unseals the secret (copy_exec also pulls in the libraries it links against),
# the TCTI library it talks to /dev/tpm0 with, and the keyscript.
copy_exec /usr/bin/tpm2_unseal /sbin/
# If your tpm2-tools build dlopen()s the TCTI instead of linking it, dlopen searches the library
# directories, not /sbin; if unseal fails in the initramfs with a TCTI loading error, copy it to /usr/lib/ as well.
copy_exec /usr/lib/libtss2-tcti-device.so /sbin/
copy_exec /sbin/getsecret.sh /sbin
# If /dev/tpm0 does not appear in the initramfs, add the TPM driver too, e.g. manual_add_modules tpm_tis
```

Seventh step: make the script and the hook executable.

```bash
sudo chmod +x /sbin/getsecret.sh
sudo chmod +x /etc/initramfs-tools/hooks/tpm2
```

Eighth step: modify /etc/crypttab by adding the keyscript.

```bash
sda_crypt UUID= none luks,keyscript=/sbin/getsecret.sh
```

*Replace `sda_crypt` and the UUID with your own values (`blkid` on the LUKS partition prints the UUID).

Ninth step: update the initramfs:

```bash
sudo update-initramfs -u
```

That's all.
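The policy digest that `tpm2_createpolicy --policy-pcr` writes to policy.digest in the third step is a deterministic function of the selected PCR values, so you can compute it yourself from PCR values read earlier (with `tpm2_pcrread`, or `tpm2_pcrlist` in older tpm2-tools) and tell, without rebooting, whether a firmware or bootloader update will break the unseal and force a re-seal. The following Python is an added example, not code from the tutorial or from tpm2-tools: it marshals the PCR selection as a TPML_PCR_SELECTION and applies the TPM2_PolicyPCR update rule from the TPM 2.0 specification. It assumes a sha256 policy hash (tpm2_createpolicy's default) and a 3-byte pcrSelect (a 24-PCR TPM); the sample PCR values are constructed, not read from a TPM.

```python
"""
Reproduce the PCR policy digest that tpm2_createpolicy --policy-pcr computes.

Added example (not from the original tutorial). TPM2_PolicyPCR extends the
policy digest as

    policyDigest_new = H(policyDigest_old || TPM_CC_PolicyPCR || pcrs || digestTPM)

starting from an all-zero digest, where pcrs is the marshaled TPML_PCR_SELECTION
and digestTPM is H over the selected PCR values in index order.
Assumptions: sha256 policy hash (tpm2_createpolicy default), 3-byte pcrSelect.
"""
import hashlib
import struct

TPM_CC_POLICY_PCR = 0x0000017F                  # TPM 2.0 Part 2 command code
TPM_ALG = {"sha1": 0x0004, "sha256": 0x000B}    # TPM_ALG_ID of the PCR bank
DIGEST_LEN = {"sha1": 20, "sha256": 32}         # PCR value length per bank
PCR_SELECT_BYTES = 3                            # sizeofSelect for a 24-PCR TPM


def pcr_selection(bank: str, pcrs) -> bytes:
    """Marshal a single-bank TPML_PCR_SELECTION: count, hashAlg, sizeofSelect, bitmap."""
    bitmap = bytearray(PCR_SELECT_BYTES)
    for i in pcrs:
        if not 0 <= i < 8 * PCR_SELECT_BYTES:
            raise ValueError(f"PCR index out of range: {i}")
        bitmap[i // 8] |= 1 << (i % 8)          # PCR i -> bit (i % 8) of byte (i // 8)
    return struct.pack(">IHB", 1, TPM_ALG[bank], PCR_SELECT_BYTES) + bytes(bitmap)


def policy_pcr_digest(bank: str, pcr_values: dict, policy_alg: str = "sha256") -> bytes:
    """Policy digest after TPM2_PolicyPCR on a fresh trial session.

    pcr_values maps PCR index -> raw PCR value from the given bank.
    """
    def h(data: bytes) -> bytes:
        return hashlib.new(policy_alg, data).digest()

    pcrs = sorted(pcr_values)                   # the TPM hashes PCRs in index order
    for i in pcrs:
        if len(pcr_values[i]) != DIGEST_LEN[bank]:
            raise ValueError(f"PCR {i}: expected {DIGEST_LEN[bank]} bytes for {bank}")
    digest_tpm = h(b"".join(pcr_values[i] for i in pcrs))
    start = bytes(hashlib.new(policy_alg).digest_size)     # a new session starts at zero
    return h(start + struct.pack(">I", TPM_CC_POLICY_PCR)
             + pcr_selection(bank, pcrs) + digest_tpm)


def reseal_needed(bank: str, sealed_policy: bytes, current_pcrs: dict,
                  policy_alg: str = "sha256") -> bool:
    """True when the current PCR values no longer produce the policy the object was sealed to."""
    return policy_pcr_digest(bank, current_pcrs, policy_alg) != sealed_policy


# Constructed sample PCR values for the sha1 bank (not read from a real TPM).
SAMPLE_PCRS = {i: hashlib.sha1(f"pcr{i}".encode()).digest() for i in range(8)}

if __name__ == "__main__":
    sealed = policy_pcr_digest("sha1", SAMPLE_PCRS)
    print("policy digest at seal time:", sealed.hex())
    # A firmware update changes PCR 0 (firmware code): the sealed policy no longer matches.
    after_update = {**SAMPLE_PCRS, 0: hashlib.sha1(b"new firmware").digest()}
    print("reseal needed after firmware update:", reseal_needed("sha1", sealed, after_update))
```

On the real machine, feed the eight PCR values from `tpm2_pcrread sha1:0,1,2,3,4,5,6,7` into `policy_pcr_digest("sha1", ...)` and compare the hex with `xxd -p policy.digest`; they match when the tool's policy hash is the default sha256. Keeping the digest from seal time lets a pre-reboot check after an update tell you whether the unseal script will fall back to the passphrase.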