diff --git a/pkg/lib/lock.go b/pkg/lib/lock.go
index c96ff36..7953c98 100644
--- a/pkg/lib/lock.go
+++ b/pkg/lib/lock.go
@@ -89,7 +89,8 @@ func Luksify(label, version string, tpm bool) (string, error) {
 // Files are generated by systemd automatically and are extracted from the UKI binary directly
 // public pem cert -> .pcrpkey section fo the elf file
 // signatures -> .pcrsig section of the elf file
- args := []string{"--tpm2-public-key=/run/systemd/tpm2-pcr-public-key.pem", "--tpm2-signature=/run/systemd/tpm2-pcr-signature.json", "--tpm2-device=auto", part}
+ // leave --tpm2-pcrs= to an empty value so it doesnt bind to a single measure
+ args := []string{"--tpm2-public-key=/run/systemd/tpm2-pcr-public-key.pem", "--tpm2-public-key-pcrs=11", "--tpm2-pcrs=", "--tpm2-signature=/run/systemd/tpm2-pcr-signature.json", "--tpm2-device-key=/run/systemd/tpm2-srk-public-key.tpm2b_public", part}
 cmd := exec.Command("systemd-cryptenroll", args...)
 cmd.Env = append(cmd.Env, fmt.Sprintf("PASSWORD=%s", pass)) // cannot pass it via stdin
 cmd.Stdout = os.Stdout
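Review bot: The added comment understates what the empty `--tpm2-pcrs=` does: it drops any direct PCR binding, so after this change the enrollment is protected only by the signed policy over PCR 11 (`--tpm2-public-key-pcrs=11`), and nothing else about the boot state is measured into the unlock condition; that is a deliberate trust decision and the comment should say so, e.g. `// --tpm2-pcrs= is intentionally empty: the key is bound only to the signed PCR 11 policy (UKI measurements), not to a fixed PCR value, so a signed UKI update still unlocks` (and "doesnt" should be "doesn't"). Switching from `--tpm2-device=auto` to `--tpm2-device-key=/run/systemd/tpm2-srk-public-key.tpm2b_public` appears to enrol against the exported SRK public key rather than the live TPM, so a mismatch between that file and the actual TPM would presumably surface only at first unlock rather than at enrolment; a one-line comment stating this is offline enrolment and why it is acceptable here would help the next reader. None of the four `/run/systemd/...` inputs are checked for existence before `exec.Command`, so on a system where systemd did not emit them the failure is just the tool's exit status; whether that is handled is outside this hunk, since Luksify continues beyond it.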