diff --git a/README.md b/README.md
new file mode 100644
index 0000000..f7ba0c1
--- /dev/null
+++ b/README.md
@@ -0,0 +1,25 @@
+# Fabian's Dotfiles
+
+## System Setup
+
+🐈‍⬛
+
+### Secure Boot & TPM Disk Unlock
+
+See [lanzaboote documentation](https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md) for more information on how to enable secure boot.
+
+1. Create secure boot keys before switching to the system configuration: `sudo sbctl create-keys`
+1. After applying the system configuration, verify signatures: `sudo sbctl verify`
+ - `/boot/EFI/nixos/kernel*.efi` is not supposed to be signed.
+1. Activate enrollment of new Secure Boot key in the UEFI: `systemctl reboot --firmware-setup`
+ - Depends on vendor, see [lanzaboote docs](https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md#part-2-enabling-secure-boot)
+1. Boot linux, run `sudo sbctl enroll-keys --microsoft`
+ - Keeps microsoft keys - some vendor firmware and Windows dual boot require this.
+1. Activate secure boot: `systemctl reboot --firmware-setup`
+1. Boot your system and verify that a secure boot worked with: `bootctl status`
+1. After enabling secure boot, enroll the boot PCR measurement based LUKS unlock: `dotfiles-enroll-tpm`
+ - [See source for details](./packages/dotfiles-enroll-tpm).
+
+- With `nixos-rebuild {switch|boot}`, new EFI files will be automatically signed.
+- In case your firmware or boot process changes, you need to insert the luks password manually.
+ - After a successful boot, you can re-enroll with `dotfiles-enroll-tpm`.
diff --git a/flake.nix b/flake.nix
index 693569f..45b6347 100644
--- a/flake.nix
+++ b/flake.nix
@@ -107,7 +107,9 @@
 )
 self.nixosConfigurations;
 };
- devShells.default = pkgs.mkShell {
+ packages.dotfiles-enroll-tpm = pkgs.callPackage ./packages/dotfiles-enroll-tpm { inherit self; };
+
+ devShells.default = pkgs.mkShellNoCC {
 name = "nix-config-default-shell";
 packages = lib.attrValues {
 inherit (pkgs)
@@ -119,6 +121,7 @@
 ssh-to-age
 nixd
 ;
+ inherit (self'.packages) dotfiles-enroll-tpm;
 };
 shellHook = ''
 ${config.pre-commit.installationScript}
diff --git a/packages/dotfiles-enroll-tpm/default.nix b/packages/dotfiles-enroll-tpm/default.nix
new file mode 100644
index 0000000..ed7985a
--- /dev/null
+++ b/packages/dotfiles-enroll-tpm/default.nix
@@ -0,0 +1,27 @@
+{
+ writeShellApplication,
+ systemd,
+ nix,
+ self,
+}:
+writeShellApplication {
+ name = "dotfiles-enroll-tpm";
+ meta.description = ''
+ Enroll TPM PCR registers to unlock luks disk.
+
+ Uses the following registers for measured boot:
+ - PCR 0: Core system firmware executable code
+ - PCR 2: Extended or pluggable executable code
+ - PCR 7: SecureBoot state
+ - PCR 12: Kernel command line, system credentials and system configuration images
+ '';
+ runtimeInputs = [
+ systemd
+ nix
+ ];
+ text = ''
+ LUKS_DEVICE="$(nix eval --raw "${self}#nixosConfigurations.$HOSTNAME.config.disko.devices.mdadm.raid_system.content.device")"
+ echo -en "Determined disko configured LUKS device at $LUKS_DEVICE.\nWould you like to continue? [ENTER]" && read -r
+ /run/wrappers/bin/sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+7+12 --wipe-slot=tpm2 "$LUKS_DEVICE"
+ '';
+}
diff --git a/setup.md b/setup.md
deleted file mode 100644
index 0c8dc14..0000000
--- a/setup.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# Setup
-
-See https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md for instructions on how to enroll lanzaboote secure boot.
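Review bot: The `systemd-cryptenroll` call at the end of the `text` block binds the LUKS key to PCRs 0+2+7+12 without `--tpm2-with-pin=yes`, so anyone who powers on the unmodified machine gets the volume unlocked automatically and confidentiality at rest reduces to the strength of the initrd and the login screen; adding `--tpm2-with-pin=yes` keeps a second factor against an attacker with physical access, and the README step should mention the PIN prompt if it is added. The prompt on the line before it is not really a confirmation: `read -r` only fills `REPLY` and the script never checks it, so typing `n` still wipes the existing TPM2 slot and re-enrolls — replace it with `read -r -p "Determined disko configured LUKS device at $LUKS_DEVICE. Continue? [y/N] " answer` followed by `[[ "$answer" == [yY] ]] || exit 1`. The PCR 12 binding presumably covers the NixOS `init=/nix/store/...` kernel parameter, in which case every generation that changes the system closure would invalidate the policy and force a passphrase entry plus re-enrollment; if that is the intended trade-off, `meta.description` should say so rather than only listing the registers.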