The correct reference isn't always the last one #8

@evaporatingtime


I'm not entirely sure how it came about, but on the last system I deployed this to there were 2 handles returned by tpm2_getcap handles-persistent that were left over from some previous configuration which both had higher numbers than the one that was created immediately before by the tpm2PolicyConfig script.

I.e. I had handles along the lines of 0x82000001, 0x82000002 from a previous configuration; but tpm2PolicyConfig was creating handles along the lines of 0x80000001, 0x800000002, etc.

This meant that the following line was not getting the correct handle, since it assumes that we need the last line of output, and hence the passphrase-from-tpm script was filled in incorrectly.
REFERENCE=$(tpm2_getcap handles-persistent | grep -Po "[0][x][A-Za-z0-9]+" | tail -1)

I think it would be better to grab the correct handle from the output of tpm2_create (I think... Sorry, I don't have access to this PC as I write this. It could be one of the other commands, but it's definitely being printed) to avoid this scenario.
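
An added example, not part of the original issue or the project's code: one way to avoid depending on listing order is to snapshot the persistent handles before and after the key is persisted and accept only a single new entry. The function names, the sample listings (built from the handle values quoted above) and the "- 0x..." line layout are assumptions.

```shell
#!/bin/sh
# Constructed sample listings using the handle values quoted in the issue;
# the "- 0x..." one-entry-per-line layout is assumed here.
BEFORE='- 0x82000001
- 0x82000002'
AFTER='- 0x80000001
- 0x82000001
- 0x82000002'

# Extract the handle values from a listing, one per line, sorted for comm(1).
handles() {
    printf '%s\n' "$1" | grep -Eo '0x[0-9A-Fa-f]+' | sort -u
}

# The current selection: whatever handle happens to be listed last.
last_handle() {
    handles "$1" | tail -1
}

# Print the one handle present in listing $2 but absent from listing $1.
# Fails if zero or several new handles appeared, so an ambiguous value is
# never written into the unlock script.
new_handle() {
    tmp_b=$(mktemp) && tmp_a=$(mktemp) || return 2
    handles "$1" > "$tmp_b"
    handles "$2" > "$tmp_a"
    new=$(comm -13 "$tmp_b" "$tmp_a")
    rm -f "$tmp_b" "$tmp_a"
    count=$(printf '%s' "$new" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly 1 new persistent handle, found $count" >&2
        return 1
    fi
    printf '%s\n' "$new"
}

# Hypothetical use in the setup script:
#   BEFORE=$(tpm2_getcap handles-persistent)
#   ... commands that create and persist the key ...
#   AFTER=$(tpm2_getcap handles-persistent)
#   REFERENCE=$(new_handle "$BEFORE" "$AFTER") || exit 1

echo "tail -1 picks: $(last_handle "$AFTER")"
echo "diff picks:    $(new_handle "$BEFORE" "$AFTER")"
```

Failing when the difference is not exactly one handle keeps a stale or unrelated key reference from being written into the passphrase-from-tpm script.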
