diff --git a/_posts/2026-01-25-archlinux-uefi-lvm-on-luks-with-selinux-installation-guide.md b/_posts/2026-01-25-archlinux-uefi-lvm-on-luks-with-selinux-installation-guide.md index 0d9b42f..e12fb65 100644 --- a/_posts/2026-01-25-archlinux-uefi-lvm-on-luks-with-selinux-installation-guide.md +++ b/_posts/2026-01-25-archlinux-uefi-lvm-on-luks-with-selinux-installation-guide.md @@ -241,7 +241,16 @@ sbctl create-keys sbctl enroll-keys -m ``` -If you also want to enroll hardware security keys, use [systemd-cryptenroll](https://wiki.archlinux.org/title/Systemd-cryptenroll) +##### linking TPM and LUKS key + +Without this step, the computer is still vulnerable to evild maid attacks and a software keylogger could be installed by disabling the secure boot (clear CMOS for example). To make sure the encrypted device is linked to the TPM, we need to run the following command: + +```bash +systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/vda2 +``` + +[systemd-cryptenroll](https://wiki.archlinux.org/title/Systemd-cryptenroll) also support hardware security keys like FIDO2 tokens, in this case you can refer to the archwiki for the command syntax. +systemd-boot is also the recommended option instead of using grub when linking the TPM and LUKS key, you can then only have a PIN and also be protected in more scenarios. #### 2.2.5) opional packages
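Review bot: the claim that this step alone removes the evil-maid exposure is overstated, and the placement of the enrollment is wrong. As written, `systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/vda2` releases the volume key automatically whenever the measured firmware (PCR 0) and Secure Boot state (PCR 7) match, so a stolen machine still boots unattended to the login prompt; since the paragraph already names a PIN as the goal, add `--tpm2-with-pin=yes` to the command or say explicitly that the PIN is an optional extra and what it protects against. The step also sits directly after `sbctl enroll-keys -m`: PCR 7 reflects the enrolled Secure Boot keys and the Secure Boot on/off state, so running the enrollment before rebooting with Secure Boot enabled records PCR values that will not match on the next boot, and the reader ends up at the passphrase prompt every time. Two caveats belong next to the command: PCR 0 changes with every firmware update, which silently breaks TPM unlock, so keep the passphrase slot (or enroll a `--recovery-key`) and state that; and TPM unlock only works from a systemd-based initramfs (the `sd-encrypt` hook together with `tpm2-device=auto` in `rd.luks.options` or `/etc/crypttab.initramfs`), which should be referenced here if the guide configures it elsewhere. Minor: "evild maid" should be "evil maid", "also support" should be "also supports", and `/dev/vda2` should match the LUKS partition used in the rest of the guide rather than a VM-specific device name.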