diff --git a/confluent_osdeploy/suse15-diskless/initramfs/lib/dracut/hooks/cmdline/10-confluentdiskless.sh b/confluent_osdeploy/suse15-diskless/initramfs/lib/dracut/hooks/cmdline/10-confluentdiskless.sh
index 85549139..d8a464af 100644
--- a/confluent_osdeploy/suse15-diskless/initramfs/lib/dracut/hooks/cmdline/10-confluentdiskless.sh
+++ b/confluent_osdeploy/suse15-diskless/initramfs/lib/dracut/hooks/cmdline/10-confluentdiskless.sh
@@ -65,28 +65,39 @@ fi
 needseal=1
 oldumask=$(umask)
 umask 0077
+for hdl in $(tpm2_getcap handles-persistent|awk '{print $2}'); do
+ unsealeddata=$(tpm2_unseal -Q -c $hdl)
+ if [[ $unsealeddata == "CONFLUENT_APIKEY:"* ]]; then
+ confluent_apikey=${unsealeddata#CONFLUENT_APIKEY:}
+ fi
+done
+needseal=0
 while [ -z "$confluent_apikey" ]; do
 /opt/confluent/bin/clortho $nodename $confluent_mgr > /etc/confluent/confluent.apikey
 if grep ^SEALED: /etc/confluent/confluent.apikey > /dev/null; then
- needseal=0
- sed -e s/^SEALED:// /etc/confluent/confluent.apikey | clevis-decrypt-tpm2 > /etc/confluent/confluent.apikey.decrypt
- mv /etc/confluent/confluent.apikey.decrypt /etc/confluent/confluent.apikey
+ # we don't support remote sealed api keys
+ echo > /etc/confluent/confluent.apikey
 fi
 confluent_apikey=$(cat /etc/confluent/confluent.apikey)
 if [ -z "$confluent_apikey" ]; then
- echo "Unable to acquire node api key, no TPM2 sealed nor fresh token available, retrying..."
+ echo "Unable to acquire node api key, set deployment.apiarmed=once on node '$nodename', retrying..."
 sleep 10
 fi
+ needseal=1
 done
 if [[ $confluent_mgr == *:* ]]; then
 confluent_mgr="[$confluent_mgr]"
 fi
-#if [ $needseal == 1 ]; then
-# sealed=$(echo $confluent_apikey | clevis-encrypt-tpm2 {})
-# if [ ! -z "$sealed" ]; then
-# curl -sf -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $confluent_apikey" -d $sealed https://$confluent_mgr/confluent-api/self/saveapikey
-# fi
-#fi
+if [ $needseal == 1 ]; then
+ tmpdir=$(mktemp -d)
+ cd $tmpdir
+ tpm2_createprimary -G ecc -Q --key-context=prim.ctx
+ (echo -n "CONFLUENT_APIKEY:";cat /etc/confluent/confluent.apikey) | tpm2_create -Q --public=data.pub --private=data.priv -i - -C prim.ctx
+ tpm2_load -Q --parent-context=prim.ctx --public=data.pub --private=data.priv --name=confluent.apikey --key-context=data.ctx
+ tpm2_evictcontrol -Q -c data.ctx
+ cd -
+ rm -rf $tmpdir
+fi
 curl -sf -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $confluent_apikey" https://$confluent_mgr/confluent-api/self/deploycfg > /etc/confluent/confluent.deploycfg
 umask $oldumask
 autoconfigmethod=$(grep ipv4_method /etc/confluent/confluent.deploycfg |awk '{print $2}')
diff --git a/imgutil/suse15/dracut/install b/imgutil/suse15/dracut/install
index d6136148..daefcf41 100644
--- a/imgutil/suse15/dracut/install
+++ b/imgutil/suse15/dracut/install
@@ -1,6 +1,6 @@
 dracut_install /usr/bin/mktemp
 dracut_install /usr/lib64/libtss2-tcti-device.so.*
-dracut_install /usr/bin/tpm2_create /usr/bin/tpm2_pcrread /usr/bin/tpm2_createpolicy /usr/bin/tpm2_createprimary /usr/bin/tpm2_load /usr/bin/tpm2_unseal
+dracut_install /usr/bin/tpm2_create /usr/bin/tpm2_pcrread /usr/bin/tpm2_createpolicy /usr/bin/tpm2_createprimary /usr/bin/tpm2_load /usr/bin/tpm2_unseal /usr/bin/tpm2_getcap /usr/bin/tpm2_evictcontrol
 dracut_install curl openssl tar cpio gzip lsmod ethtool xz lsmod ethtool
 dracut_install modprobe touch echo cut wc bash uniq grep ip hostname
 dracut_install awk egrep dirname expr sort
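Review bot: The new `if [ $needseal == 1 ]` block persists a fresh sealed object with `tpm2_evictcontrol -Q -c data.ctx` but never evicts the earlier ones, so after a re-arm the persistent-handle loop at the top of the hunk can unseal several `CONFLUENT_APIKEY:` objects and keeps whichever enumerates last — plausibly a superseded key — while the TPM's limited persistent slots are consumed one per re-seal until tpm2_evictcontrol itself starts failing. With a stale key selected, the later `curl -sf ... deploycfg` line presumably fails silently and leaves an empty deploycfg with nothing printed to the console. Evicting existing matches before sealing the new key keeps one object per node; see below. `tpm2_create` is given no auth value or policy, so the key is bound to this TPM but not to PCR/boot state; if that is the intended trust model, a comment such as `# not PCR-bound: unsealable by any local caller with access to this TPM` documents the decision for the next reader. Separately, `$hdl`, `cd $tmpdir` and `rm -rf $tmpdir` should be quoted, and `cd -` prints the directory to stdout, which `cd - >/dev/null` avoids.
```shell
if [ $needseal == 1 ]; then
    # drop previously persisted copies so only the current key remains
    for hdl in $(tpm2_getcap handles-persistent|awk '{print $2}'); do
        if [[ $(tpm2_unseal -Q -c "$hdl") == "CONFLUENT_APIKEY:"* ]]; then
            tpm2_evictcontrol -Q -c "$hdl"
        fi
    done
    tmpdir=$(mktemp -d)
    # … unchanged: createprimary / create / load / evictcontrol of the new key …
fi
```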