diff --git a/roles/configuration/tasks/encryption.yml b/roles/configuration/tasks/encryption.yml
index 6226cd0..ceb5f5c 100644
--- a/roles/configuration/tasks/encryption.yml
+++ b/roles/configuration/tasks/encryption.yml
@@ -8,7 +8,7 @@
 block:
 - name: Set LUKS configuration facts
 vars:
- luks_tpm2_pcrs: >-
+ _raw_pcrs: >-
 {{
 (
 system_cfg.luks.tpm2.pcrs
@@ -20,6 +20,12 @@
 | regex_replace('\\s+', '')
 | regex_replace('^\\+|\\+$', '')
 }}
+ luks_tpm2_pcrs: >-
+ {{
+ _raw_pcrs
+ if _raw_pcrs | length > 0
+ else ('7' if (system_cfg.features.secure_boot.enabled | bool) else '')
+ }}
 ansible.builtin.set_fact:
 configuration_luks_mapper_name: "{{ system_cfg.luks.mapper }}"
 configuration_luks_uuid: "{{ partitioning_luks_uuid | default('') }}"
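Review bot: The new `luks_tpm2_pcrs` fallback in the second hunk resolves to `''` when no PCRs are configured and `system_cfg.features.secure_boot.enabled` is false, and nothing here makes that case visible. How the empty value is consumed is outside this diff, but if it reaches the TPM2 enrolment unchanged the volume key would presumably be sealed without any PCR policy, so I would add a comment above the var such as `# Empty means no PCR binding; PCR 7 is only defaulted when Secure Boot is enabled in system_cfg`, or fail the task when TPM2 unlock is requested with an empty PCR list. The default also keys off the configured flag rather than the firmware's actual Secure Boot state, which deserves a short note as well. If `features.secure_boot` can be absent from `system_cfg`, the lookup should be guarded as `(system_cfg.features.secure_boot.enabled | default(false) | bool)`. The task's `vars:` block starts before this hunk and `set_fact` continues past it.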