diff --git a/rust/agama-lib/share/examples/storage/encryption.json b/rust/agama-lib/share/examples/storage/encryption.json
new file mode 100644
index 000000000..96053d41e
--- /dev/null
+++ b/rust/agama-lib/share/examples/storage/encryption.json
@@ -0,0 +1,53 @@
+{
+  "storage": {
+    "drives": [
+      {
+        "encryption": {
+          "luks1": {
+            "password": "12345",
+            "cipher": "aes-xts-plain64",
+            "keySize": 512
+          }
+        }
+      },
+      {
+        "partitions": [
+          {
+            "encryption": {
+              "luks2": {
+                "password": "12345",
+                "cipher": "aes-xts-plain64",
+                "keySize": 512,
+                "pbkdFunction": "argon2i",
+                "label": "data"
+              }
+            }
+          },
+          {
+            "encryption": {
+              "pervasiveLuks2": {
+                "password": "12345"
+              }
+            }
+          },
+          {
+            "encryption": {
+              "tpmFde": {
+                "password": "12345"
+              }
+            }
+          },
+          {
+            "encryption": "protected_swap"
+          },
+          {
+            "encryption": "secure_swap"
+          },
+          {
+            "encryption": "random_swap"
+          }
+        ]
+      }
+    ]
+  }
+}
diff --git a/rust/agama-lib/share/profile.schema.json b/rust/agama-lib/share/profile.schema.json
index 674cd50f5..ca63c282c 100644
--- a/rust/agama-lib/share/profile.schema.json
+++ b/rust/agama-lib/share/profile.schema.json
@@ -1180,6 +1180,24 @@
         }
       }
     },
+    "encryptionTPM": {
+      "title": "TPM-Based Full Disk Encrytion",
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["tpmFde"],
+      "properties": {
+        "tpmFde": {
+          "type": "object",
+          "additionalProperties": false,
+          "required": ["password"],
+          "properties": {
+            "password": {
+              "$ref": "#/$defs/encryptionPassword"
+            }
+          }
+        }
+      }
+    },
     "encryptionSwap": {
       "title": "Swap encryptions",
       "enum": ["protected_swap", "secure_swap", "random_swap"]
@@ -1189,6 +1207,7 @@
         { "$ref": "#/$defs/encryptionLUKS1" },
         { "$ref": "#/$defs/encryptionLUKS2" },
         { "$ref": "#/$defs/encryptionPervasiveLUKS2" },
+        { "$ref": "#/$defs/encryptionTPM" },
         { "$ref": "#/$defs/encryptionSwap" }
       ]
     },
@@ -1229,6 +1248,11 @@
                   "title": "Btrfs snapshots",
                   "description": "Whether to configrue Btrfs snapshots.",
                   "type": "boolean"
+                },
+                "readOnly": {
+                  "title": "Btrfs read only",
+                  "description": "Whether to configrue Btrfs as read only.",
+                  "type": "boolean"
                 }
               }
             }