th3raid0r@programming.dev to linux4noobs@programming.dev • after 4 years of Linux I'm still lost..
4 months ago
Yeah, no kidding. The same systemd that enables the very things OP is trying to enable…
systemd-boot + sbctl + systemd-cryptenroll and voila. TPM-backed disk encryption with a PIN or FIDO2 token.
AFAIK this should be doable in Ubuntu, it just requires some command-line-fu.
Last I heard the Fedora installer was aiming to better support this type of thing - not so sure about Ubuntu.
Sure, but IIRC, they’d still need my PIN (for TPM+PIN through cryptenroll). I don’t think it’s possible to do TPM-backed encryption without a PIN on Linux.
EDIT: Oh wait, you can… Why anyone would is beyond me though.
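
The comments above contrast TPM+PIN enrollment with a TPM enrollment that needs no PIN. As an added example (not part of the thread), this sketch audits LUKS2 metadata for `systemd-tpm2` tokens enrolled without a PIN. It assumes input shaped like `cryptsetup luksDump --dump-json-metadata <device>` and the `tpm2-pin` / `tpm2-pcrs` token fields written by systemd-cryptenroll; the sample metadata is constructed.

```python
import json

# Constructed sample of LUKS2 JSON metadata, shaped like the output of
# `cryptsetup luksDump --dump-json-metadata <device>` (values are placeholders).
SAMPLE_METADATA = json.dumps({
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}, "2": {"type": "luks2"}},
    "tokens": {
        "0": {"type": "systemd-tpm2", "keyslots": ["1"],
              "tpm2-pcrs": [7], "tpm2-pin": True},
        "1": {"type": "systemd-tpm2", "keyslots": ["2"],
              "tpm2-pcrs": [7], "tpm2-pin": False},
    },
})

def audit_tpm2_tokens(metadata_json):
    """Return one finding dict per systemd-tpm2 token in the LUKS2 metadata."""
    meta = json.loads(metadata_json)
    findings = []
    for token_id, token in sorted(meta.get("tokens", {}).items()):
        if token.get("type") != "systemd-tpm2":
            continue  # FIDO2, recovery-key and other token types are out of scope
        # Assumption: an enrollment with no "tpm2-pin" key is treated as PIN-less.
        has_pin = bool(token.get("tpm2-pin", False))
        findings.append({
            "token": token_id,
            "keyslots": token.get("keyslots", []),
            "pcrs": token.get("tpm2-pcrs", []),
            "pin": has_pin,
        })
    return findings

def pinless_keyslots(metadata_json):
    """Keyslots the TPM will release with no user-supplied secret."""
    slots = []
    for finding in audit_tpm2_tokens(metadata_json):
        if not finding["pin"]:
            slots.extend(finding["keyslots"])
    return sorted(slots)

if __name__ == "__main__":
    for f in audit_tpm2_tokens(SAMPLE_METADATA):
        status = "PIN required" if f["pin"] else "unlocks without a PIN"
        print(f"token {f['token']} keyslots={f['keyslots']} pcrs={f['pcrs']}: {status}")
```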