Hi,
I would like to ask if it would be possible to pre-configure, or provide a guide for setting up “automatic” disk encryption, like this:
- GitHub - fox-it/linux-luks-tpm-boot: A guide for setting up LUKS boot with a key from TPM in Linux
- Automatic LUKS volumes unlocking using a TPM2 chip | Blog | Javier Martinez Canillas
The use case of this for me is mainly running a small home server (NitroPC) with full disk encryption, which should reboot automatically if a power failure happens. This is not possible if a password needs to be entered to boot. But still, an intruder should not have access to my disk content if they steal my PC.
As I understand it, this is possible by using a TPM for decrypting the disk. The TPM should check that the BIOS was unmodified, that the boot partition is unmodified (similar to what Nitropad boot verification does) and then execute the decryption inside the TPM.
Unfortunately, all guides on this are very complicated and it’s still not clear whether these guides are “complete” or have considered all necessary edge cases, overlooked something etc… IMO it would be best if this option was transparently preconfigured, like MS Bitlocker.
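To make the checks described in the post concrete, here is an added Python model (not code from the post, from the linked guides or from Nitrokey) of how a TPM seals a LUKS passphrase to PCR values: the key is released only when the measured firmware and boot partition match what was enrolled, and a tampered boot partition or a firmware update both leave the disk locked. The PCR numbers, boot measurements and passphrase are constructed sample values; only the extend rule is the real hash arithmetic, everything else is simplified.

```python
import hashlib

# Simplified, constructed model of TPM measured boot and PCR sealing. A real
# TPM does this in hardware (PCR extend, policy sessions, sealed objects);
# this model only reproduces the hash arithmetic that decides the outcome.
SHA256_ZERO = bytes(32)  # PCRs in a SHA-256 bank start out all-zero

def extend(pcr, measurement):
    """TPM extend rule: new_pcr = SHA-256(old_pcr || SHA-256(measured data))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_boot(chain):
    """Replay a boot chain: each (pcr_index, data) pair extends one PCR in order."""
    pcrs = {}
    for index, data in chain:
        pcrs[index] = extend(pcrs.get(index, SHA256_ZERO), data)
    return pcrs

def policy_digest(pcrs, selected):
    """Digest over the selected PCRs; this is the condition the key is sealed to."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(selected))).digest()

def seal(secret, pcrs, selected):
    """Bind the LUKS passphrase to the current PCR state (model: plaintext blob)."""
    return {"selected": sorted(selected), "policy": policy_digest(pcrs, selected), "secret": secret}

def unseal(blob, pcrs):
    """Release the passphrase only if the PCRs now match the sealed policy."""
    if policy_digest(pcrs, blob["selected"]) != blob["policy"]:
        return None  # a real TPM reports a policy failure here; nothing is released
    return blob["secret"]

# Constructed sample chains: PCR 0 = firmware code, PCR 7 = Secure Boot state,
# PCR 8 = kernel and initrd from the boot partition (real layouts are richer).
GOOD_BOOT = [(0, b"firmware 1.0"), (7, b"secureboot=on"), (8, b"vmlinuz+initrd build 42")]
TAMPERED_BOOT = [(0, b"firmware 1.0"), (7, b"secureboot=on"), (8, b"vmlinuz+initrd evil")]
FIRMWARE_UPDATE = [(0, b"firmware 1.1"), (7, b"secureboot=on"), (8, b"vmlinuz+initrd build 42")]

def run_scenarios(secret=b"luks-passphrase"):
    """Seal at enrolment time, then try to unseal after three different boots."""
    blob = seal(secret, measure_boot(GOOD_BOOT), [0, 7, 8])
    return {
        "unchanged": unseal(blob, measure_boot(GOOD_BOOT)),  # key released: unattended reboot works
        "boot_modified": unseal(blob, measure_boot(TAMPERED_BOOT)),  # None: disk stays locked
        "firmware_updated": unseal(blob, measure_boot(FIRMWARE_UPDATE)),  # None: re-enrol after BIOS updates
    }

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {'unlocked' if result else 'locked'}")
```

The third scenario is the edge case that makes the real guides long: every firmware or bootloader update changes the measured PCRs, so the passphrase has to be re-sealed afterwards or the server will stop at the LUKS prompt on the next reboot.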