Transparent disk encryption using TPM


I would like to ask if it would be possible to pre-configure, or provide a guide for setting up “automatic” disk encryption, like this:

The use case of this for me is mainly running a small home server (NitroPC) with full disk encryption, that should reboot automatically if a power failure happens. This is not possible if a password needs to be entered to boot. But still, an intruder should not have access to my disk content if they steal my PC.

As I understand it, this is possible by using a TPM for decrypting the disk. The TPM should check that the BIOS was unmodified, that the boot partition is unmodified (similar to what Nitropad boot verification does) and then execute the decryption inside the TPM.

Unfortunately, all guides on this are very complicated and it’s still not clear whether these guides are “complete”, have considered all necessary edge cases, have overlooked something, etc. IMO it would be best if this option was transparently preconfigured, like MS Bitlocker.
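The setup described above (disk unlocked by the TPM only while the firmware and Secure Boot state match what was enrolled) can be done with systemd-cryptenroll on a machine that actually has a TPM 2.0. This is an added example, not a guide from Nitrokey or from the thread, and it assumes systemd 248 or newer, a LUKS2 volume at a placeholder device path, and an existing passphrase keyslot that is kept as the recovery path.

```shell
#!/bin/sh
# Added example: seal a LUKS2 keyslot to TPM 2.0 measured-boot state so the
# volume unlocks without a passphrase only when PCR 0 (firmware code) and
# PCR 7 (Secure Boot policy) equal the values at enrollment time.
# Assumptions: systemd >= 248, TPM 2.0 at /dev/tpmrm0, LUKS_DEV is a placeholder.
set -eu

LUKS_DEV="${LUKS_DEV:-/dev/disk/by-uuid/PLACEHOLDER-UUID}"
MAPPER_NAME="${MAPPER_NAME:-cryptroot}"
# Adding PCR 4 (boot loader code) also binds the boot partition contents, but
# then every boot loader update requires re-running enroll_tpm2.
PCRS="${PCRS:-0+7}"

# Returns 0 when a TPM 2.0 character device is present.
tpm2_present() {
  [ -c /dev/tpmrm0 ] || [ -c /dev/tpm0 ]
}

# Builds the /etc/crypttab entry: systemd tries the TPM keyslot first and
# falls back to the passphrase prompt when the PCR policy does not match
# (for example after a BIOS update or a tampered boot chain).
crypttab_line() {
  printf '%s %s none tpm2-device=auto,luks,discard\n' "$1" "$2"
}

# Adds a TPM2-sealed keyslot bound to the given PCRs; the passphrase keyslot
# stays in place so the disk is still recoverable if unsealing fails.
enroll_tpm2() {
  systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$2" "$1"
}

main() {
  tpm2_present || { echo "no TPM 2.0 device found" >&2; exit 1; }
  enroll_tpm2 "$LUKS_DEV" "$PCRS"
  crypttab_line "$MAPPER_NAME" "$LUKS_DEV" >> /etc/crypttab
  # Confirm the systemd-tpm2 token now exists in the LUKS2 header.
  cryptsetup luksDump "$LUKS_DEV" | grep -q 'systemd-tpm2'
}

if [ "${1:-}" = "--run" ]; then
  main
fi
```

After a firmware update the TPM will refuse to unseal and the passphrase prompt appears; re-run the enrollment step once the new PCR values are trusted.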

Hey @ann000,

generally the NitroPC comes without a TPM, so going this way will not lead to a solution.
You could set up LUKS to decrypt with a Nitrokey (Full-Disk Encryption With cryptsetup/LUKS — Nitrokey Documentation), but this will still require you to provide a PIN at boot time.

Hi @ann000,

how did you make your NitroPC restart after a power failure?
I can’t find any way to achieve this.