I have MX Linux setup with LUKS/btrfs and it asks password on boot, I put my key in TPM and modified /etc/crypttab to retrieve it, at least I don’t have to enter it at any boot, but yeah it decrypt automatically, like Windows Bitlocker in fact, it still asks my user password login, but at boot you can break grub and have a root shell it you know how.

Other way is to put the luks key on a USB drive, when you leave home with your computer shutdown, take the USB key with you and that’s it.

The data on disk doesn’t get decrypted at any time. Even if they boot it, they would still need to log in somehow.

There are attacks through DMA or extracting the decryption key from RAM, but those are not going to happen by a casual laptop thief.

BTW, it depends if you have FDE (Full disk Ecryption) or only your /home partition. Having FDE you have no choice to enter a password at boot (initramfs) to decrypt / and putting it in TPM2 may have unsecure problem.

If you only have your /home partition encrypted, then you can use one password to decrypt it and autologin.

The TPM releases the key to the OS at boot time. Without that, there would be no way for the OS to load (assuming the root FS is encrypted).

The key is bound to PCRs in the TPM, which control under what conditions the key can be released. For example, it can be tied to secure boot, bios settings, etc.

I’m assuming the two passwords are the LUKS one and then your login, which you can remove by just configuring your login manager to do auto-login (no attacker will be able to access your data anyway if it’s encrypted, logged in or not).

on my laptop I have tpm to decrypt my drive and I’ve also enabled secure boot and set a bios password, so if someone steals my laptop it’s basically bricked,

secure boots there to prevent any potential tampering if someone were to take the drive out then put it back in

I feel this setup is secure enough for me, if you’ve got some nation state after you, or some guy with a wrench theres probably nothing you can do

The idea behind TPM-locked boot is that you can boot into your system unattended, but it stops booting into any other system. Typically no password is needed, but you can also assign an additional (non-user) password if you want.

This is nice if you trust your system to be basically secure. Nothing else can access its filesystems, so no external tool can be used to break into it. Rescue disks can not access any data without knowing a special rescue key – so make sure to set one up! A nice side effiect is that the key is only available while setting up disks in the initrd and totally inaccessible at any other time. That makes it very hard to extract the password once the system is running.

You can encrypt the home directories of users using other services like systemd-homed. That will prevent anyone from accessing any data in the user’s directory while that user is logged out. Homed will basically use your password to unlock your disk and if that works, then the password is accepted. So you do not need that user to be listed in the traditional /etc/passwd file, which is useful as you can just copy the users homedir image file onto another system to move a user account over.