On 5/17/2025 8:43 AM, Rahul Sandhu wrote:
> Hi,
>
> You may want to look into TPM2-based disk encryption; during normal
> operation it's basically transparent. My servers all have an encrypted
> root partition, and I do not need to enter a password to boot it as the
> decryption keys are stored in the TPM. Take a look at this page[1] for
> information on how to do it with Clevis, however I would recommend the
> usage of systemd-cryptenroll(1) instead for systemd systems[2].

I didn't realize that this had progressed so far. With LUKS you could presumably also set a passphrase in case the PCRs get messed up.

This is basically how most corporate laptops are configured.

--
Rich
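The systemd-cryptenroll setup the thread describes, written out as an added example that is not from either poster: enroll a LUKS2 volume against the TPM2, but only after a plain passphrase slot exists so the volume is still recoverable when a firmware or boot-loader update changes the measured PCRs. The device path is a placeholder and the script defaults to a dry run that only prints the commands it would execute; the command-line and crypttab helpers exist so the exact invocation can be checked before it touches a real disk.

```shell
#!/bin/sh
# Added example (not from the thread): TPM2 enrollment for a LUKS2 volume
# with systemd-cryptenroll, keeping a passphrase slot as the fallback.
# Assumptions: systemd-cryptenroll and cryptsetup are installed, the
# device path below is a placeholder, and the initramfs already has TPM2
# support (distro-specific; not covered here).

# Build the enrollment command as a string so it can be reviewed before
# anything runs against a real device.  $1 = LUKS device, $2 = PCR list.
# PCR 7 (Secure Boot policy) is systemd's default; adding PCR 0 (firmware)
# ties the sealed key to the firmware version, so expect to re-enroll
# after firmware updates if you include it.
tpm2_enroll_cmd() {
    printf 'systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=%s %s' "$2" "$1"
}

# /etc/crypttab entry: systemd-cryptsetup tries the TPM2 first and falls
# back to prompting for a passphrase if unsealing fails (e.g. PCRs changed).
# $1 = mapped name, $2 = LUKS device.
crypttab_line() {
    printf '%s %s none tpm2-device=auto' "$1" "$2"
}

DEV="${LUKS_DEV:-/dev/disk/by-uuid/REPLACE-WITH-LUKS-UUID}"  # placeholder
PCRS="${TPM2_PCRS:-7}"

if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "# would run:"
    tpm2_enroll_cmd "$DEV" "$PCRS"; echo
    echo "# crypttab entry:"
    crypttab_line cryptroot "$DEV"; echo
else
    # 1. Make sure a non-TPM slot exists before relying on the TPM.
    #    Prompts for an existing passphrase, then for the new one.
    systemd-cryptenroll --password "$DEV"
    # 2. Enroll the TPM2, binding the sealed key to the chosen PCRs.
    eval "$(tpm2_enroll_cmd "$DEV" "$PCRS")"
    # 3. Verify: with no options systemd-cryptenroll lists enrolled tokens;
    #    luksDump shows the key slots and the systemd-tpm2 token.
    systemd-cryptenroll "$DEV"
    cryptsetup luksDump "$DEV" | grep -E 'Keyslots|Tokens|systemd-tpm2'
fi
```

Run with `DRY_RUN=0 LUKS_DEV=/dev/... sh enroll.sh` once the printed commands look right; `systemd-cryptenroll --wipe-slot=tpm2` removes the TPM slot again if the volume must be re-enrolled after a PCR change.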
