PSA: If you have a LUKS encrypted system and a TPM2 chip, you can put it to good use
One of the main things that put people off having a LUKS encrypted system is having to input the LUKS password on every boot, even if it brings a lot more safety to your system to do so. So, what if I told you that there's a way to have your encryption cake and eat it too? TPM2 is the answer.
Using it you can have your system automatically decrypted at boot with no need to input your password, without losing the security, since it detects any significant changes to your system and blocks the automatic unlock if it finds them (although I'm not technical enough to explain it properly).
There's a relatively easy way to do so in other distros that use mkinitcpio for building the system's initramfs (I even have an Arch Linux install guide using it), but Fedora uses dracut for the same task, and I couldn't find a way to do so with it. Until now.
Thanks to u/ditto for pointing me to the mailing list page with the steps provided here, and to Ulf Volmer in said mailing list for the step-by-step guide on how to do it.
So, are you ready?
First of all, you need to check if you actually have a TPM2 chip, just to make sure. To do that, run cat /sys/class/tpm/tpm0/device/description or cat /sys/class/tpm/tpm0/tpm_version_major. You'll get a result showing your TPM2 chip if you have one working. So, if you do, time to use it.
After that, run lsblk to make sure which partition houses your LUKS container.
- Run systemd-cryptenroll --tpm2-device=auto /dev/$DEVICE
  where $DEVICE is the partition where your LUKS encryption rests (in my case /dev/sda3).
- After that, edit /etc/crypttab, making it look something like this:
  luks-$UUID UUID=$UUID - tpm2-device=auto,discard
  I'll reference it as (part1) (part2) (part3) (part4) for an easier understanding of the file's contents. The changes you'll make in this case are changing part3 to - and adding tpm2-device=auto to part4.
- After that, make dracut aware of the TPM2 by creating the file /etc/dracut.conf.d/tss2.conf with the following contents:
  install_optional_items+=" /usr/lib64/libtss2* /usr/lib64/libfido2.so.* "
- After that, recreate the initramfs by running sudo dracut -f and reboot your system. If everything went correctly, your system should automatically boot without the need to input your LUKS password.
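As an added example that is not part of the original post or of any of the tools mentioned: a small shell script wrapping the steps above. The helpers that build the crypttab line, read the TPM version and check for the enrolled token take their input as arguments, so they can be tried without root or a TPM; do_enroll is the only part that touches the system, and it assumes a single LUKS2 partition (the post's /dev/sda3 style layout) with cryptsetup and systemd-cryptenroll installed.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the TPM2 + LUKS steps above.
set -eu

# Print the TPM major version from the sysfs file; the path is a parameter so a
# constructed file can stand in for /sys/class/tpm/tpm0/tpm_version_major.
# Prints 0 when no TPM is exposed at all.
tpm_major_version() {
    path="${1:-/sys/class/tpm/tpm0/tpm_version_major}"
    [ -r "$path" ] || { echo 0; return 0; }
    tr -d '[:space:]' < "$path"
}

# Build the crypttab line from the post: field 3 (key file) becomes "-" and
# tpm2-device=auto is prepended to field 4 (options), keeping any existing options.
# Usage: crypttab_tpm2_line NAME SOURCE [KEYFILE] [OPTIONS]
crypttab_tpm2_line() {
    name="$1" src="$2" opts="${4:-}"
    case ",$opts," in
        *,tpm2-device=*) ;;                        # already present, leave options alone
        ",,")            opts="tpm2-device=auto" ;;
        *)               opts="tpm2-device=auto,$opts" ;;
    esac
    printf '%s %s - %s\n' "$name" "$src" "$opts"
}

# Check `cryptsetup luksDump` text on stdin for the systemd-tpm2 token, which is what
# systemd-cryptenroll records in the LUKS2 header once enrollment succeeded.
has_tpm2_token() {
    grep -q '^ *[0-9]*: *systemd-tpm2'
}

# The real steps from the post (needs root, a TPM2 chip and a LUKS2 device).
do_enroll() {
    dev="$1"
    [ "$(tpm_major_version)" = "2" ] || { echo "no TPM2 chip found" >&2; return 1; }
    # Adds a TPM2-bound keyslot next to the passphrase slot, which stays as the fallback.
    # By default the key is sealed against PCR 7 (Secure Boot state); see --tpm2-pcrs
    # in systemd-cryptenroll(1) to bind more of the boot chain.
    systemd-cryptenroll --tpm2-device=auto "$dev"
    uuid="$(cryptsetup luksUUID "$dev")"
    echo "Replace the matching entry in /etc/crypttab with:"
    crypttab_tpm2_line "luks-$uuid" "UUID=$uuid" - discard
    printf 'install_optional_items+=" /usr/lib64/libtss2* /usr/lib64/libfido2.so.* "\n' \
        > /etc/dracut.conf.d/tss2.conf
    dracut -f
    if cryptsetup luksDump "$dev" | has_tpm2_token; then echo "systemd-tpm2 token present, reboot to test"
    else echo "no systemd-tpm2 token in the LUKS header" >&2; return 1; fi
}

if [ "${1:-}" = "enroll" ]; then do_enroll "${2:?usage: $0 enroll /dev/DEVICE}"; fi
```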