Can I disable or store the disk encryption passphrase?

During install of F43 I checked the box to encrypt my mass storage device (NVME). Now during every boot it always asks for the passphrase. This is an annoyance I could live with, but the Bluetooth keyboard is not connected at this stage, so I cannot enter the passphrase.

Can I disable the passphrase?
Can I somehow have F43 (or grub?) store the passphrase?

I don’t have any real secrets here, but I was unaware that disk encryption on F43 works that way and not like something such as BitLocker.

I have never used BitLocker, but I will assume that it uses TPM to store the password (so you don’t need to type it each time you boot your device).

It’s possible to “disable the passphrase” (remove disk encryption) and also store the passphrase securely in TPM.

Although it is technically possible to remove LUKS encryption from a disk using cryptsetup, this is a dangerous operation. It may be easier to simply reinstall without LUKS encryption.

If you want to keep your disk encrypted but don’t want to have to type your passphrase all the time, then you can use systemd-cryptenroll.

Please see: Trusted Platform Module - ArchWiki

Thanks

I was able to set the key for one of the two NVMe devices in the TPM, but now the other asks for a password.

I installed F43 by selecting both NVMe devices in my machine:

nvme1n1                                   259:0    0 223.6G  0 disk
└─nvme1n1p1                               259:1    0 223.6G  0 part
  └─luks-8fcac3d1-b8a2-4cb7-94d6-db2960a6e4d4 252:0    0 223.6G  0 crypt
nvme0n1                                   259:2    0 465.8G  0 disk
├─nvme0n1p1                               259:3    0   600M  0 part  /boot/efi
├─nvme0n1p2                               259:4    0     2G  0 part  /boot
└─nvme0n1p3                               259:5    0 463.2G  0 part
  └─luks-4e8e8b6b-8559-46ed-bf3e-f7273c7d82d8 252:1    0 463.2G  0 crypt /home

With the following I now added the other:

sudo systemd-cryptenroll /dev/nvme0n1p3 --tpm2-device=auto

and rebooted. That worked. So the installation of F43 is not finalized properly when

  1. selecting multiple devices to install
  2. selecting encryption during install.

The keys are not enrolled in the TPM automatically. For the spanned set listed above I had to do:

sudo systemd-cryptenroll /dev/nvme1n1p1 --tpm2-device=auto
# and
sudo systemd-cryptenroll /dev/nvme0n1p3 --tpm2-device=auto

Both times entering the passphrase. Now I can reboot without being prompted for the passphrase on either device.

Is this a fluke or by design, I wonder.

2 Likes
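The enrollment step suggested in the reply above, and the two-volume case the poster ran into, share one practical problem: on a multi-disk install you have to enroll every LUKS volume, not just the root one, and it helps to verify afterwards that each header actually carries a TPM2 token. The following is an added example written for this thread, not code from Fedora, systemd or any poster. It reads /etc/crypttab (falling back to a constructed sample matching the two volumes listed above), prints one systemd-cryptenroll command per volume using the same command the thread uses, and checks a cryptsetup luksDump excerpt for a systemd-tpm2 token. It assumes crypttab entries use UUID= sources, as the Fedora installer writes them; the sample crypttab and luksDump excerpts are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: list every LUKS volume in
# /etc/crypttab, emit the systemd-cryptenroll command for each (the same
# command the thread uses, once per volume, so a multi-disk install does not
# leave one volume without a TPM2 binding), and check a cryptsetup luksDump
# excerpt for the resulting token. Assumes crypttab uses "UUID=" sources,
# as the Fedora installer writes them; run the printed commands as root.

# Constructed sample crypttab for the two volumes shown in the thread.
SAMPLE_CRYPTTAB='# <name> <device> <keyfile> <options>
luks-8fcac3d1-b8a2-4cb7-94d6-db2960a6e4d4 UUID=8fcac3d1-b8a2-4cb7-94d6-db2960a6e4d4 none discard
luks-4e8e8b6b-8559-46ed-bf3e-f7273c7d82d8 UUID=4e8e8b6b-8559-46ed-bf3e-f7273c7d82d8 none discard'

# Constructed excerpts of "cryptsetup luksDump" output: one volume with a
# TPM2 token enrolled, one with only the passphrase keyslot.
SAMPLE_DUMP_ENROLLED='Keyslots:
  0: luks2
  1: luks2
Tokens:
  0: systemd-tpm2
	tpm2-hash-pcrs:   7
	Keyslot:    1'
SAMPLE_DUMP_PLAIN='Keyslots:
  0: luks2
Tokens:'

# Print "<name> <device path>" for each non-comment crypttab line, turning
# UUID= sources into /dev/disk/by-uuid paths.
crypttab_devices() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }
        $2 ~ /^UUID=/ { sub(/^UUID=/, "", $2); $2 = "/dev/disk/by-uuid/" $2 }
        { print $1, $2 }'
}

# Print one enrollment command per volume. The existing passphrase keyslot is
# left in place, so if the TPM policy no longer matches (firmware or Secure
# Boot change) the boot falls back to asking for the passphrase.
enroll_commands() {
    crypttab_devices "$1" | while read -r name dev; do
        printf 'systemd-cryptenroll %s --tpm2-device=auto   # %s\n' "$dev" "$name"
    done
}

# Exit 0 when the luksDump text lists a systemd-tpm2 token, 1 otherwise.
has_tpm2_token() {
    printf '%s\n' "$1" | grep -q 'systemd-tpm2'
}

# Dry run: use the real crypttab when readable, else the constructed sample.
if [ -r /etc/crypttab ]; then
    tab=$(cat /etc/crypttab)
else
    tab=$SAMPLE_CRYPTTAB
fi
echo "Run as root, entering the passphrase once per volume:"
enroll_commands "$tab"
echo "Then verify each with: cryptsetup luksDump <device>  (look for a systemd-tpm2 token)"
```

After enrolling, `cryptsetup luksDump` on each volume should list a `systemd-tpm2` token and the keyslot it unlocks; a volume whose Tokens section is empty is the one that will still prompt at boot. The script deliberately does not wipe the passphrase keyslot: keeping it means a firmware or Secure Boot change that invalidates the TPM policy degrades to a passphrase prompt rather than an unbootable machine.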

Additionally… If you are sharing your disk (or have another disk) with Windows installed and using bitlocker to secure that partition, it sure might be nice if the mount was ‘smart’ enough to query the TPM for the bitlocker key! Then you could ACTUALLY access that partition. Currently it stupidly just prompts for that key. Apparently no one has actually attempted to type in one of them there bitlocker keys - NOBODY wants to do that!!

No Bitlocker, dual boot. Just an empty system with all hardware wiped clean.