Yes once bitlocker is set up in the windows partition you’ll continue unlocking your computer as usual, i.e only typing the user’s password
How can I implement this ?
It’s all in the guide linked. Check if Secure Boot is on, use this command to check if you have a TPM2 chip (you likely do):
dmesg | grep TPM
and/or
cat /sys/class/tpm/tpm0/tpm_version_major
…to check if the version of your TPM chip is 2.
Then run the command sudo systemd-cryptenroll /dev/$DISK --tpm2-device=auto
…where $DISK is the disk you have your LUKS encryption on (in my case sda3, since I have a SATA SSD, if you have an NVME one it’ll be something like nvme0n1)
NOTE: if you want a more secure middle ground you can also use the command above with --tpm2-with-pin=yes and it’ll ask you to add a PIN. That way you’ll still need to type something twice to get to your machine, but at least the first one won’t be a long and complicated password.
After that, edit /etc/crypttab, appending tpm2-device=auto to the end, making it look something like this:
luks-$UUID UUID=$UUID - tpm2-device=auto,discard
1 Like
Correct me if I’m wrong but I think I have to encrypt my disk with LUKS first, because right now my disk is not encrypted
1 Like