I reinstalled Leap 16 with full disk encryption and TPM 2, and when it boots I'm not asked to enter any encryption key. It just boots up.
Yes, that’s normal. That’s the major feature of TPM2.
Google “FDE with TPM2 on Linux without password at boot time”:
Implementing Full Disk Encryption (FDE) with TPM 2.0 on Linux allows for automatic, password-less unlocking at boot by sealing the LUKS encryption key to specific Platform Configuration Registers (PCRs) in the TPM chip. This process verifies that the system has not been tampered with (e.g., modified bootloader, kernel, or BIOS settings) before releasing the key.
This setup is most commonly achieved using systemd-cryptenroll on systemd-based distributions (Arch, Fedora, Ubuntu).
Prerequisites
- TPM 2.0: Enabled in UEFI/BIOS settings.
- Unified Extensible Firmware Interface (UEFI): Required, generally with Secure Boot enabled (PCR7).
- LUKS2 Partition: The encryption format should be LUKS2.
- Backup: Ensure you have a recovery key or backup before modifying encryption keys.
1 Like
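As an added example (not part of the thread, and not openSUSE's or systemd's own code): the way to see whether a LUKS2 volume is bound to the TPM as the quoted text describes is the `Tokens:` section of `cryptsetup luksDump`, where systemd-cryptenroll records a `systemd-tpm2` token with the PCRs the key is sealed to. The script below parses that section from a constructed sample dump (it is not output from a real machine, and assumes the single-line `tpm2-hash-pcrs` layout) and reports each TPM2 token, its keyslot and its PCR list. Removing the token on a systemd-based distribution is done with `systemd-cryptenroll --wipe-slot=tpm2 /dev/sdXN`, after which the remaining passphrase keyslot is the only way to unlock and the prompt returns at boot.

```shell
#!/bin/sh
# Added example: inspect a LUKS2 header dump for systemd-tpm2 tokens.
# A systemd-tpm2 token is what lets the volume unlock without a passphrase;
# the PCRs listed are the firmware/boot measurements the key is sealed to.

# CONSTRUCTED sample, shaped like `cryptsetup luksDump /dev/sdXN` on a volume
# enrolled with `systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7`.
# It is not taken from a real system; blob/hash fields are omitted.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   7
        tpm2-pcr-bank:    sha256
        Keyslot:    1
Digests:
  0: pbkdf2'

# tpm2_tokens DUMP_TEXT
# Prints one line per systemd-tpm2 token: "token=<n> keyslot=<k> pcrs=<list>".
# Only the Tokens: section is scanned; other token types are ignored.
tpm2_tokens() {
    printf '%s\n' "$1" | awk '
        /^Tokens:/                   { in_tokens = 1; next }
        /^[^ ]/                      { in_tokens = 0 }        # next top-level section
        !in_tokens                   { next }
        /^  [0-9]+: systemd-tpm2$/   { tok = $1; sub(/:$/, "", tok); pcrs = ""; next }
        /^  [0-9]+: /                { tok = ""; next }       # some other token type
        tok != "" && $1 == "tpm2-hash-pcrs:" { pcrs = $2 }
        tok != "" && $1 == "Keyslot:" {
            print "token=" tok " keyslot=" $2 " pcrs=" pcrs
            tok = ""
        }
    '
}

# tpm2_bound DUMP_TEXT
# Exit status 0 when at least one systemd-tpm2 token exists (passphrase-less
# unlock is configured), 1 otherwise.
tpm2_bound() {
    [ -n "$(tpm2_tokens "$1")" ]
}

# Stand-alone run on the constructed sample.
if tpm2_bound "$SAMPLE_DUMP"; then
    echo "TPM2 binding present:"
    tpm2_tokens "$SAMPLE_DUMP"
    echo "To return to a passphrase prompt on systemd-based systems:"
    echo "  systemd-cryptenroll --wipe-slot=tpm2 /dev/sdXN   # after confirming a passphrase keyslot exists"
else
    echo "No TPM2 binding; the volume will prompt for a passphrase."
fi
```

On a real system, feed it `cryptsetup luksDump` output instead of the sample: `tpm2_tokens "$(sudo cryptsetup luksDump /dev/sdXN)"`. Before wiping the TPM2 slot, check that another keyslot (a passphrase or recovery key) is still enrolled, since the TPM2 token is the only thing unlocking the disk if it is not.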
I want it to ask for my encryption password, so how would I change it to that?
Probably one of the fdectl sub-commands; see man fdectl.
But I admit I never tried that.
1 Like