
### LUKS + TPM2 + PIN

I am currently aware of two recent methods to bind a LUKS encrypted root partition to a TPM2: `systemd-cryptenroll` and `clevis`. Both of them seem to release the encryption key after successfully checking the PCRs the key was sealed against. But I don't like the idea of the volume being decrypted without user interaction. I'd rather have a solution like the one offered by BitLocker for Windows: either TPM and an additional PIN, or a recovery key. Even though I searched the web quite exhaustively, I was not able to find any hints in this direction. Is anybody aware of a solution?

EDIT: There is a `--recovery-key` option for `systemd-cryptenroll`. I'm only concerned with the question of how to get an additional PIN requirement when using the TPM.

### 2022-05-21 - systemd v251

Support for TPM2 + PIN has been merged in systemd-cryptenroll and is available as part of release v251.

> Changes in disk encryption:
>
> * systemd-cryptenroll can now control whether to require the user to enter a PIN when using TPM-based unlocking of a volume via the new `--tpm2-with-pin=` option.
>
> Option `tpm2-pin=` can be used in /etc/crypttab.


Source
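For readers who want to see the two pieces of the answer together, here is an added example script (not part of the original question or answer, and not systemd project code) that enrolls a TPM2 + PIN slot with `systemd-cryptenroll --tpm2-with-pin=yes`, enrolls the `--recovery-key` the question already mentions as the fallback, and emits the matching `/etc/crypttab` line using `tpm2-pin=yes`. The device path, the mapping name and the choice of PCR 7 as the sealing policy are assumptions for the example; `systemd-cryptenroll` itself prompts for the existing LUKS passphrase and then for the new PIN.

```shell
#!/bin/sh
# Added example: TPM2 + PIN enrollment with systemd-cryptenroll (v251 or newer)
# plus the matching /etc/crypttab entry. Not taken from the original post.
# Assumptions: LUKS2 device path and crypttab mapping name are passed in by the
# caller, and PCR 7 (Secure Boot policy) is the sealing policy.
set -eu

# Build the crypttab line that asks systemd-cryptsetup to unlock via the TPM2
# and to prompt for the PIN instead of releasing the key silently.
# Usage: crypttab_entry <mapping-name> <luks-uuid>
crypttab_entry() {
    name=$1
    uuid=$2
    printf '%s UUID=%s none tpm2-device=auto,tpm2-pin=yes\n' "$name" "$uuid"
}

# Enroll the TPM2 + PIN slot, then a recovery key so the volume stays
# recoverable when the PCR policy changes (e.g. after a firmware update).
# Usage: enroll_tpm2_pin <luks-device>
enroll_tpm2_pin() {
    dev=$1
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 --tpm2-with-pin=yes "$dev"
    systemd-cryptenroll --recovery-key "$dev"
}

# Re-seal after a legitimate PCR change: wipe the stale TPM2 slot first,
# then enroll a fresh one (you will be asked for the passphrase and a PIN again).
# Usage: reenroll_tpm2_pin <luks-device>
reenroll_tpm2_pin() {
    dev=$1
    systemd-cryptenroll --wipe-slot=tpm2 "$dev"
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 --tpm2-with-pin=yes "$dev"
}

# The disk is only touched when explicitly requested, e.g.:
#   RUN_ENROLL=1 sh enroll.sh /dev/nvme0n1p2 cryptroot
if [ "${RUN_ENROLL:-0}" = 1 ]; then
    dev=$1
    name=$2
    enroll_tpm2_pin "$dev"
    crypttab_entry "$name" "$(cryptsetup luksUUID "$dev")" >> /etc/crypttab
fi
```

After appending the crypttab line, the initramfs must be regenerated so that the early-boot `systemd-cryptsetup` picks up the TPM2 options; the exact command depends on the distribution (for example `dracut -f` or `update-initramfs -u`). Keep the printed recovery key somewhere offline: it is the only way back in if the PIN is forgotten or the PCR 7 measurement changes before you re-enroll.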
