Ikel,

@linux4noobs How to install Fedora on a laptop with FDE via LUKS using TPM, so it unlocks automatically during boot?

d3Xt3r,

Just install it normally (selecting the LUKS option). Once installed, use systemd-cryptenroll to register your drive to decrypt using the TPM chip.

See this page for more details: gist.github.com/…/777e8b52c8d88eb87467935769c98a9…

The systemd-cryptenroll man page also has some info that’s worth reading as it’ll give you a bit of insight on how this works.

Ikel,

@d3Xt3r When encrypted, consider I wanna do a BIOS and TPM upgrade. What should I do so I don't break things?

Important thing: the update packages are in the form of .exe.

d3Xt3r, (edited)

There should be no issues doing BIOS/TPM upgrades; the only thing that may happen is that you might be prompted to enter your decryption password again.

Potentially, you may need to update the binding again, so running the sudo systemd-cryptenroll --wipe-slot tpm2 --tpm2-device auto […] command will do the rebinding.

You won’t be able to update the BIOS using exes; that only works on Windows. To update the BIOS/TPM in Linux, fwupd is the way to go. Usually this should be integrated into the GNOME Software Center, so you should just use that in the first instance to check for and install any updates.

Ikel,

@d3Xt3r Thanks. I just checked LVFS. My device is supported and has BIOS updates via fwupd. TPM I recently updated using exe. It won't be a problem, I guess, cuz TPMs aren't updated often.

The password for both drives is just one?

d3Xt3r,

You can have multiple passwords for each drive but that complicates things, so it’s best to just use the same password for both the drives. (Each time you enroll a drive with systemd-cryptenroll, it’ll prompt for a password.)

Ikel,

@d3Xt3r I am ready to use different passwords for different drives. It is just entering the password twice when rebinding right?

Are there things more complicated than that?

d3Xt3r,

I haven’t used multiple passwords so can’t say for sure, but it should still work the same, in theory.

Ikel,

I want to fully encrypt, including /boot. Does LUKS do it, or do I need to do it separately?

The Gist says it won't unlock automatically for kernel updates. Does it mean the Linux kernel?

d3Xt3r,

If you want to encrypt /boot as well, follow this guide: sysguides.com/install-fedora-37-with-luks-full-di…

Yes, the kernel refers to the Linux kernel.
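
For the two-drive rebinding case discussed in the thread, here is an added example (not posted by anyone in the thread) that reads crypttab-format text and prints, as a dry run, one rebind command per TPM2-bound volume. It assumes TPM-unlocked volumes carry a tpm2-device= option in /etc/crypttab; the function names and sample UUIDs are constructed, and PCR selection is left at the tool's default.

```shell
#!/bin/sh
# Added example: dry-run generator for TPM2 rebind commands after a firmware update.
# Reads crypttab-format text on stdin and prints one command per TPM2-bound volume.
# Nothing is executed; review the output, then run each line as root.
# Each run will prompt for that drive's existing passphrase.
rebind_cmds() {
    while read -r name dev keyfile opts _; do
        # Skip blank lines and comments.
        case "$name" in ''|'#'*) continue ;; esac
        # Only volumes configured for TPM2 unlock need rebinding
        # (assumption: they carry tpm2-device= in the options field).
        case ",$opts," in
            *,tpm2-device=*) ;;
            *) continue ;;
        esac
        # Turn UUID=... into a device path the tool can open.
        case "$dev" in
            UUID=*) dev="/dev/disk/by-uuid/${dev#UUID=}" ;;
        esac
        printf 'systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto %s\n' "$dev"
    done
}

# Constructed sample crypttab: two TPM2-bound drives and one passphrase-only drive.
SAMPLE_CRYPTTAB='# <name> <device> <keyfile> <options>
luks-root UUID=11111111-2222-3333-4444-555555555555 none discard,tpm2-device=auto
luks-home UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee none tpm2-device=auto
luks-backup /dev/sdb1 none discard'

# Hypothetical helper: run the generator over the constructed sample.
sample_cmds() { printf '%s\n' "$SAMPLE_CRYPTTAB" | rebind_cmds; }

sample_cmds
```

On a real system, feed it the actual file with `rebind_cmds < /etc/crypttab`.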
