I have set up my Fedora to use LUKS encrypted partitions. But entering two passwords gets quite tiring, as I shut down my laptop quite often to get the benefit of LUKS (I am assuming nothing is encrypted when in suspend, please correct me if I am wrong).

I am thinking about setting up TPM auto-decrypt. However, I was wondering whether the decryption happens on boot or after I log in?

If it happens on boot, then it seems like the benefit is pretty limited compared to an unencrypted drive, since the attacker can simply boot my laptop and get the unencrypted drive.

Am I missing something here? I was wondering whether there is a way for me to enter my password once and unlock everything, from disk to GNOME keyring?

  • Papamousse@beehaw.org · 8 months ago

    BTW, it depends whether you have FDE (Full Disk Encryption) or only your /home partition encrypted. With FDE you have no choice but to enter a password at boot (initramfs) to decrypt /, and putting it in TPM2 may raise security problems.

    If you only have your /home partition encrypted, then you can use one password to decrypt it and autologin.