Ok, it doesn’t happen a lot, but having to enter the long LUKS passphrase when starting up in tablet mode (or even laptop mode) is annoying. So I started using a PIN to make entry easier.
The trick is that this uses the TPM (trusted platform module, the PC equivalent of the secure enclave chip in a phone) to hold a randomly generated disk unlock key. The key is sealed against PCR 7, the TPM register that records the Secure Boot state, and against the PIN, so the TPM only releases it if Secure Boot’s state matches what it was at enrollment and you type the right PIN. When those checks pass, you get a PIN entry box instead of a passphrase entry box.
You can do this without the PIN, too, but I’m pretty lax on my OS user passwords. Plus the PIN stops the disk from being unlocked at all: without it, anyone who powers the machine on gets a decrypted disk behind nothing but the OS login prompt, which is not where you want to drop your curious friend/attacker.
So if the Secure Boot state changes (it is turned off, the enrolled keys or dbx change, or a different bootloader is booted under it), or if the NVMe drive is moved to another computer with a different TPM, the TPM won’t release the key, the PIN won’t work, and LUKS falls back to asking for the long passphrase. So you’re still getting the full-disk encryption benefit, along with a shortcut for daily use. Two things worth knowing: the same fallback triggers after a legitimate firmware or Secure Boot key change, so keep the passphrase and expect to re-enroll the TPM slot afterwards; and PIN guesses are throttled by the TPM’s dictionary-attack lockout, which is what makes a short PIN acceptable where a short passphrase would not be.
So how? This is the command I ran on Fedora 42 Silverblue. I didn’t have to install anything extra, either. Fedora Workstation should be the same. Other distro users might want to do some research.
First check your drive. If you’ve set up LUKS with the OS installer, you’ll see the one slot for your passphrase. Also your NVMe drive will probably have the same name as mine. If this command errors, you’ll have to go find the LUKS partition first.
$ sudo systemd-cryptenroll /dev/nvme0n1p3
SLOT TYPE
0 password
Now you’re ready to setup PIN entry.
$ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 --tpm2-with-pin=yes /dev/nvme0n1p3
You’ll be asked for your current LUKS passphrase, and then for the new PIN, and to verify the new PIN. The PIN is not limited to numbers, it can be any text. Leaving off --tpm2-with-pin=yes means the TPM releases the key on its own and you boot straight to the OS login with no prompt at all.
After that command, you’ll see the PIN in a new slot:
$ sudo systemd-cryptenroll /dev/nvme0n1p3
Place your finger on the fingerprint reader
SLOT TYPE
0 password
1 tpm2
Reboot, enter your new PIN instead of the passphrase, and enjoy. Keep slot 0 (the passphrase) enrolled: it is your only way in once PCR 7 changes, and when that happens the fix is to unlock with the passphrase, wipe the stale tpm2 slot and enroll again. If you never see a PIN prompt and land straight at the passphrase prompt, the initrd isn’t trying the TPM token at all; crypttab(5) documents the tpm2-device=auto option that turns that on.
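Here is the whole procedure above as a script, an added example that is not from the original post. It assumes a Fedora-style system where systemd-cryptenroll, cryptsetup, lsblk and systemd-analyze are installed. Instead of assuming /dev/nvme0n1p3, it finds the crypto_LUKS partition from lsblk; it refuses to enroll if there is no passphrase slot left as a fallback; it wipes a stale tpm2 slot before re-enrolling (what you need after a firmware or Secure Boot change); it records the PCR 7 value the slot gets bound to; and it prints the LUKS2 token afterwards. The function and variable names are the example’s own, the sample lsblk and slot listings are constructed from the output shown in the post, and the real enrollment only runs when RUN_ENROLL=1 is set, so the helpers can be tried safely first.

```shell
#!/bin/sh
# Added example (not from the original post): the TPM2+PIN enrollment wrapped
# in the checks a practitioner wants around it.
# Assumptions: systemd-cryptenroll, cryptsetup, lsblk and systemd-analyze
# (255+ for "pcrs") are available; the real enrollment only runs when
# RUN_ENROLL=1 is set, so the helpers below can be exercised offline.
set -eu

# Pick the first crypto_LUKS partition from "lsblk -rno PATH,FSTYPE" output
# (read from stdin) instead of assuming it is /dev/nvme0n1p3.
find_luks_device() {
    awk '$2 == "crypto_LUKS" { print $1; exit }'
}

# Does a "systemd-cryptenroll <dev>" slot listing (stdin) already contain a
# tpm2 slot? Stray lines such as sudo's fingerprint prompt are ignored.
has_tpm2_slot() {
    grep -qE '^[[:space:]]*[0-9]+[[:space:]]+tpm2([[:space:]]|$)'
}

# Count password slots in the same listing. We refuse to enroll the TPM when
# there is none: the long passphrase is the only fallback once PCR 7 changes.
count_password_slots() {
    grep -cE '^[[:space:]]*[0-9]+[[:space:]]+password([[:space:]]|$)' || true
}

# Constructed sample data, modelled on the output shown in the post.
SAMPLE_LSBLK='/dev/nvme0n1
/dev/nvme0n1p1 vfat
/dev/nvme0n1p2 ext4
/dev/nvme0n1p3 crypto_LUKS
/dev/mapper/luks-root ext4'
SAMPLE_SLOTS_BEFORE='SLOT TYPE
0 password'
SAMPLE_SLOTS_AFTER='Place your finger on the fingerprint reader
SLOT TYPE
0 password
1 tpm2'

enroll() {
    dev=$(lsblk -rno PATH,FSTYPE | find_luks_device)
    [ -n "$dev" ] || { echo "no crypto_LUKS partition found" >&2; exit 1; }
    echo "LUKS device: $dev"

    slots=$(sudo systemd-cryptenroll "$dev")
    printf '%s\n' "$slots"
    if [ "$(printf '%s\n' "$slots" | count_password_slots)" -eq 0 ]; then
        echo "refusing: no password slot to fall back on" >&2
        exit 1
    fi
    # Re-enrolling after a Secure Boot/firmware change: drop the stale slot
    # first rather than stacking a second tpm2 slot next to it.
    if printf '%s\n' "$slots" | has_tpm2_slot; then
        echo "existing tpm2 slot found; wiping it before re-enrolling"
        sudo systemd-cryptenroll --wipe-slot=tpm2 "$dev"
    fi

    # Record the PCR 7 value the new slot will be bound to, so a later
    # "the PIN stopped working" can be compared against it.
    systemd-analyze pcrs 7 || true

    # Bind to PCR 7 (Secure Boot policy) and require a PIN. This prompts for
    # the current passphrase, then for the new PIN twice.
    sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 \
        --tpm2-with-pin=yes "$dev"

    # Show the LUKS2 Tokens section: it should now hold a systemd-tpm2 token
    # listing the bound PCRs and whether a PIN is required.
    sudo cryptsetup luksDump "$dev" | sed -n '/^Tokens:/,/^Digests:/p'
}

if [ "${RUN_ENROLL:-0}" = "1" ]; then
    enroll
else
    # Offline dry run over the constructed sample data.
    echo "would enroll on: $(printf '%s\n' "$SAMPLE_LSBLK" | find_luks_device)"
    if printf '%s\n' "$SAMPLE_SLOTS_AFTER" | has_tpm2_slot; then
        echo "sample listing already shows a tpm2 slot"
    fi
fi
```

Run it as RUN_ENROLL=1 sh enroll-tpm2-pin.sh to do the real enrollment (sudo will prompt for your password, then systemd-cryptenroll for the LUKS passphrase and the PIN); without the variable it only exercises the parsing helpers on the sample data.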
More info/background is available at the Arch Wiki. I’m posting this because I read a lot of bad/old info on how to do this. Since we all have the same hardware, I thought I’d post to hopefully help someone out.