Use fingerprint reader to unlock LUKS at boot?

Currently during boot I have to type in the pass phrase in order to continue. Wondering if it is possible to use the fingerprint reader instead.

I’m running an up to date Archlinux using the LTS kernel (6.12.18-1-lts) and BIOS version 03.05 on an AMD Ryzen 7 7840HS.

I also used efibootmgr if that is a factor.


Doesn’t look like it’s possible. The best you can do is either this: Reddit - Heart of the internet

Or make the encryption key be a YubiKey (or similar) that can be unlocked with a fingerprint. Unless you find a way to have the key be based on the TPM and unlock that with the fingerprint, it’s properly not possible at all, probably because nobody deems it to be secure enough to bother implementing. Just like you have to unlock any smartphone (and probably macOS and BitLocker encrypted Windows device) with your password/pin too before you can use your fingerprint.


macOS also requires the password the first time. Windows, however, I believe actually does not in its default configuration of BitLocker (although I would need to link a Microsoft account to test, because that’s a requirement for Windows Hello for some reason, and I don’t want to do that).

How Windows does it is it gets the TPM to decrypt the partition with no interaction (its default config would either be to check Secure Boot state or the hashes of EFI executables loaded that boot, as well as their order, and only if those are good will it unlock) and then just does the regular system authentication (so by the time you are prompted for credentials, everything is already decrypted; the security is reliant on it being difficult to inject code into the boot process and being hopefully unable to bypass the login screen). I believe you can set up something similar on Linux with LUKS (the generic term for such a setup is “measured boot” iirc), but it’s more involved.

Of course, this doesn’t provide as high a security guarantee as a strong password, but it’s significantly more user-friendly once set up (and still provides some level of security).

Basically, you can’t have the fingerprint reader decrypt the volume, but you can have the TPM do it and then use the Linux authentication stack with a fingerprint reader for login.

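The TPM-unlock-then-login setup described in the post above, as an added example that is not from the thread or from any poster: it maps the two Windows policies mentioned (Secure Boot state vs. measured boot hashes) onto TPM PCR sets and enrols the TPM with systemd-cryptenroll while keeping the passphrase slot as the recovery path. It assumes Arch with the sd-encrypt mkinitcpio hook, a LUKS2 volume, systemd 248 or newer, and a TPM 2.0 at /dev/tpmrm0; the device path is a placeholder.

```sh
#!/bin/sh
# Added example, not the thread's own code. Assumes Arch with the sd-encrypt hook,
# a LUKS2 volume, systemd-cryptenroll, and a TPM 2.0 exposed as /dev/tpmrm0.
set -eu

# Map the two policies from the post onto TPM PCR sets:
#   secureboot -> PCR 7 (Secure Boot state and enrolled certificates)
#   measured   -> PCR 0+2+4+7 (firmware, option ROMs, boot loader/EFI binaries, Secure Boot)
# The "measured" set is stricter but breaks on every firmware/bootloader update,
# at which point the passphrase slot below is the recovery path.
pcr_policy() {
    case "$1" in
        secureboot) echo "7" ;;
        measured)   echo "0+2+4+7" ;;
        *) echo "unknown policy: $1" >&2; return 1 ;;
    esac
}

# /etc/crypttab.initramfs line: sd-encrypt tries the TPM2 token first and falls
# back to the passphrase prompt if the PCR state no longer matches the policy.
crypttab_line() {   # $1 = mapped name, $2 = LUKS partition UUID
    printf 'luks-%s UUID=%s none tpm2-device=auto,discard\n' "$1" "$2"
}

# Enrol the TPM as an additional keyslot; the passphrase keyslot is kept on purpose.
enroll_tpm2() {     # $1 = policy, $2 = LUKS device
    pcrs="$(pcr_policy "$1")"
    [ -e /dev/tpmrm0 ] || { echo "no TPM2 resource manager device" >&2; return 1; }
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$pcrs" "$2"
    systemd-cryptenroll "$2"    # with no slot type it lists enrolled tokens for verification
}

# Only acts when invoked as "enroll <policy> <device>", so sourcing it is side-effect free.
if [ "${1:-}" = "enroll" ]; then
    dev="${3:-/dev/nvme0n1p2}"    # placeholder device, adjust to your LUKS partition
    enroll_tpm2 "${2:-secureboot}" "$dev"
    crypttab_line root "$(cryptsetup luksUUID "$dev")" | tee -a /etc/crypttab.initramfs
    echo "now add sd-encrypt to HOOKS in /etc/mkinitcpio.conf and run mkinitcpio -P" >&2
fi
```

Run as root with `./tpm-luks.sh enroll secureboot /dev/your-luks-partition`; login then goes through the normal PAM stack, where fprintd can be configured for the fingerprint reader.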