Guide to using LUKS with TPM?

TPM can still require a PIN or password, the main reason for using it is that it can be rate limited by the hardware or not provide access if certain measurements have changed.

It can, but no distribution sets this up automatically. It can be done using the systemd-cryptenroll command. The main issue is it’s still missing some things, but they are making progress in that direction. See this post from Lennart Poettering:

On one of my systems I have kind of got it to work with a setup similar to this:

Enroll with PIN and check PCRs 0+7.

systemd-cryptenroll --tpm2-device=/dev/tpmrm0 \
                      --tpm2-pcrs=0+7 --tpm2-with-pin=true /dev/nvme0n1p6

Wipe password

systemd-cryptenroll --wipe-slot=password --recovery-key /dev/nvme0n1p6

Test:

/usr/lib/systemd/systemd-cryptsetup attach nvme0n1p6 /dev/nvme0n1p6 - tpm2-device=/dev/tpmrm0

Then you’ll need to build your own initramfs with TPM support. I have only done this on Arch and Fedora Silverblue.

One of the things you’ll find is that Secure Boot will now be required (disabling it will mean the TPM is inaccessible) and you need a recovery key.

The other thing is that if there is a bootloader update you may find you need the recovery key, otherwise you won’t be able to log in easily. It’s also really only worth doing if you’re using a UEFI unified kernel image that is signed.

It’s certainly not mainstream and requires a custom setup that is quite fragile, particularly when moving from one version to the next.

Some other videos that might be interesting:

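The enrol / recovery-key / wipe / test sequence from the post above, put together as one script with the two checks that the post's warnings imply but do not spell out: Secure Boot must already be on (the PCR 7 policy binds to that state), and the header must hold both a TPM2 token and a recovery token before the password slot is wiped. This is an added example, not the poster's script; it assumes systemd-cryptenroll from systemd 248 or later, a TPM 2.0 resource manager at /dev/tpmrm0, LUKS2 on /dev/nvme0n1p6 (the same device names as the post, overridable via environment variables), the EFI SecureBoot variable readable through efivarfs, and a dracut-based initramfs for the rebuild hint in the last step.

```sh
#!/bin/sh
# Added example (not the poster's code). Assumptions: systemd-cryptenroll
# from systemd >= 248, TPM 2.0 at /dev/tpmrm0, LUKS2 on /dev/nvme0n1p6,
# efivarfs mounted, dracut for the initramfs rebuild hint.
set -eu

DEV="${DEV:-/dev/nvme0n1p6}"
NAME="${NAME:-nvme0n1p6}"
TPM="${TPM:-/dev/tpmrm0}"
PCRS="${PCRS:-0+7}"       # 0 = firmware code, 7 = Secure Boot state

# PCR 7 changes when Secure Boot is toggled, so the sealed key only unlocks
# with Secure Boot in the state it had at enrolment. efivarfs prefixes the
# value with 4 attribute bytes; the 5th byte is the flag. Takes the path as
# an argument so it can be exercised against a constructed file.
secureboot_enabled() {
  var="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
  [ -r "$var" ] || return 2
  [ "$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')" = "1" ]
}

# Before the password slot goes, the header must carry a systemd-tpm2 token
# and a systemd-recovery token, or a PCR change at the next boot locks you
# out for good. Reads `cryptsetup luksDump` output on stdin.
tokens_ok() {
  dump="$(cat)"
  printf '%s\n' "$dump" | grep -q 'systemd-tpm2' &&
    printf '%s\n' "$dump" | grep -q 'systemd-recovery'
}

# crypttab line the initramfs needs so systemd-cryptsetup tries the TPM (and
# prompts for the PIN) at boot; tpm2-pcrs= restates what was enrolled.
crypttab_line() {
  printf '%s %s none tpm2-device=%s,tpm2-pcrs=%s\n' "$1" "$2" "$3" "$4"
}

enroll() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  [ -c "$TPM" ] || { echo "no TPM resource manager at $TPM" >&2; return 1; }
  secureboot_enabled || { echo "Secure Boot is off; enrol with it on" >&2; return 1; }

  # 1. TPM2 key protected by a PIN and sealed to PCRs 0+7 (prompts for PIN).
  systemd-cryptenroll --tpm2-device="$TPM" --tpm2-pcrs="$PCRS" \
                      --tpm2-with-pin=true "$DEV"
  # 2. Recovery key first (printed to the terminal: store it off-box now),
  #    verify both tokens exist, and only then drop the password slot.
  systemd-cryptenroll --recovery-key "$DEV"
  cryptsetup luksDump "$DEV" | tokens_ok || {
    echo "tokens missing, not wiping password slot" >&2; return 1; }
  systemd-cryptenroll --wipe-slot=password "$DEV"
  # 3. Prove the TPM unlock path works before rebooting ("-" = no key file).
  /usr/lib/systemd/systemd-cryptsetup attach "test-$NAME" "$DEV" - "tpm2-device=$TPM"
  /usr/lib/systemd/systemd-cryptsetup detach "test-$NAME"
  # 4. Line for /etc/crypttab (Fedora) or /etc/crypttab.initramfs (Arch,
  #    sd-encrypt hook); then rebuild, e.g. `dracut --force --add tpm2-tss`.
  crypttab_line "$NAME" "$DEV" "$TPM" "$PCRS"
}

# Only act when invoked as `sh luks-tpm.sh enroll`; sourcing it does nothing.
if [ "${1:-}" = "enroll" ]; then enroll; fi
```

Run it as root with the single argument `enroll`; it stops before the wipe if either token is missing, so the worst case is an extra enrolment, never a header you can no longer open.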