Hi,

I'm pleased to introduce a new feature for openSUSE Tumbleweed: disk auto-unlocking with TPM 2.0. In short, it boots the encrypted root without asking for a passphrase. This feature is already integrated into Agama on ALP and we plan to merge it into yast-installation (*1). For now, if you're interested, just type a few commands to enable it.

The hard requirements are LUKS2 partition(s), UEFI with Secure Boot enabled, and, of course, TPM 2.0. LUKS2 support in yast-installation is still experimental and needs a few extra steps. You could also choose to convert the existing LUKS1 partition to a LUKS2 one. The LUKS2 setup is addressed in the following link:

https://en.opensuse.org/SDB:Encrypted_root_file_system#Setup_LUKS2_partition...

First of all, please update all packages, especially shim and grub2.

The key package is fde-tools. Currently, there is a minor issue that the TCTI for native devices may not be installed, and the fix is on the way (*2). So, please install fde-tools along with libtss2-tcti-device0 for the time being.

  # zypper in fde-tools libtss2-tcti-device0

After installing fde-tools, you can test the TPM 2.0 support with

  # fdectl tpm-present

If there is no error, it's time to seal a new random key for your root partition:

  # fdectl regenerate-key

This command will request the passphrase of the root partition to enroll a new random key, seal the random key with TPM, and then update the grub configuration.

Next, reboot your system. If everything is set up correctly, the system will boot without showing the passphrase prompt.

One thing to be noted is that after a boot component upgrade, such as shim, grub2, or UEFI firmware, the signature in the sealed key may become invalid, and then you have to run the following command to update the signature.

  # fdectl tpm-authorize

We are still working on a solution to update the signature automatically after shim and grub2 update to reduce such hassles.

By default, 'fdectl' only manages the keyslots of the root partition. To extend the keyslot management to other partitions such as swap, please check

https://en.opensuse.org/SDB:Encrypted_root_file_system#Additional_steps_for_...

A complete document is available here:

https://en.opensuse.org/SDB:Encrypted_root_file_system#Unattended_boot_with_...

In case you encounter any issue, feel free to file a bug and assign it to bootloader-maintainers@suse.de

Cheers,

Gary Lin

(*1) https://github.com/yast/yast-installation/issues/1088
(*2) https://build.opensuse.org/request/show/1100949
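
Added example (not part of the original post and not part of fde-tools): a pre-flight check for the three hard requirements listed above, to run as root before "fdectl regenerate-key". The function names are hypothetical; it assumes mokutil and cryptsetup are installed and that the kernel exposes tpm_version_major in sysfs.

```shell
#!/bin/sh
# Pre-flight check for the hard requirements named in the post:
# LUKS2, UEFI Secure Boot, TPM 2.0. Helper names are hypothetical.

# Print the TPM major version the kernel reports in sysfs ("2" for TPM 2.0).
# $1 = sysfs root (normally /sys). Fails silently if no TPM device exists.
tpm_major() {
    f="$1/class/tpm/tpm0/tpm_version_major"
    [ -r "$f" ] && cat "$f"
}

# Succeed if stdin (output of `mokutil --sb-state`) reports Secure Boot on.
sb_enabled() {
    grep -q '^SecureBoot enabled'
}

# Print the LUKS header version from `cryptsetup luksDump` output on stdin.
luks_version() {
    awk '$1 == "Version:" { print $2; exit }'
}

# Run all three checks on the live system. $1 = encrypted root block device.
preflight() {
    dev="$1"; rc=0
    [ "$(tpm_major /sys)" = "2" ] ||
        { echo "FAIL: no TPM 2.0 device found"; rc=1; }
    mokutil --sb-state 2>/dev/null | sb_enabled ||
        { echo "FAIL: Secure Boot is not enabled"; rc=1; }
    [ "$(cryptsetup luksDump "$dev" 2>/dev/null | luks_version)" = "2" ] ||
        { echo "FAIL: $dev is not a LUKS2 volume"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: requirements met, continue with fdectl tpm-present"
    return "$rc"
}

# Only act when given a block device, e.g.: sh preflight.sh /dev/sda2
if [ -b "${1:-}" ]; then preflight "$1"; fi
```

A FAIL line for LUKS2 on a LUKS1 volume means the conversion or LUKS2 setup from the first wiki link has to be done before sealing a key.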