Ubuntu (on which Pop!_OS is based) only added support for TPM disk encryption in Ubuntu 23.10, so my guess is that you'll have to wait for Pop!_OS 24.04
Note that, as I understand it, using TPM will only protect data on your encrypted disk if it is removed from your computer. If someone steals your entire computer, the disk will be decrypted on boot.
There are plenty of ways to do TPM backed FDE on earlier Ubuntu. They're just not officially supported. Clevis is one of the easier ways.
The disk will be decrypted on boot, but then they'll have to contend with needing a password to log in
Unless recovery (single user) mode is enabled. If it is, you can boot right into a root shell from the bootloader.
Guess I'll wait for COSMIC DE's alpha release then. It should come with Pop!_OS 24.04
Why would you do this when PopOS offers LUKS1/2 disk encryption?
TPM isn't an encryption algorithm. TPM just holds the decryption key (in my case the LUKS decryption key) and hands it to the CPU if all checks pass for convenience. No key is stored in the storage in plaintext. TPM isn't the most secure thing but at least its better than nothing at all.
Sure but you dont need to use TPM at all to use LUKS.
You can store the encryption key on the harddrive, in the LUKS partition layer.
Like thats the default of how LUKS works.
Im really confused why people think TPM needs to be involved in anyway when using LUKS.
Generally speaking you have to go out of your way to correctly cajole TPM v1 or v2 to actually correctly interface with LUKS.
You can but I personally won't trust TPM
This. But not because the tech is sketch. because storing keys in a TPM is a disaster waiting to happen
Did you make a backup of the key before storing it in the TPM? If not, then say goodbye to you data when the TPM fails.
