
Assuming you'll use LUKS for drive encryption, you can have several key slots that all allow unsealing the key to decrypt the drive.

1. You'll have your master password, for which it asks when you first create it. You can make this absurdly long and consider it'll be used as a last resort (say you've lost everything else and your computer is broken - you only have the drive left).

2. You can then add Windows-style auto-unlock with the TPM. It works with systemd. You can of course choose whichever registers you like, and the correct TPM device if you have several.

   systemd-cryptenroll /dev/sda1 --tpm2-device=auto --tpm2-pcrs=0+1+7

3. If you're somewhat paranoid, you can have it ask for a PIN. Just add --tpm2-with-pin=true to the above.

4. What if this is an external drive and/or you often change your UEFI settings, yet still need a quick unlock? Luckily, you have a FIDO2 device, so systemd's got you covered:

    --fido2-device=auto instead of --tpm2-device=auto

5. You can probably combine TPM + FIDO2, but I've never tried it.

Check the Arch wiki for more:

https://wiki.archlinux.org/title/Trusted_Platform_Module#Usi...

---

edit: it should be noted that even on Windows, there's a recovery key which allows you to unlock BitLocker if the TPM was cleared. It's not clear why the poster above said that the data would be nuked (unless, of course, you only count on the TPM and don't save that key somewhere).
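A check that follows from steps 1 to 5 above, written as an added example (not code from the comment, from systemd or from the Arch wiki): it reads the token metadata that `cryptsetup luksDump --dump-json-metadata <device>` prints for a LUKS2 header and reports which unlock methods are enrolled, whether the TPM2 slot is bound to PCR 7 and protected by a PIN, and whether a plain passphrase or recovery keyslot is still there as the last resort. The sample dump is constructed; the `systemd-tpm2`/`systemd-fido2`/`systemd-recovery` token types and the `tpm2-pcrs`/`tpm2-pin` fields follow systemd's documented LUKS2 token format, so compare against a real dump from your own machine.

```python
import json

# Constructed sample of the JSON `cryptsetup luksDump --dump-json-metadata` prints after
# the steps above: keyslot 0 = master passphrase (no token), keyslot 1 = TPM2 bound to
# PCRs 0+1+7 without a PIN, keyslot 2 = FIDO2. Irrelevant fields are omitted.
SAMPLE_DUMP = json.dumps({
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}, "2": {"type": "luks2"}},
    "tokens": {
        "0": {"type": "systemd-tpm2", "keyslots": ["1"], "tpm2-pcrs": [0, 1, 7], "tpm2-pin": False},
        "1": {"type": "systemd-fido2", "keyslots": ["2"]},
    },
})


def audit_luks_tokens(dump, required_pcrs=(7,)):
    """Summarise the enrolled unlock methods of a LUKS2 header.

    `dump` is the luksDump JSON as a string or an already-parsed dict.
    Returns (summary, warnings): summary lists token types and the keyslots
    that no token references (i.e. plain passphrase slots); warnings flag a
    TPM2 slot missing the required PCRs or a PIN, and a header with no
    passphrase or recovery slot at all (the "last resort" from step 1).
    """
    meta = json.loads(dump) if isinstance(dump, str) else dump
    all_slots = set(meta.get("keyslots", {}))
    token_slots, methods, warnings = set(), [], []
    for tok in meta.get("tokens", {}).values():
        ttype = tok.get("type", "")
        slots = sorted(tok.get("keyslots", []))
        token_slots.update(slots)
        methods.append(ttype)
        if ttype == "systemd-tpm2":
            # Step 2 binds the slot to PCRs; PCR 7 covers Secure Boot state.
            missing = sorted(set(required_pcrs) - set(tok.get("tpm2-pcrs", [])))
            if missing:
                warnings.append(f"TPM2 slot(s) {slots} not bound to PCR(s) {missing}")
            # Step 3 adds --tpm2-with-pin; without it the TPM unseals unattended.
            if not tok.get("tpm2-pin", False):
                warnings.append(f"TPM2 slot(s) {slots} unlock without a PIN")
    passphrase_slots = sorted(all_slots - token_slots)
    if not passphrase_slots and "systemd-recovery" not in methods:
        warnings.append("no passphrase or recovery keyslot: losing the TPM/FIDO2 device loses the data")
    return {"methods": sorted(methods), "passphrase_slots": passphrase_slots}, warnings


if __name__ == "__main__":
    summary, warnings = audit_luks_tokens(SAMPLE_DUMP)
    print(summary)
    for w in warnings:
        print("WARNING:", w)
```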
