What TPM does for automatic unlock when combined with secure boot is to record certain steps of the OS boot and check various file hashes, if they’re unchanged then it releases the decryption key. This doesn’t authenticate the user but it verifies disk integrity (making sure your OS boots normally without injected malware), so your login prompt security can’t easily be bypassed*
* this does not prevent hardware based attacks like malicious RAM sticks or DMA attacks if the firmware isn’t patched
Then you could also set up separate home folder encryption and tie unlock to entering your password at login, or for various types of automated logins you could use the TPM again, like through checking for presence of some device you carry (like a smartwatch, etc), or even use a physical security key with one touch login (preventing remote attacks)
What TPM does for automatic unlock when combined with secure boot is to record certain steps of the OS boot and check various file hashes, if they’re unchanged then it releases the decryption key. This doesn’t authenticate the user but it verifies disk integrity (making sure your OS boots normally without injected malware), so your login prompt security can’t easily be bypassed*
* this does not prevent hardware based attacks like malicious RAM sticks or DMA attacks if the firmware isn’t patched
Then you could also set up separate home folder encryption and tie unlock to entering your password at login, or for various types of automated logins you could use the TPM again, like through checking for presence of some device you carry (like a smartwatch, etc), or even use a physical security key with one touch login (preventing remote attacks)