Linux

as others have pointed out, you can use systemd-cryptenroll to add your tpm as a way to unlock the disk at boot, security of this should be fine if secureboot is enabled (for this to work it will need to be anyway) and a password is set for the uefi. See the archwiki entry for setup info (command is as simple as systemd-cryptenroll --tpm2-device=auto /dev/rootdrive, also the device needs to be encrypted with luks2, no idea if zorin uses that by default but you can convert luks1 to luks2 {backup ur headers first!})

Not sure if this works with drive encryption since it comes before the OS, but could this maybe be done with a YubiKey or something like that?

That way, you can plug it in and not worry about typing the password every time, but then it's also secure if someone takes your PC? As long as you remove the key when it's off of course.

https://wiki.archlinux.org/title/Trusted_Platform_Module#Data-at-rest_encryption_with_LUKS

Thats what you want i think

There used to be exactly what you are looking for. Encfs, and later ecryptfs could encrypt just the data in your home folder.

It was a checkbox in ubuntu installer, just like the full disk encryption today. The key was protected by the standard user password.

Unfortunately, it was deprecated due to discovered security weaknesses, and I'm not aware of any viable replacement.

I'm not familiar with zfs, but on an encrypred drive I got around this using crypt tab If i recall. you edit a crypt file, ftab points to it or something...sorry it was 7 years ago. But there is a way to make the OS grab the decryption password. You trade convienience for security obviously

I think people are misunderstanding the whole point of drive encryption. It's so that if the drive is stolen or lost, you don't have to worry about it as much. I personally don't see any benefit in doing this if I have to enter a password every time I plug the damn thing in. If you're concerned about somebody stealing your laptop or desktop, the disk-encryption should be the least of your worries.

To the OC; if you happen to use GNOME, then check out the settings in the DISKS app. It has auto-unlock options in the per-drive settings. I long ago configured it so my USB is auto-unlocked upon being plugged in. Though after several system resets and such whatever I did to do that seems to no longer be visible in the GUI, I know that's how I set it up in the first place.

https://askubuntu.com/questions/1414617/configure-ubuntu-22-04-zfs-for-automatic-luks-unlock-on-boot-via-usb-drive

This is done via storing the unlock key in USB drive and need the USB plugged to auto unlock, see if it helps.

Fedora has a good write up using Clevis, I am not sure how well Ubuntu supports it as they traditionally have been against using the TPM for security reasons. https://fedoramagazine.org/automatically-decrypt-your-disk-using-tpm2/

systemd-cryptenroll can do it very quick and easy, it’s literally about two minutes work, but Ubuntu patches out the TPM support.

Ubuntu will soon have TPM-backed full disk encryption as a standard option in the installer. Their implementation is designed to defeat most of the security implications that the naysayers bring up, except the login process is still a potential vulnerability. What you are asking about is not so far fetched as some of the comments would lead you to believe: https://ubuntu.com/blog/tpm-backed-full-disk-encryption-is-coming-to-ubuntu