Lira, New Contributor
2 months ago
Use TPM 2.0 PCR binding to allow password-less unlock after reboot on Linux
The Problem:
Windows/macOS: Users can reboot and immediately use Windows Hello or Touch ID to unlock. The Master Password is rarely needed.
Linux: Even with "System Authentication" enabled, we are forced to type the full Master Password at least once after every reboot or app restart.
The Proposal:
I would love to see 1Password for Linux implement native TPM 2.0 support to securely store the vault decryption secret, bound to the system's hardware state.
Since modern Linux distributions (like Arch, Fedora, Ubuntu) now have mature TPM support (e.g., via systemd-cryptenroll), the infrastructure is ready.
How it could work:
1. Secret Sealing: 1Password could seal the necessary decryption key into the TPM chip.
2. PCR Binding: Bind this key to specific Platform Configuration Registers (PCRs), such as PCR 7 (Secure Boot state) and PCR 0 (Firmware).
The Result: On boot, if the system hasn't been tampered with (Secure Boot is valid), the TPM releases the key, and 1Password unlocks automatically—or just asks for a fingerprint—without needing the Master Password.
Why this matters:
Parity: It brings the Linux client up to par with the "magic" experience on other platforms.
Security vs. Convenience: It encourages users to set incredibly long, complex Master Passwords because they won't have to type them daily.
I know many power users in the Linux community are already using TPM for disk encryption (LUKS). It would be amazing to see 1Password leverage this same hardware capability.
Does anyone else in the community want this? Please vote or comment if you do!
Thanks
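As an added illustration of the sealing and PCR binding proposed in the post above (not part of the original post and not 1Password code), this Python model replays boot measurements into PCR 0 and PCR 7, computes the TPM 2.0 `TPM2_PolicyPCR` digest a sealed object would be bound to, and checks it at unseal time. The `seal`/`unseal` helpers, the measurement strings and the key are constructed for the example; a real TPM keeps the secret inside the chip.

```python
import hashlib, hmac, struct

TPM_CC_POLICY_PCR = 0x0000017F  # TPM 2.0 command code for TPM2_PolicyPCR
TPM_ALG_SHA256 = 0x000B         # TPM 2.0 algorithm ID for SHA-256

def boot(events):
    """Replay measurements: PCRs start at zero, each extend is SHA256(old || digest)."""
    pcrs = {}
    for index, data in events:
        old = pcrs.get(index, bytes(32))
        pcrs[index] = hashlib.sha256(old + hashlib.sha256(data).digest()).digest()
    return pcrs

def pcr_policy_digest(pcrs, selection):
    """policyDigest after a single TPM2_PolicyPCR over the selected SHA-256 PCRs."""
    bitmap = bytearray(3)  # PCRs 0-23, one bit each
    for i in selection:
        bitmap[i // 8] |= 1 << (i % 8)
    pcr_selection = struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(bitmap)
    pcr_digest = hashlib.sha256(b"".join(pcrs[i] for i in sorted(selection))).digest()
    return hashlib.sha256(bytes(32) + struct.pack(">I", TPM_CC_POLICY_PCR)
                          + pcr_selection + pcr_digest).digest()

def seal(pcrs, secret, selection=(0, 7)):
    """Model of a sealed object: the secret plus the policy digest it is bound to."""
    return {"secret": secret, "selection": selection,
            "auth_policy": pcr_policy_digest(pcrs, selection)}

def unseal(pcrs, blob):
    """Release the secret only if the current PCRs reproduce the sealed policy."""
    current = pcr_policy_digest(pcrs, blob["selection"])
    if not hmac.compare_digest(current, blob["auth_policy"]):
        return None  # a real TPM fails the command with a policy error instead
    return blob["secret"]

# Constructed measurement logs (real event logs contain many more entries).
GOOD = [(0, b"firmware 1.0"), (7, b"SecureBoot=on"), (7, b"db: vendor keys")]
SB_OFF = [(0, b"firmware 1.0"), (7, b"SecureBoot=off"), (7, b"db: vendor keys")]
FW_UPDATE = [(0, b"firmware 1.1"), (7, b"SecureBoot=on"), (7, b"db: vendor keys")]

def demo():
    blob = seal(boot(GOOD), b"vault-unlock-key")  # constructed placeholder key
    return {"same_state": unseal(boot(GOOD), blob),
            "secure_boot_off": unseal(boot(SB_OFF), blob),
            "firmware_update": unseal(boot(FW_UPDATE), blob)}

if __name__ == "__main__":
    print(demo())
```

The `firmware_update` case shows that a legitimate firmware update also changes PCR 0, so a design like this still needs the Master Password as a fallback and a re-seal step after updates.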
2 Replies
- cboettcher, New Contributor
I don't think having to re-type a passphrase after reboot is that onerous. There are other features I'd prefer prioritized, one of them being easier setup of FIDO/U2F as an authentication mechanism so that, after my system locks, I don't have to retype the master password. _That's_ a pain.
- AJCxZ0, Silver Expert