Comment by hfjtnrkdkf
13 hours ago
assuming there are no bugs in linux and you enable full memory encryption in BIOS, it protects you in the same way the FBI cant get into a locked iphone they physically posess
but linux is not as secure as an iphone, and linux users typically dont know how to set this up, so in practice you are right, it doesnt protect you
Yes, but not by automating the password process. You could probably do some sort of remote authentication with a custom iniramfs that will "phone home" for a key but that initramfs, even if signed and protected from tampering, is still exposing the authentication end point.
The attacker would just need to spoof the request to gain the key.
My threat model is a junkie breaks in to my house and flips my server on facebook marketplace. Then the buyer curiously pokes through my hard drives. Of course if protecting against government agencies is the threat model then TPM alone isn't enough.
For me, a zero friction way to have decent security is worlds better than the normal state where homeservers are not encrypted at all.
I just don't understand where the protection comes from if you have automatic password entry. If the thief boots up the server it is just as convenient for them as it is for you.
Your threat model is the same as my use of a laptop: regular LUKS with a password is enough on its own. Add TPM if you want to know that your entering your password in a secure boot environment (ie. protect against a fake LUKS screen that steals your password)