Comment by zenoprax
1 hour ago
I just don't understand where the protection comes from if you have automatic password entry. If the thief boots up the server it is just as convenient for them as it is for you.
Your threat model is the same as my use of a laptop: regular LUKS with a password is enough on its own. Add TPM if you want to know that you're entering your password in a secure boot environment (ie. protect against a fake LUKS screen that steals your password).
Because you'll boot up in to a password prompt. So you'd need a password bypass exploit to get in. If you attempt to change the boot device or kernel the TPM won't release the key.