Comment 25 for bug 1980018

David Manouchehri (manouchehri) wrote:

@vorlon: initramfs should be measured by PCR9 already, no? (Assuming you're running >=Linux 5.17.)

> tpm2-backed encryption without a signed initramfs is LESS SECURE than passphrase-based encryption

tpm2-backed encryption without a signed initramfs is MORE SECURE than no encryption.

There's a very common use-case here: servers with no (easy) physical access, that are currently left unencrypted. Having encryption on everything is still nice, as you can be less paranoid when it comes to recycling drives.
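Added example, not part of the bug thread and not code from Ubuntu, systemd or the kernel: a small Python replay of the PCR 9 measurement the comment above relies on. A TPM PCR is only ever updated by extend (PCR_new = SHA256(PCR_old || digest)), so the value in PCR 9 after boot commits to the exact initramfs bytes that were loaded; sealing the LUKS key against PCR 9 therefore ties it to that initramfs, and any change to the image (including a normal regeneration) yields a different value. Assumptions, labelled in the code: the sysfs path for the SHA-256 bank of tpm0, that the digest recorded for the initrd is SHA-256 over the image as loaded, and a constructed initrd image plus a constructed earlier PCR 9 event used as sample input so the script runs offline.

```python
import hashlib
import os
from typing import List, Optional

# Assumption: first TPM, SHA-256 bank. Adjust if your TPM is enumerated differently.
PCR9_SYSFS = "/sys/class/tpm/tpm0/pcr-sha256/9"


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """One TPM2 PCR extend in the SHA-256 bank: PCR_new = SHA256(PCR_old || digest).

    Extend is one-way and order dependent, so the PCR commits to the whole
    sequence of measurements, not only the most recent one.
    """
    if len(pcr) != 32 or len(digest) != 32:
        raise ValueError("SHA-256 bank values are 32 bytes")
    return hashlib.sha256(pcr + digest).digest()


def replay_pcr(digests: List[bytes]) -> bytes:
    """Replay a list of event digests starting from the reset value (all zero for PCRs 0-16)."""
    pcr = bytes(32)
    for d in digests:
        pcr = pcr_extend(pcr, d)
    return pcr


def initrd_digest(initrd_image: bytes) -> bytes:
    """Digest recorded for the initrd (assumption: SHA-256 over the image as loaded)."""
    return hashlib.sha256(initrd_image).digest()


def expected_pcr9(prior_digests: List[bytes], initrd_image: bytes) -> bytes:
    """Value PCR 9 should hold once the initrd has been measured after the earlier events."""
    return replay_pcr(list(prior_digests) + [initrd_digest(initrd_image)])


def tamper_changes_pcr9(initrd_image: bytes, prior_digests: List[bytes]) -> bool:
    """True when flipping a single byte of the initrd changes the resulting PCR 9 value."""
    tampered = bytearray(initrd_image)
    tampered[len(tampered) // 2] ^= 0x01
    return expected_pcr9(prior_digests, initrd_image) != expected_pcr9(prior_digests, bytes(tampered))


def read_live_pcr9() -> Optional[bytes]:
    """Current PCR 9 from sysfs, or None when there is no TPM here (e.g. running offline)."""
    if not os.path.exists(PCR9_SYSFS):
        return None
    with open(PCR9_SYSFS) as f:
        return bytes.fromhex(f.read().strip())


def pcr9_matches_initrd(initrd_image: bytes, prior_digests: List[bytes]) -> Optional[bool]:
    """Compare the replayed value against the live PCR; None if no TPM is available."""
    live = read_live_pcr9()
    if live is None:
        return None
    return live == expected_pcr9(prior_digests, initrd_image)


# Constructed sample input so the script runs without a TPM or a real initramfs.
CONSTRUCTED_INITRD = b"070701" + b"\x00" * 512          # constructed stand-in for an initrd image
CONSTRUCTED_PRIOR = [hashlib.sha256(b"constructed earlier PCR 9 event").digest()]


if __name__ == "__main__":
    print("expected PCR 9:", expected_pcr9(CONSTRUCTED_PRIOR, CONSTRUCTED_INITRD).hex())
    print("one-byte change alters PCR 9:", tamper_changes_pcr9(CONSTRUCTED_INITRD, CONSTRUCTED_PRIOR))
    print("matches live TPM:", pcr9_matches_initrd(CONSTRUCTED_INITRD, CONSTRUCTED_PRIOR))
```

On a real host you would feed the script the actual /boot initrd bytes and the earlier PCR 9 digests from the TCG event log; the replay then either reproduces the sysfs value or tells you that something other than the expected initramfs was measured.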