@vorlon: initramfs should be measured by PCR9 already, no? (Assuming you're running >=Linux 5.17.)
> tpm2-backed encryption without a signed initramfs is LESS SECURE than passphrase-based encryption
tpm2-backed encryption without a signed initramfs is MORE SECURE than no encryption.
There's a very common use-case here: servers with no (easy) physical access, that are currently left unencrypted. Having encryption on everything is still nice, as you can be less paranoid when it comes to recycling drives.