
asymmetric, yesterday at 2:09 PM

Can you expand on the TPM unlocking? Wouldn't this be vulnerable to evil maid attacks?


Replies

irusensei, yesterday at 5:26 PM

An evil maid is not on my threat level. I'm more worried about a burglar getting into my house and stealing my stuff and my data with it. It's a 1L PC with more than 10 TB of data so it fits in a small bag.

I start with normal full disk encryption and enrolling my secure boot keys into the device (no vendor or MS keys) then I use systemd-cryptenroll to add a TPM2 key slot into the LUKS device. Automatic unlock won't happen if you disable secure boot or try to boot anything other than my signed binaries (since I've opted to not include the Microsoft keys).

systemd-cryptenroll has a bunch of stricter security levels you can choose (PCRs). Have a look at their documentation.
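Added example (not the commenter's script): the enrollment step described above as a small POSIX shell script that binds the TPM2 slot to PCR 7 (Secure Boot state) plus PCR 0 (firmware) and optionally requires a PIN, which is the setting that matters against the stolen-box case. The device path, the PCR choice and the crypttab UUID are assumptions to adjust per machine.

```shell
#!/bin/sh
# Enrol a TPM2 key slot into an existing LUKS2 volume with systemd-cryptenroll.
# PCR 7 covers Secure Boot policy/certs; PCR 0 covers firmware code, so a
# firmware update will stop automatic unlock until you re-enrol (by design).
set -eu

# Validate a PCR list such as "0+7": indices 0..23 only, '+'-separated.
valid_pcrs() {
    printf '%s' "$1" | grep -Eq '^([0-9]|1[0-9]|2[0-3])(\+([0-9]|1[0-9]|2[0-3]))*$'
}

# Build the enrollment command line.
# $1 = LUKS device, $2 = PCR list, $3 = "yes" to also require a PIN.
# With a PIN, a thief who boots the box with intact Secure Boot still gets a prompt.
enroll_cmd() {
    valid_pcrs "$2" || { echo "bad PCR list: $2" >&2; return 1; }
    cmd="systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=$2"
    if [ "$3" = "yes" ]; then
        cmd="$cmd --tpm2-with-pin=yes"
    fi
    printf '%s %s\n' "$cmd" "$1"
}

# /etc/crypttab entry so the initrd tries TPM2 first and falls back to the passphrase.
# $1 = mapped name, $2 = LUKS UUID.
crypttab_line() {
    printf '%s UUID=%s none tpm2-device=auto\n' "$1" "$2"
}

# Run with DO_ENROLL=1 (as root, on a machine with a TPM2) to execute; otherwise
# the script only prints what it would do. systemd-cryptenroll asks for the
# existing passphrase before adding the slot, then listing shows 'tpm2' beside 'password'.
DEV="${LUKS_DEV:-/dev/nvme0n1p2}"   # assumption: adjust to the real LUKS partition
if [ "${DO_ENROLL:-0}" = 1 ]; then
    eval "$(enroll_cmd "$DEV" 0+7 yes)"
    systemd-cryptenroll "$DEV"
else
    enroll_cmd "$DEV" 0+7 yes
    crypttab_line cryptroot 00000000-0000-0000-0000-000000000000  # placeholder UUID
fi
```

Re-enrol after a firmware update or Secure Boot key change (`systemd-cryptenroll --wipe-slot=tpm2` then the command above) so the slot tracks the new PCR values.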