alt Hacker NewsIt is common to remote mount JBOD over initrd drop-bear ssh using sector level strip signature checking, predicted s.m.a.r.t power-cycle-count/hours/serial, proc structure, and an ephemeral key. SElinux is also quite robust in access permission handling.
TPM collocates a physical key on the same host, incurs its own set of trade-offs with failures or physical access in dormancy, and requires trusting yet another vendor supply chain. There are always better options, but since the Intel Management Engine can access TPM... such solutions incur new problems. Privilege escalation through TPM Sniffing is also rather trivial these days.
Have a great day. =3
People stopped using dedicated TPM about 10 years ago exactly because it's trivial to sniff it.
Nowadays you use the fTPM built inside the CPU. And if you don't trust the CPU maker, well, you have bigger problems.