Even if it is 'security theater', to store/fetch/use decryption keys in a TPM2 chip would allow users to meet full disk encryption requirements and reboot remote machines without having someone physically go and type in boot passwords, or relying on other tools.
As of now, the only way to make this happen on Ubuntu is Clevis. Clevis is OK, but I'd much rather use core programs like systemd-cryptenroll and cryptsetup-initramfs.