Terr_ 2 hours ago
> Imagine a motherboard failure

Hold up, I'm no expert on Secure Boot, but LUKS allows you to have multiple entry keys to the same drive. This means you can have one key of random gobbledegook which is kept and auto-used by the magic motherboard, and also a passphrase that you can memorize or write down, and either one is totally sufficient on its own. You don't even need to set them up at the same time, you can start with one and then add the other as an option later.
hparadiz 2 hours ago | parent
Secure Boot is something else. It verifies the boot loader at the BIOS. This can be broken by the system itself (like if it's hacked). So it's protecting you against modifications to the boot loader. This is where kernel modules can be injected. TPM 2.0 is something else. It's typically soldered onto the motherboard as a physical device and the key can be generated and then used to encrypt the disk. The private key cannot be extracted. Only the signature, and you can ask the TPM to sign a binary blob with the private key while providing you the public key to verify. This protects you against physical access to your device. No one can take your disk and decrypt it.
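Tying the two comments together (Terr_'s multiple LUKS keyslots and hparadiz's TPM-held key), an added example that is not code from either commenter: it audits LUKS2 header metadata to confirm a passphrase keyslot exists beside the TPM-bound one, so a motherboard failure does not lock the disk. The JSON layout is assumed from the LUKS2 format as printed by `cryptsetup luksDump --dump-json-metadata`, and the header below is constructed.

```python
import json

# Added example (not the commenters' code). Constructed LUKS2 metadata in the
# shape of `cryptsetup luksDump --dump-json-metadata` (layout assumed from the
# LUKS2 format): keyslot 0 is a passphrase slot, keyslot 1 is unlocked by a
# systemd-tpm2 token, and both are bound to the single data segment.
SAMPLE_HEADER = json.dumps({
    "keyslots": {
        "0": {"type": "luks2", "key_size": 64,
              "kdf": {"type": "argon2id", "time": 4, "memory": 1048576}},
        "1": {"type": "luks2", "key_size": 64,
              "kdf": {"type": "pbkdf2", "hash": "sha256", "iterations": 1000}},
    },
    "tokens": {"0": {"type": "systemd-tpm2", "keyslots": ["1"], "tpm2-pcrs": [7]}},
    "segments": {"0": {"type": "crypt", "encryption": "aes-xts-plain64"}},
    "digests": {"0": {"type": "pbkdf2", "keyslots": ["0", "1"], "segments": ["0"]}},
})


def classify_keyslots(header_json: str) -> dict:
    """Map each keyslot to 'tpm2', 'passphrase' or 'unbound'."""
    hdr = json.loads(header_json)
    # A keyslot only unlocks data if a digest ties it to a data segment.
    bound = {ks for d in hdr.get("digests", {}).values()
             if d.get("segments") for ks in d.get("keyslots", [])}
    # Keyslots referenced by a TPM2 token are opened by the TPM, not a human.
    tpm_slots = {ks for t in hdr.get("tokens", {}).values()
                 if t.get("type") == "systemd-tpm2"
                 for ks in t.get("keyslots", [])}
    result = {}
    for slot in hdr.get("keyslots", {}):
        if slot not in bound:
            result[slot] = "unbound"
        elif slot in tpm_slots:
            result[slot] = "tpm2"
        else:
            result[slot] = "passphrase"
    return result


def has_recovery_path(header_json: str) -> bool:
    """True if some usable keyslot does not depend on the TPM, so the disk
    can still be opened after a motherboard (and therefore TPM) failure."""
    return "passphrase" in classify_keyslots(header_json).values()
```

Run it against the real output of `luksDump --dump-json-metadata` on your own volume; a result with no "passphrase" slot is exactly the motherboard-failure lockout the thread is worried about.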