
Using TPM to unlock LUKS/dm-crypt volume

Çağlar Arlı - 6 Views


I am trying to understand the risks of configuring passwordless decryption via TPM of a LUKS/dm-crypt system with something like:

systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+1+2+3+4+5+7+8 /dev/disk/by-uuid/XXX-XXX

The idea would be to use systemd-boot and a unified kernel image on a system with full disk encryption of everything but /efi. I want to protect some personal financial records (e.g., tax forms), family photos, unfinished manuscripts, and some un-analyzed de-identified data that I store on my laptop and home server against someone breaking into my house or me being inattentive at a coffee shop. I would like to push the thief to have to resort to the $5 wrench decryption method, at which point, and realistically well before then, I would give them my password and any help they want getting the data and manuscripts published.

My understanding is that if a thief only stole the drives, they would have to break the LUKS/dm-crypt encryption (which I think is accomplished with the wrench). If they stole the whole computer, they could gain access to my data by cracking my regular password, finding an exploit in the services the server runs (e.g., samba, ssh, cockpit, jellyfin), or some sort of cold boot attack (all of which I think involve the wrench).

Is using passwordless decryption reasonable for my use case?
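As an added illustration of what the enrollment command in the question actually binds to (this is example code written for this page, not part of the original post and not systemd's or the TPM's own implementation), the toy model below replays a constructed "boot log" into PCR values, seals a constructed volume key to the PCR selection 0+1+2+3+4+5+7+8, and then checks which changed boot scenarios still unseal it. The firmware, bootloader, Secure Boot and command line measurements are placeholder strings, and the policy digest is a simplified stand-in for TPM2_PolicyPCR (a real TPM also folds the command code and PCR selection bitmap into the policy and never exports the sealed secret).

```python
"""Toy model of TPM PCR measurement and PCR-bound sealing (added example).

It mimics, in simplified form, what systemd-cryptenroll's --tpm2-pcrs binding
does: the TPM releases the LUKS key only if the selected PCRs hold exactly the
values they held at enrollment. Every measurement below is constructed data.
"""
import hashlib
from typing import Dict, List, Optional, Sequence

PCR_COUNT = 24
ZERO = bytes(32)  # a SHA-256 PCR bank starts at all zeros at power-on


def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM2_PCR_Extend: new = H(old || H(event)). One-way and order-dependent."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_boot(events: Dict[int, Sequence[bytes]]) -> Dict[int, bytes]:
    """Replay a boot event log into PCR values (each PCR starts at zero)."""
    pcrs = {i: ZERO for i in range(PCR_COUNT)}
    for idx, evs in events.items():
        for ev in evs:
            pcrs[idx] = extend(pcrs[idx], ev)
    return pcrs


def policy_digest(pcrs: Dict[int, bytes], selection: Sequence[int]) -> bytes:
    """Simplified TPM2_PolicyPCR: digest over the selected PCRs in index order."""
    h = hashlib.sha256()
    for i in sorted(selection):
        h.update(pcrs[i])
    return h.digest()


def seal(secret: bytes, pcrs: Dict[int, bytes], selection: Sequence[int]) -> dict:
    """Bind `secret` to the current values of the selected PCRs."""
    return {"policy": policy_digest(pcrs, selection),
            "selection": tuple(sorted(selection)),
            "secret": secret}  # model only: a real TPM keeps the secret on-chip


def unseal(sealed: dict, pcrs: Dict[int, bytes]) -> Optional[bytes]:
    """Return the secret only if the current PCRs satisfy the sealed policy."""
    if policy_digest(pcrs, sealed["selection"]) != sealed["policy"]:
        return None
    return sealed["secret"]


# Constructed boot log for the enrolled machine; every value is a placeholder.
GOOD_BOOT: Dict[int, List[bytes]] = {
    0: [b"firmware-v1.2"],                           # platform firmware code
    1: [b"firmware-config"],                         # firmware configuration
    2: [b"option-rom-nic"],                          # option ROM code
    3: [b"option-rom-config"],                       # option ROM configuration
    4: [b"systemd-boot.efi", b"uki-linux-6.x.efi"],  # boot manager and UKI
    5: [b"gpt-partition-table"],                     # boot manager config / GPT
    7: [b"SecureBoot=1", b"db:vendor-cert"],         # Secure Boot state
    8: [b"cmdline: root=UUID=... ro quiet"],         # kernel command line
}
SELECTION = (0, 1, 2, 3, 4, 5, 7, 8)  # the post's --tpm2-pcrs=0+1+2+3+4+5+7+8
LUKS_KEY = b"\x11" * 32               # constructed volume key


def enroll() -> dict:
    """Equivalent of enrollment time: seal the key to today's PCR values."""
    return seal(LUKS_KEY, measure_boot(GOOD_BOOT), SELECTION)


def try_unlock(sealed: dict, boot_log: Dict[int, Sequence[bytes]]) -> Optional[bytes]:
    """Equivalent of boot time: replay the log and ask the TPM to unseal."""
    return unseal(sealed, measure_boot(boot_log))


def variant(changes: Dict[int, List[bytes]]) -> Dict[int, List[bytes]]:
    """GOOD_BOOT with some PCR event lists replaced or added."""
    log = {k: list(v) for k, v in GOOD_BOOT.items()}
    log.update(changes)
    return log


if __name__ == "__main__":
    sealed = enroll()
    # 1. Untouched machine: key released with nobody at the keyboard.
    print("genuine boot       :", try_unlock(sealed, GOOD_BOOT) == LUKS_KEY)
    # 2. Different boot manager/kernel started from external media: PCR 4 differs.
    print("foreign bootloader :", try_unlock(sealed, variant({4: [b"other-loader.efi"]})))
    # 3. Edited kernel command line: PCR 8 differs.
    print("edited cmdline     :", try_unlock(sealed, variant({8: [b"cmdline: edited"]})))
    # 4. Secure Boot switched off in firmware setup: PCR 7 differs.
    print("secure boot off    :", try_unlock(sealed, variant({7: [b"SecureBoot=0"]})))
    # 5. Legitimate firmware update: PCR 0 differs, so a recovery passphrase is needed.
    print("firmware update    :", try_unlock(sealed, variant({0: [b"firmware-v1.3"]})))
```

Scenarios 2 to 4 are the cases the PCR binding is meant to catch: anything that changes the measured boot chain changes the policy digest and the key stays sealed. Scenario 1 is the residual risk the question describes: on an unmodified machine the key is released before anyone authenticates, so from that point the data is protected only by the login password and the exposed services. Scenario 5 is the availability side of the same coin: a firmware update, a kernel upgrade that changes PCR 4, or a Secure Boot key change will also refuse to unseal, which is why a passphrase or recovery key (systemd-cryptenroll --recovery-key) should stay enrolled alongside the TPM slot, and why it is worth checking the live PCR values with tpm2_pcrread before and after such updates.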