Hello,

I’ve an HP EliteBook 840 G5 that I’ve been using up until now with Windows 10. I want to replace it with Debian 12 however since this is a laptop I would like to have my disk fully encrypted as well as the boot stage (initramfs etc).

My threat model: make sure if someone stoles the laptop, powered off, they won’t be able to access my data. I would also like to avoid evil maid attacks and make sure I’m not booting into some modified kernel / system with spyware or that will leak my TPM keys.

I’ve found some information online but I’m unsure of how secure those setups are and/or if it isn’t even possible to have the same level of security that Windows provides.

Here are a few of my questions:

• Anyone around here that has a similar HP laptop and did this?
• What about enrolling secure boot keys on the UEFI? From what I read simply using the typical Linux shim makes things more secure but it doesn’t fix the problem. Enrolling keys seems to break some motherboards
• Even if I use --tpm2-pcrs=1,4,5,7,9 how secure is that, should I add more?
• What is the impact of this in system upgrades? How do I deal with those?
• If I want to proceed with this what I should know / what typically fails or can be problematic / security issue?

Some of the information I found:

• https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
• https://saligrama.io/blog/post/upgrading-personal-security-evil-maid/
• https://fedoramagazine.org/automatically-decrypt-your-disk-using-tpm2/

Thank you.