LUKS isn’t the alternative here, it’s the baseline. The question is how to unlock LUKS without manual passphrase entry at boot.
Using TPM2 + Secure Boot (e.g. via systemd-cryptenroll) binds the LUKS key to platform integrity, so it auto-unlocks when the system hasn’t been tampered with. You still keep a recovery passphrase, so you’re not locked out if hardware changes or fails.
As far as I remember, it represents the grandma, the mother and the daughter. Some type of cult to woman and generations. It was associated with Celtics and reprieved by Christian religions, specially because introduces importance to matriarchs.
There is one caveat that worth mentioning, one can try (and probably achieve) disable many the privacy invasive treats in Ubuntu getting to the 0 or 1% that other distros provide out of the box where with Windows there isn’t much workaround.
Honestly, Ubuntu is not even close bad to how many framed here in terms of privacy and can be more secure than Mint that still pushes Cinnamon X11 to users.
Once you get Snap out and telemetry disabled Ubuntu is in the game.
What are you about here? “Just a simple metal plate”, what exactly are you expecting? That is exactly the definition of a motherboard or a dock.
The TGX dock from Lenovo is that inside a box.
I never said TB5 is best than Oculink in performance but is better than a TB4 and reduce the gap to Oculink. Good luck with your imaginary eGPU dock and your Framework 13 with limited TB4 port.
TPM2 + Secure Boot via systemd-cryptenroll is the closest to the “just works” FileVault/Android experience. Keep a recovery passphrase in your password manager. You don’t lose your data if the motherboard dies, you just use the recovery key.
I use this on my daily drive laptop. Only real hiccup is that I still keep the dual boot because fwupd does not cover my laptop BIOS firmware updates but in a Linux tablet this a no issue.
Just use the OCuP4V2 dock, it has the proper mount to secure the GPU and the PSU. No enclosure, your cat either need to leave it alone or you will need to be creative.
If you are into eGPU, and is firm about the 13/14 size don’t get the Framework. This “Pro” version is disappointing, not coming with USB 4.2 or TB5, Dell released last year a Dell Pro 14 with 2 TB5, they will probably release more this year and Lenovo will announce their Thinkpad 2026 lineup tomorrow: https://mactivity.lenovo.com.cn/smb/thinkxp-c.html?pmf_group=in-push&pmf_medium=sc&pmf_source=Z00028090T004
Would like to see a clear purple version of this controller
Same, just finished last week the Return to Monkey Island, after 20+ years played the Cursed Monkey Island.
This series is something special.
In Fedora, and other distros using Systemd, potentially in some distros that don’t use Systemd as well, using tools like dracut or mkinitcpio you can enroll TPM2 to Secure Boot and seal TPM to NOT request LUKS password every boot.
TPM auto-unlock still relies on measured boot integrity (Secure Boot/PCRs), so it protects against offline theft and tampering when the machine is off or storage is removed.
But if an attacker has repeated physical access during boot, the protection depends on whether you’ve added extra factors like a TPM PIN or pre-boot passphrase. Login prompts don’t re-protect the disk once it’s decrypted.
In practice, for my use case (mostly shutdown or battery-dead scenarios), this is an acceptable trade-off for convenience. If your threat model includes targeted physical access during boot, then keeping a pre-boot secret is still the safer choice.