How does full disk work on the librem 14 compared to Windows Bitlocker?
My understanding of Windows is during boot, the TPM checks to make sure the boot disk has not been modified by checking the to make sure the boot files are signed by Microsoft and if all is good, the encryption keys are released to the OS. Optionally, A PIN number, or smart card can also be used in conjunction with the checks to further enhance the security. If the TPM fails, or if the user forgets their PIN, a recovery code is required to unlock the drive without the TPM.
Since in PureOS, the drive encryption password has to be complex, My guess is the encryption keys are not stored in the TPM but rather used to directly encrypt the drive like the recovery key in windows? If that is the case, what is the purpose of the TPM in the Librem 14?