BSides Cape Town 2025

Kobus van Schoor

I’m a Tech Lead for the Edge team at DataProphet, a South African company building a real-time data collection and analytics platform for manufacturers. Edge devices are fully remotely managed Linux-based factory appliances that collect data from a variety of data sources.

I’m a passionate supporter of open-source software and a Linux enthusiast.


Session

12-06
11:25
45min
Help, I lost my keys: Recoverable, monitored FDE at the Edge
Kobus van Schoor

This talk presents a fully open-source framework to achieve full disk encryption (FDE) for TPM-equipped Edge devices, balancing strong security guarantees with practical maintainability at scale. We address key features including automated disk unlocking and recovery, monitoring and remote access. The talk will cover the following:

  • A fully verified boot chain, from EFI firmware through the initramfs. We'll cover which system components to verify and common pitfalls to avoid when setting up a secure boot chain.
  • A newly-developed, open-source TPM PCR prediction mechanism enabling seamless reboots after kernel or initramfs updates.
  • Automated disk encryption key onboarding and recovery using Tang and Clevis.
  • Secure remote access and fleet observability while disks remain locked, using WireGuard, SSH, and Prometheus.
  • Guidance on how to extend the initramfs (dracut) with your own tooling.
  • Discussion of shortfalls and potential security risks.

Our aim with this talk is to help you make FDE convenient, recoverable and monitored, so that large-scale rollouts become possible.

Track 3