Great post, thanks! A lot of complex knowledge broken down into simple pieces. I’m going to try to incorporate the NixOS solution into my config today.

The article-given TLDR is probably one of the worst I’ve seen so,

TLDR: The TPM exposes the password once the kernel boots, and you can coax it into this state by swapping out the encrypted partition with one you know the password to, in the unencrypted config file, in order to get it to that state.