Good question Mike, and yes, I am still “into the drive encryption thing” – I’m now EVP and CTO for WinMagic. No. I don’t consider TPM autoboot much better, attacks within the OS for example can be leveraged even if the machine is presenting a Windows password screen – https://blog.scrt.ch/2015/11/16/bypassing-tpm-based-bitlocker/ These are discovered frequently. Then you have attacks which simply scrape the key out of memory – http://support.passware.com/hc/en-us/articles/115002145727-How-to-decrypt-Full-Disk-Encryption So, anything which leaves a key on the machine to me, is really suspect.
A shameless plug – for WinMagic, the machine can get the key in the pre-boot state from a network service, so in an office environment etc, there’s no need for pre-boot auth. Take the machine out of the office however and it’s totally locked. No local key stored at all. That to me is a good compromise with clearly-defined security parameters.
