I must say I am impressed by their level of professionalism and I did set up my own GPG-decrypted (with Yubikey) and TPM-decrypted LUKS scripts on Arch.
Very cool. Can you please help add any information to the Arch Wiki about your setup and methods? The information surrounding TPM 2.0 and Secure Boot is lacking, but it is an area that I hope will be greatly improved and automated.
+1, please share your setup
Sorry for the late reply but check out https://github.com/electrickite/luks-tpm2 and scencrypt in AUR.
That is freaking cool. Thanks!
If I may suggest something: if you have TPM version 2, use sha256 everywhere. And you can expand the PCR list to cover more stuff. I'm using PCRs 0 to 8 (or 9? Can't check now) so any hardware configuration change is apparent during boot.
Another useful package is sbupdate [0] that not only signs the kernel for Secure Boot but additionally makes it possible to boot the kernel directly from the UEFI firmware, bypassing the need for a bootloader (be it GRUB or systemd-boot). Once set up, it just works!