> What if I want to move my own drive somewhere else?

That's the fun part: you don't. Move the contents somewhere else, format the drive, and move them back. Also another cool feature: if the TPM stops working for some reason you lose all your data! (unless you have offsite backups, which you should anyways). I'm saying this kinda jokingly but this really is a feature of keeping the keys in your TPM, in a lot of situations this is a desired behavior.

Be aware that in the case of Bitlocker specifically Microsoft "conveniently" saves your encryption key on their "cloud", so you don't really need the TPM to decrypt stuff, which of course goes completely against the purpose of storing the key there in the first place. Oh yeah, also: DON'T trust Bitlocker, it's absolutely compromised if you are using an SSD which provides firmware "encryption". [0][1]

[0]: https://www.tomshardware.com/news/crucial-samsung-ssd-encryp...

[1]: https://twitter.com/matthew_d_green/status/10594413723175813...

>Be aware that in the case of Bitlocker specifically Microsoft "conveniently" saves your encryption key on their "cloud", so you don't really need the TPM to decrypt stuff, which of course goes completely against the purpose of storing the key there in the first place.

What MS stores in the cloud is not the encryption key but a recovery key. Obviously a recovery key can also be used to perform the decryption, but it has the benefit that it's generated by the system to be of high entropy, as opposed to a human-chosen password.

If you're against FDE recovery keys I assume you're also against 2FA recovery codes.

I think the concern is that Microsoft does this automatically and keeps a copy. A backup under my control is a completely different matter.

The rest of their post makes it clear that they consider any keys that are not backed by their TPM to be undesirable.

You generally can't backup the TPM key as most TPMs are designed to prevent key material extraction.

However, with LUKS there are two keys. The key slot key that is stored in the TPM is not able to be retrieved (by design) however the disk encryption key is not stored in the TPM, it is stored encrypted in each key slot. As long as you have access to the disk encryption key via an existing key slot you can create additional key slots without TPM protection. Once you have a non-TPM key slot you can transfer the drive anywhere and unlock it using that slot instead of the TPM. Of course this slot will not be protected from brute-forcing by the TPM but if using a sufficiently long passphrase for backup or transfer it should be fine.

TL;DR if you have access to the TPM you can migrate away from it. But if the TPM is your only form of access and you lose access (stolen, wiped, forget password...) then your data is irretrievable.