0x21-consulting / ElderberryPi

A secure-by-default, self-healing, small business server for the RaspberryPi

Full Disk Encryption (FDE) #7

Open micchickenburger opened 4 years ago

micchickenburger commented 4 years ago

The Raspberry Pi 4 should be able to support full disk encryption without severe performance degradation. FDE ensures confidentiality of system data at rest and addresses the threat of theft of its internal SD card or USB-attached storage devices (or of the entire device itself).

As a starting point: https://www.kali.org/docs/arm/raspberry-pi-with-luks-disk-encryption/

This issue is not dependent on #6 but would benefit from it, since the decryption key could be stored in the TPM, allowing the system to boot and operate after restart without interaction.

micchickenburger commented 4 years ago

Raspberry Pi 4 Boot Process: https://www.raspberrypi.org/documentation/hardware/raspberrypi/bootmodes/bootflow_2711.md

Raspberry Pi 4 EEPROM Details: https://www.raspberrypi.org/documentation/hardware/raspberrypi/booteeprom.md

dm-crypt/LUKS: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system

Zymkey's Approach: https://community.zymbit.com/t/encrypting-your-root-file-system-on-raspberry-pi-using-luks-dm-crypt/150