This is not exactly Node-RED, but the community here is also awesome on related topics.
If you use Node-RED on a Pi and have multiple such Raspberry Pis running on different customer sites, how do you encrypt? Because if you encrypt the SD card, you still need to enter a password on boot? But how can you make it boot without manually entering a password? And if you use a USB stick for the password, then it's the same problem there. An ideal solution would be to have the Pi encrypt/decrypt itself, but if you take out the SD card everything is encrypted. Not sure if LUKS or a full disk encryption works without a prompt to enter a password.
I agree with you, the missing TPM makes all solutions relatively easy to intercept.
Googling a bit about LUKS encryption, you can add a keyfile to unlock the partition.
Then you only have the problem of getting the keyfile to the Pi at runtime. But this script or Node-RED flow must be stored on the unencrypted partition, so...
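Added example (not from this thread or from any Node-RED project code) to make the "keyfile on the unencrypted partition" problem concrete and show one partial way around it: the script on the boot partition holds no secret at all, only a random salt, and the LUKS key is derived at boot from that salt plus a value that lives on the board rather than on the card (the CPU serial from /proc/cpuinfo). Someone who pulls only the SD card gets the salt and the script but not the serial, so the data partition stays sealed; someone who takes the whole Pi can boot their own card, read the serial and reproduce the key, which is the weakness people raise when they call this a "hardware fingerprint". The path `/boot/luks-salt`, the device name `/dev/mmcblk0p2` and the mapper name `cryptroot` are assumptions, and the optional `remote_secret` stands in for whatever a fetch-the-key-at-runtime flow would deliver; the script itself is hypothetical and is meant to run from an initramfs hook before the root filesystem is opened.

```python
#!/usr/bin/env python3
"""Derive a LUKS keyfile from a board-resident value plus an SD-resident salt.

Added example, not part of the forum thread. Assumed layout (illustrative):
  /boot/luks-salt   random 32-byte salt on the unencrypted boot partition
  /dev/mmcblk0p2    the LUKS-encrypted data/root partition
The key is never written to disk; it is streamed to cryptsetup on stdin.
"""
import hashlib
import os
import re
import secrets
from pathlib import Path
from typing import Optional

SALT_PATH = Path("/boot/luks-salt")   # assumed path on the unencrypted partition
SALT_LEN = 32
KEY_LEN = 64                           # cryptsetup accepts any keyfile length


def read_board_serial(cpuinfo_text: Optional[str] = None) -> str:
    """Return the Pi's CPU serial from /proc/cpuinfo.

    cpuinfo_text lets a caller supply constructed input for testing instead
    of reading the real file.
    """
    if cpuinfo_text is None:
        cpuinfo_text = Path("/proc/cpuinfo").read_text()
    match = re.search(r"^Serial\s*:\s*([0-9a-fA-F]+)\s*$", cpuinfo_text, re.MULTILINE)
    if not match:
        raise RuntimeError("no Serial line in /proc/cpuinfo")
    return match.group(1).lower()


def derive_keyfile(serial: str, salt: bytes, remote_secret: bytes = b"") -> bytes:
    """Stretch (serial, optional remote secret) with the SD salt into a LUKS key.

    The serial is low-entropy and readable by anyone who can boot the board,
    so scrypt only makes guessing it from the salt alone expensive; it does not
    turn the serial into a strong secret. remote_secret is a placeholder for a
    value fetched over the network at boot (e.g. from a key server), which is
    the part of the scheme this thread is asking about.
    """
    if len(salt) < SALT_LEN:
        raise ValueError("salt too short; refuse to derive a weak key")
    ikm = serial.encode("ascii") + b"\x00" + remote_secret
    # n=2**14, r=8 stays under hashlib's default 32 MiB scrypt memory cap.
    return hashlib.scrypt(ikm, salt=salt, n=2 ** 14, r=8, p=1, dklen=KEY_LEN)


def ensure_salt(path: Path = SALT_PATH) -> bytes:
    """Create the salt once at provisioning time; afterwards just read it back."""
    if path.exists():
        salt = path.read_bytes()
    else:
        salt = secrets.token_bytes(SALT_LEN)
        path.write_bytes(salt)
    if len(salt) != SALT_LEN:
        raise RuntimeError(f"{path} is corrupt: expected {SALT_LEN} bytes")
    return salt


def main() -> None:
    key = derive_keyfile(read_board_serial(), ensure_salt())
    # Intended use from an initramfs hook, never writing the key to the card:
    #   python3 luks-key.py | cryptsetup open --key-file=- /dev/mmcblk0p2 cryptroot
    # Enrol the same key once at provisioning with:
    #   python3 luks-key.py | cryptsetup luksAddKey /dev/mmcblk0p2 --new-keyfile=-
    os.write(1, key)


if __name__ == "__main__":
    main()
```

What this buys you is exactly the "take out the SD card and everything is encrypted" property from the first post, and nothing more: the salt file is public, the script is public, and the only thing an SD-card thief lacks is the serial. It does not protect against someone who walks off with the whole Pi, and it does not solve the problem of authenticating a remote key fetch, since any credential for that fetch would again have to sit on the unencrypted partition.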
Yes. In truth, if you really need to encrypt remote devices, you need to use a device with built-in hardware encryption or one that allows the addition of a Hardware Security Module (HSM).
In fact, most phones and tablets should have hardware encryption and so would be suitable. Though most of them suffer from physical USB vulnerabilities.
Would need to encrypt a password that allows writing telemetry to a remote service. But I think there are TPM add-ons for the Pi. Even with that, I don't quite understand how and why a TPM would be secure; can't HW fingerprints and firmware versions be faked? It would still help a lot for sure.