I'm running Tang on a VPS, outside of my homelab. Servers in my homelab set up networking and a dedicated WireGuard tunnel to the VPS from initrd, to be able to talk to Tang, to help unlock the filesystem. The WireGuard tunnel is only allowed from my home ISP's ASN. So if anyone picks up all my equipment from my homelab and walks away with them, they will not be able to boot them up, unless they connect from my ISP's ASN (good luck), or know the passphrase.
Additionally, some of my homelab computers that support TPM also have a TPM pin, so walking away with the disk only, and connecting from my ISP's ASN would still not be enough. This is rather pointless, anyone who walks away with the disk only will likely take the entire computer instead. But it was fun setting it up.
In the not so distant future, I'll update this setup to use Shamir Secret Sharing more, where I'll have three pins: my VPS (via Wireguard), a small computer somewhere else in my apartment, and a third at a neighbour (+ TPM on supporting computers).
It was the night of December 24th, 1996. I turned on the family PC, then running Win95, and found my D:\ drive corrupted. Windows had no tools nor docs how to resurrect a corrupted filesystem. I cried, and two days later installed SuSE on a spare disk.
Some 20 years later, I restored about half of the disk lost in 1996, because Linux had the tools, and the docs, and encouraged me to learn.