Re: Whole-disk encryption is silly anyway
You haven't googled it, then.
pmset -a hibernatemode 25
pmset -a destroyfvkeyonstandby 1
Thanks for that, hadn't gotten round to looking at that last loophole but you saved me time by putting me on the right path (and a Godawful amount of Googling because there's a bit more to it due to powernap settings and other challenges but I think I've caught all of it now :) ).
And no, I won't use a Yubikey. I prefer adding OTP capability because they're not dependent on having any physical to the hardware.
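An added example (not part of the thread, and not any poster's code): a shell check that reads `pmset -g` style output and confirms the two settings quoted above took effect. The `powernap 0` expectation, the case-insensitive key match and the sample outputs are assumptions made here; the thread only says powernap settings matter, not which value the poster chose.

```shell
#!/bin/sh
# Added example: audit power settings text for the values quoted in the thread.

# Constructed sample inputs in the style of `pmset -g` output (not captured from a real machine).
SAMPLE_DEFAULT='System-wide power settings:
Currently in use:
 standby              1
 powernap             1
 hibernatemode        3
 sleep                1'

SAMPLE_HARDENED='System-wide power settings:
 DestroyFVKeyOnStandby 1
Currently in use:
 powernap             0
 hibernatemode        25'

# pmset_value KEY: print the value of KEY from settings text on stdin.
# Keys are compared case-insensitively (assumption: the tool may print the
# key in a different case than the one used to set it). Empty if absent.
pmset_value() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }'
}

# audit_pmset: read settings text on stdin, print one line per check,
# return the number of checks that failed (0 means all as expected).
audit_pmset() {
    settings=$(cat)
    failures=0
    # hibernatemode and destroyfvkeyonstandby come from the thread;
    # powernap=0 is this example's assumption.
    for want in hibernatemode=25 destroyfvkeyonstandby=1 powernap=0; do
        key=${want%%=*}
        expected=${want#*=}
        actual=$(printf '%s\n' "$settings" | pmset_value "$key")
        if [ "$actual" = "$expected" ]; then
            echo "OK    $key = $actual"
        else
            echo "FAIL  $key = ${actual:-<not set>} (expected $expected)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# On a Mac, replace the sample with live output: pmset -g | audit_pmset
printf '%s\n' "$SAMPLE_DEFAULT" | audit_pmset || echo "$? setting(s) differ"
```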