• twack@lemmy.world · 6 points · 9 months ago · edited

    I’m not sure if this is helpful to you or not, because it’s not what you asked. I just don’t mount them on boot though.

    I have a script that requires a unique password that decrypts everything that I actually care about. If that hasn’t been run, then the server starts emailing me every 15 minutes until I do.

    The server is not set up to reboot unless I manually tell it to or there is a power outage, so logging in to run the script has never really been an issue. At most, I’ve had to SSH in from my phone maybe a handful of times.

  • akash_rawal@lemmy.world · 4 points · 9 months ago

    TPM stores the encryption key against secure boot. That way, if an attacker disables/alters secure boot then TPM won’t unseal the key. I use clevis to decrypt the drive.

  • thayer@lemmy.ca · 5 up / 1 down · 9 months ago

    Manual password entry. I feel that any other method offers insufficient security.

    For my desktops, this means interactive decryption before the OS loads. For my servers, only the data drives are encrypted, and I decrypt them manually over SSH whenever a reboot is needed (kernel updates, etc.).

  • kugmo@sh.itjust.works · 4 points · 9 months ago · edited

    The boring method: unlock the boot drive with a password, then the other drives with a keyfile referenced in crypttab. Although now that I think about it, if I were to reboot the machine remotely I wouldn’t be able to do anything on the machine until I have physical access.

  • Akinzekeel@lemmy.world · 2 points · 9 months ago

    In the past I wanted to use auto unlock via TPM, however it seems quite complicated to set up and the Arch wiki advises against it anyway, so I just enter the password during boot.

    The one improvement I would like to make here is to have a nicer input (visually) like Fedora, but I’m not sure how this is done and how I could replicate that on Arch.

    • SUNGOLD@feddit.ch · 2 points · 9 months ago

      If I understand your query correctly, Fedora uses a Plymouth theme called bgrt which displays the OEM logo and asks for the key in a nicer input. Try setting your Plymouth theme to bgrt.

      • Akinzekeel@lemmy.world · 1 point · 9 months ago

        Thank you! I had no clue what to even search for but your comment pointed me in the right direction.

        I spent the past hour setting this up and it almost works, but for some reason when I boot I only see something like “Loading initramfs” and then just a black screen and nothing happens. If I mash the escape key before I reach the black screen then Plymouth works and I see the logo and LUKS password prompt.

  • SirMaple_@lemmy.world · 2 points · 9 months ago

    Mandos and WireGuard inside initramfs.

    WireGuard connects to a cloud VPS that acts as the Mandos server and then grabs the key from Mandos.

    All my systems are protected by LUKS aside from /boot, which in my case simply holds the WireGuard config and what’s required to get the key from Mandos. Yes, this leaves the WireGuard keys exposed, but I’m not concerned since in my case they’re only good for this purpose and it’s easy to disable a peer. Plus the VPS has nftables rules that only allow traffic on the WireGuard interface to a single port that the Mandos server listens on.
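    The VPS-side ruleset that post describes, written out as an added example (not the poster's own configuration). It assumes the public NIC is eth0, the tunnel interface is wg0, WireGuard listens on its default UDP 51820, and the Mandos port is the placeholder below; only that one TCP port is reachable over the tunnel, so a leaked peer key on an unencrypted /boot grants nothing more than a conversation with Mandos.

```nft
#!/usr/sbin/nft -f
# Added example of a VPS input policy for a WireGuard + Mandos key server.
# Assumptions (not from the post): public NIC eth0, tunnel interface wg0,
# WireGuard on UDP 51820, and MANDOS_PORT is a placeholder to be replaced
# with the port your mandos-server actually listens on.
define MANDOS_PORT = 12345
define WG_PORT = 51820

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback, and replies to connections the VPS itself opened
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Admin SSH on the public interface (narrow with a source set if you can)
        iifname "eth0" tcp dport 22 accept

        # WireGuard handshake and data arrive on the public interface
        iifname "eth0" udp dport $WG_PORT accept

        # Over the tunnel, peers may reach exactly one service: Mandos.
        # Any other daemon bound on wg0 stays unreachable, and a compromised
        # peer is cut off with: wg set wg0 peer <pubkey> remove
        iifname "wg0" tcp dport $MANDOS_PORT accept

        # Count what we drop so unexpected traffic shows up in `nft list ruleset`
        counter drop
    }

    chain forward {
        # The VPS is a key server, not a router between peers
        type filter hook forward priority 0; policy drop;
    }
}
```

    Load it with `nft -f` and confirm with `nft list ruleset` that the only accept on wg0 is the Mandos port.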

    • Anonymouse@lemmy.world · 1 point · 9 months ago

      I’m using Mandos with the server on a Raspberry Pi. Unfortunately, Mandos doesn’t work with my Fedora boxes as far as I know.

  • fmo@lemmy.world · 2 points · 9 months ago

    I only encrypt the data using LUKS and I have a password stored in Google Secrets Manager. I have a script that runs as a systemd service, fetches the password and unlocks the volume. If the drive is somehow stolen, I just revoke the key and the data is unreadable.

  • Doctor xNo@r.nf · 1 point · 9 months ago

    I’ve always used VeraCrypt since I discovered its existence.

    Nice inconspicuous encrypted loop-files you can mount manually when needed (or automount at boot, but that already makes them a lot less safe) and back up to any cloud safely, as without the password they are useless.