edit: thanks for all your answers, I think I have an idea how to approach this now. Please don't reply any further, unless you've got something completely new to add :)

Is there a smart way to do SSH LUKS unlocking over WireGuard in the initrd? The issue is that the private WireGuard key must be stored unencrypted in the initrd, so that's really not a nice thing. OTOH, the private SSH key is already stored there (it's a separate one only used for this and not the SSH key that is used for OpenSSH when the machine is up).

boosts welcome! @homelab #homelab

@kate @homelab It's possible to use a TPM to unlock a LUKS volume, so I guess you could create a small volume with the ssh/wg key files etc. that the initrd could unlock first. That would give you a small amount of data-at-rest / tamper resistance for the keys, I guess.

There are also some methods of using a key server with a shared secret to automate boot, if you don't want to manually unlock.
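The TPM-sealed "key volume" idea from the post above, as an added example that is not part of the thread: a small LUKS2 partition holds the initrd-only WireGuard config and the dropbear host key, its passphrase slot is sealed to the TPM with systemd-cryptenroll, and a script that runs inside the initrd unseals it, brings up wg0 and starts dropbear bound to the tunnel address only. The partition label, mount point, tunnel address, file names and the dropbear/WireGuard paths are assumptions; the wg0.conf must be in `wg setconf` format (not wg-quick format). How the emitted hook is wired into the initrd differs between dracut and initramfs-tools and is not shown.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: a ~32 MiB partition
# labelled "keyvol" that only holds key material for the initrd.
set -eu

KEYVOL_DEV="${KEYVOL_DEV:-/dev/disk/by-partlabel/keyvol}"   # assumption
KEYVOL_MNT="${KEYVOL_MNT:-/run/keyvol}"                      # assumption
WG_ADDR="${WG_ADDR:-10.99.0.2/24}"                           # assumption
# PCR 7 = Secure Boot policy; PCR 11 = measured UKI (needs systemd-stub).
# Binding to 7 alone lets any Secure-Boot-signed kernel unseal the volume.
PCRS="${PCRS:-7+11}"

# One-time setup on the booted system. Destructive on KEYVOL_DEV, run as root.
enroll_keyvol() {
  cryptsetup luksFormat --type luks2 "$KEYVOL_DEV"
  systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$PCRS" "$KEYVOL_DEV"
  cryptsetup open "$KEYVOL_DEV" keyvol
  mkfs.ext4 -L keyvol /dev/mapper/keyvol
  mkdir -p "$KEYVOL_MNT"
  mount /dev/mapper/keyvol "$KEYVOL_MNT"
  # Copy only the keys the initrd needs; both paths are assumptions.
  install -m 0600 /etc/wireguard/initrd-wg0.conf "$KEYVOL_MNT/wg0.conf"
  install -m 0600 /etc/dropbear/initramfs/dropbear_ed25519_host_key \
    "$KEYVOL_MNT/dropbear_ed25519_host_key"
  umount "$KEYVOL_MNT"
  cryptsetup close keyvol
}

# Emit the script that runs inside the initrd before the root LUKS prompt.
# Variables are expanded now, so the hook carries fixed paths.
render_initrd_hook() {
  cat <<EOF
#!/bin/sh
set -eu
# Unseal the key volume; fails closed if the PCR state does not match.
systemd-cryptsetup attach keyvol "$KEYVOL_DEV" none tpm2-device=auto
mkdir -p "$KEYVOL_MNT"
mount -o ro /dev/mapper/keyvol "$KEYVOL_MNT"
# WireGuard private key is read from the sealed volume, never from the initrd.
ip link add wg0 type wireguard
wg setconf wg0 "$KEYVOL_MNT/wg0.conf"
ip addr add "$WG_ADDR" dev wg0
ip link set wg0 up
# Unlock SSH: listen on the tunnel address only, no password auth.
dropbear -p "${WG_ADDR%/*}:22" -r "$KEYVOL_MNT/dropbear_ed25519_host_key" -s
EOF
}

# Emit the script that runs after the root volume is unlocked, so the
# key material is not left mounted once the real system takes over.
render_initrd_cleanup() {
  cat <<EOF
#!/bin/sh
umount "$KEYVOL_MNT" 2>/dev/null || true
cryptsetup close keyvol 2>/dev/null || true
EOF
}

case "${1:-}" in
  enroll)  enroll_keyvol ;;
  hook)    render_initrd_hook ;;
  cleanup) render_initrd_cleanup ;;
  *)       ;;   # no argument: define functions only
esac
```

The unsealed keys exist only in initrd RAM while the box waits for the unlock, and the volume is closed again afterwards. Whether this buys more than the plaintext-in-initrd setup depends entirely on the PCR policy: with PCR 7 only, anyone who can boot the machine into a distro-signed kernel can reach the same TPM state, so either bind PCR 11 with a measured UKI or accept that the TPM mainly protects against the disk being pulled and read elsewhere.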

@kate @homelab The most obvious answer to the WG problem you stated that came to my mind was just to terminate WG on another machine that can boot on its own, maybe a router, so you don't have to solve it.

You can then use port forwards or whatever to access the boot ssh securely without needing WG in initrd at all.

@elladan @homelab But then that other machine has the private keys stored in unencrypted form, so it just shifts the problem. It's not really an option for me though, I don't want to do this via another machine.
@elladan @homelab Secure Boot is a whole different thing I want to look at at some point, thanks for the idea!