edit: thanks for all your answers, I think I have an idea how to approach this now. Please don't reply any further, unless you've got something completely new to add :)

Is there a smart way to do SSH LUKS unlocking over WireGuard in the initrd? The issue is that the private WireGuard key must be stored unencrypted in the initrd, so that's really not a nice thing. OTOH the private SSH key is already stored there (it's a separate one only used for this and not the SSH key that is used for OpenSSH when the machine is up).

Boosts welcome! @homelab #homelab

@kate @homelab It's possible to use a TPM to unlock a LUKS volume, so I guess you could create a small volume with the SSH/WG key files etc. that the initrd could unlock first. That would give you a small amount of data-at-rest / tamper resistance for the keys, I guess.

There are also some methods of using a key server with a shared secret to automate boot, if you don't want to manually unlock.

@elladan @homelab Secure boot is a whole different thing I want to look into at some point, thanks for the idea!