Edit: Thanks for all your answers, I think I have an idea of how to approach this now. Please don't reply any further, unless you have something completely new to add :)

Is there a smart way to do SSH LUKS unlocking over WireGuard in the initrd? The issue is that the private WireGuard key must be stored unencrypted in the initrd, so that's really not a nice thing. On the other hand, the private SSH key is already stored there (it's a separate one, only used for this, and not the SSH key that is used for OpenSSH when the machine is up).

Boosts welcome! @homelab #homelab

@kate @homelab I think there might not be... at least when I last thought about it, I saw no safe way to do this. Back then I went with a passwordless reboot solution, but this is annoying after power outages, so nowadays I'd probably go for TPM & Secure Boot for unattended full disk encryption, honestly.
@felixs @homelab That's what I fear as well. I haven't looked into Secure Boot yet, though. The situation is already not great anyway, because the private SSH key for the initrd SSH server is easy to extract, so it would be easy to just have another machine impersonate the real machine and steal the LUKS password I pass via SSH.
@kate @felixs @homelab I suggest having a look at clevis/tang.
@yala @felixs @homelab I think that is too complicated for my setup (at least for now).

@kate @yala @felixs tang/clevis seems too complicated, but you are comfortable with custom hacking together a WireGuard setup in initrd? Certainly a choice!

I really hope you succeed! But I'd also recommend actually checking what you are trying to defend against, and whether it's worth the potential downtime when things don't work out as expected. 🤞

@sheogorath @yala @felixs Well, I am; I already do so. Also, with NixOS this is not so hard, and the code serves as really good documentation.
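For readers who want to see what the setup discussed in this thread looks like in NixOS terms, here is an added example configuration. It is not kate's configuration and not taken from the NixOS documentation; it uses the NixOS scripted (non-systemd) initrd options `boot.initrd.network.ssh`, `boot.initrd.secrets`, `boot.initrd.extraUtilsCommands` and `boot.initrd.network.postCommands`, and every path, UUID, key, address and NIC driver in it is a placeholder you would replace with your own.

```nix
{ config, pkgs, lib, ... }:
{
  # Placeholder NIC driver; the WireGuard module must be loaded for "ip link add ... type wireguard".
  boot.initrd.availableKernelModules = [ "e1000e" ];
  boot.initrd.kernelModules = [ "wireguard" ];

  # Bring up the physical interface with DHCP early in boot.
  boot.kernelParams = [ "ip=dhcp" ];

  # Encrypted root; placeholder UUID.
  boot.initrd.luks.devices."cryptroot".device =
    "/dev/disk/by-uuid/00000000-0000-0000-0000-000000000000";

  boot.initrd.network.enable = true;
  boot.initrd.network.ssh = {
    enable = true;
    port = 2222;
    # Dedicated host key for the initrd only (never the running system's key).
    # As the thread notes, it is copied into the initrd in the clear.
    hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
    # Placeholder public key of the admin who will type the LUKS passphrase.
    authorizedKeys = [ "ssh-ed25519 PLACEHOLDER_PUBLIC_KEY admin@laptop" ];
  };

  # Ship the wg tool and a full iproute2 "ip" into the initrd (assumption:
  # busybox's ip applet is not relied on for "link add ... type wireguard").
  boot.initrd.extraUtilsCommands = ''
    copy_bin_and_libs ${pkgs.wireguard-tools}/bin/wg
    copy_bin_and_libs ${pkgs.iproute2}/bin/ip
  '';

  # The WireGuard private key is appended to the initrd at boot time.
  # This is the unencrypted key the original post is worried about.
  boot.initrd.secrets = {
    "/etc/wg-initrd.key" = "/etc/secrets/initrd/wg-initrd.key";
  };

  # Runs after the initrd network is configured. sshd listens on all
  # addresses, so it is reachable over wg0 once the tunnel is up.
  boot.initrd.network.postCommands = ''
    ip link add wg0 type wireguard
    wg set wg0 private-key /etc/wg-initrd.key listen-port 51820 \
      peer PLACEHOLDER_PEER_PUBLIC_KEY \
      endpoint vpn.example.net:51820 \
      allowed-ips 10.100.0.1/32 \
      persistent-keepalive 25
    ip addr add 10.100.0.2/24 dev wg0
    ip link set wg0 up
  '';
}
```

On the client side it is worth pinning the initrd host key in its own known_hosts entry (for example with `-o HostKeyAlias=box-initrd -o UserKnownHostsFile=~/.ssh/known_hosts_initrd -p 2222`) so that a key mismatch is at least noticed before the passphrase is typed. That does not address the point raised earlier in the thread: anyone who has extracted the real key from the initrd can still impersonate the machine.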
@sheogorath @kate @felixs We're doing clevis/tang via WireGuard in initrd.