Edit: thanks for all your answers, I think I have an idea how to approach this now. Please don't reply any further, unless you've got something completely new to add :)

Is there a smart way to do SSH LUKS unlocking over WireGuard in the initrd? The issue is that the private WireGuard key must be stored unencrypted in the initrd, so that's really not a nice thing. OTOH the private SSH key is already stored there (it's a separate one only used for this and not the SSH key that is used for OpenSSH when the machine is up).

boosts welcome! @homelab #homelab
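The concern in the question is that anything placed in the initrd sits in cleartext on the unencrypted /boot partition. An audit script for that, added here as an example and not part of the thread, is below: it walks an initramfs that has already been unpacked to a directory (for instance with `unmkinitramfs` on initramfs-tools systems or `lsinitrd --unpack` on dracut systems, both assumed to be available) and reports files that look like WireGuard private key material, either a `PrivateKey =` line in a wg config or a bare 44-character base64 key file as written by `wg genkey`. The sample tree it builds is constructed for the demonstration; the key bytes in it are not a real key.

```python
import base64
import re
import tempfile
from pathlib import Path

# A WireGuard key is 32 raw bytes, base64-encoded: 43 base64 chars + one '=' pad.
WG_KEY_RE = re.compile(r"^[A-Za-z0-9+/]{43}=$")
# "PrivateKey = <key>" as it appears in a wg / wg-quick configuration file.
WG_CONF_PRIVKEY_RE = re.compile(
    r"^\s*PrivateKey\s*=\s*([A-Za-z0-9+/]{43}=)\s*$", re.MULTILINE
)


def find_plaintext_wg_keys(root):
    """Return a sorted list of (relative_path, reason) for every text file under
    `root` (an unpacked initramfs) that looks like a cleartext WireGuard private key.

    File permissions are deliberately ignored: the initrd image itself lives on an
    unencrypted /boot, so mode bits inside it do not protect anything."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="strict")
        except (UnicodeDecodeError, OSError):
            continue  # binaries, host keys in raw form, unreadable files
        rel = path.relative_to(root).as_posix()
        if WG_CONF_PRIVKEY_RE.search(text):
            findings.append((rel, "PrivateKey= line in WireGuard config"))
        elif WG_KEY_RE.match(text.strip()):
            # Public keys have the same base64 shape, so the file name is used as a
            # hint: "pub" in the name is treated as a public key and skipped.
            if "pub" not in path.name.lower():
                findings.append((rel, "bare base64 key file"))
    return findings


def build_sample_initramfs():
    """Constructed stand-in for an unpacked initrd; returns its directory path."""
    root = Path(tempfile.mkdtemp(prefix="initrd-audit-"))
    # Constructed key: base64 of the bytes 0..31 (44 chars), not a real key.
    fake_key = base64.b64encode(bytes(range(32))).decode()
    wg_dir = root / "etc" / "wireguard"
    wg_dir.mkdir(parents=True)
    (wg_dir / "wg0.conf").write_text(
        "[Interface]\n"
        f"PrivateKey = {fake_key}\n"
        "Address = 10.0.0.2/32\n"
        "[Peer]\n"
        f"PublicKey = {fake_key}\n"
        "Endpoint = vpn.example.invalid:51820\n"
    )
    (wg_dir / "privatekey").write_text(fake_key + "\n")
    (wg_dir / "publickey").write_text(fake_key + "\n")   # same shape, skipped by name
    dropbear = root / "etc" / "dropbear"
    dropbear.mkdir(parents=True)
    (dropbear / "dropbear_ed25519_host_key").write_bytes(b"\x00\x00\x00\x0bssh-ed25519\xff\xfe")
    (root / "bin").mkdir()
    (root / "bin" / "busybox").write_bytes(b"\x7fELF\x02\x01\x01\x00")
    return root


if __name__ == "__main__":
    sample = build_sample_initramfs()
    for rel, reason in find_plaintext_wg_keys(sample):
        print(f"{rel}: {reason}")
```

Run against a real unpacked image, a non-empty result list is exactly the situation the question describes: the WireGuard identity is recoverable by anyone who can read the boot partition, which is why the replies below steer toward sealing the keys in a TPM or toward a transport whose initrd-resident secret is less valuable if copied.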

@kate @homelab I think there might not be... at least when I last thought about it, I saw no safe way to do this. Back then I went with a passwordless reboot solution but this is annoying after power outages, so nowadays, I'd probably go for TPM & SecureBoot for unattended full disk encryption honestly
@felixs @kate @homelab

Tailscale is able to store the node keys in the TPM, so that could be a possibility.

Alternatively you can use something specifically in the initramfs, which is less of an issue if stolen (like you can set up Tor and unlock through an onion address).

As for SSH node keys, `ssh-tpm-agent` can seal those in the TPM too.