xrisk 4 days ago

This is not the same thing, is it? Arch Wiki mentions something about having to install a separate ssh server into initramfs to support ssh'ing into fully encrypted systems.

systemd-cryptenroll seems to be about storing encryption keys into the TPM so that they can be decrypted automatically at boot (?)

Apologies if I misunderstood something.

epistasis 4 days ago | parent | next

I'm looking for what you're describing, some way to remote unlock a system. Is this the wiki page you're talking about?

https://wiki.archlinux.org/title/Dm-crypt/Specialties#Remote...

However, I'd prefer that the box is not on the general internet, but only over my tailscale net. I wonder if tailscale will also fit in the initramfs...

xrisk 4 days ago | parent

Yeah I was looking at that page. Found this btw: https://github.com/darkrain42/tailscale-initramfs

epistasis 4 days ago | parent

Thanks! I'm just getting back into Linux boot issues for the first time in multiple decades, and boy is it different than I remember.

It's pretty incredible to be able to dump all this stuff directly into the boot system. Now to see what Omarchy has done to give the fancy LUKS password entry...

conradev 4 days ago | parent | prev

and I imagine that the initramfs is not encrypted and trivially modifiable?

Apple is able to achieve this securely because their devices are not fully encrypted. They can authenticate/sign the unencrypted system partition.

klooney 4 days ago | parent

https://mastodon.social/@pid_eins/113404099228886304

You auth the initrd too

conradev 4 days ago | parent

This is super cool, thanks for the link! I’m glad they were able to leverage the TPM
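The exchange above (is the initramfs trivially modifiable, and how does "auth the initrd too" work with a TPM) comes down to which PCRs the LUKS key is sealed against. The following is an added example, not code from this thread, from systemd or from any TPM library: it is a pure-Python model of TPM 2.0 PCR extend and PCR-bound sealing, written to show why a key bound only to PCR 7 (the Secure Boot policy state, which is systemd-cryptenroll's default `--tpm2-pcrs=` selection) still unseals after an initrd is swapped if that initrd is not covered by a signed image, while a key also bound to PCR 11 (where systemd-stub measures the sections of a unified kernel image) does not. The boot blobs, the volume key, the TPM seed and the HMAC/XOR construction standing in for the TPM's sealed object are all constructed for the illustration; a real TPM evaluates the policy inside the chip with TPM2_PolicyPCR and never exposes a seed.

```python
import hashlib
import hmac

# Everything below is a constructed model for illustration, not the TPM 2.0
# API and not systemd-cryptenroll's own code.

PCR_INIT = bytes(32)  # a SHA-256 PCR bank starts at all zeros
SB_POLICY = b"constructed: SecureBoot=1 + db/dbx/KEK/PK certificate digests"
UKI_GOOD = b"constructed UKI: kernel + initrd + cmdline, as signed"
UKI_TAMPERED = b"constructed UKI: kernel + initrd with a keylogger + cmdline"
VOLUME_KEY = hashlib.sha256(b"constructed LUKS volume key").digest()
TPM_SEED = b"constructed TPM-internal seed, never leaves the chip"


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: new = H(old || H(blob)). One-way and order-dependent."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(events):
    """events: list of (pcr_index, blob) in boot order. Returns {index: value}."""
    pcrs = {}
    for idx, blob in events:
        pcrs[idx] = pcr_extend(pcrs.get(idx, PCR_INIT), blob)
    return pcrs


def policy_digest(pcrs, selected):
    """Composite digest over the selected PCRs, in the spirit of TPM2_PolicyPCR."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(selected))).digest()


def seal(key, pcrs, selected, seed=TPM_SEED):
    """Model of enrolment: the key is recoverable only under this PCR policy."""
    kek = hmac.new(seed, policy_digest(pcrs, selected), hashlib.sha256).digest()
    blob = bytes(a ^ b for a, b in zip(key, kek))  # 32-byte key, 32-byte pad
    tag = hmac.new(kek, blob, hashlib.sha256).digest()
    return {"pcrs": sorted(selected), "blob": blob, "tag": tag}


def unseal(sealed, pcrs, seed=TPM_SEED):
    """Model of boot-time unlock: yields the key only if the live PCRs match."""
    kek = hmac.new(seed, policy_digest(pcrs, sealed["pcrs"]), hashlib.sha256).digest()
    tag = hmac.new(kek, sealed["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, sealed["tag"]):
        return None  # policy failure: the TPM hands out nothing
    return bytes(a ^ b for a, b in zip(sealed["blob"], kek))


def run_scenarios():
    """Enrol against the known-good boot, then boot with a swapped initrd."""
    good = measure_boot([(7, SB_POLICY), (11, UKI_GOOD)])
    tampered = measure_boot([(7, SB_POLICY), (11, UKI_TAMPERED)])
    only_pcr7 = seal(VOLUME_KEY, good, {7})
    pcr7_and_11 = seal(VOLUME_KEY, good, {7, 11})
    return {
        # PCR 7 alone: Secure Boot state is unchanged, so the swap goes unnoticed
        "pcr7_good": unseal(only_pcr7, good) == VOLUME_KEY,
        "pcr7_tampered_initrd_still_unlocks": unseal(only_pcr7, tampered) == VOLUME_KEY,
        # PCR 7 + 11: the UKI measurement differs, so the TPM refuses
        "pcr7_11_good": unseal(pcr7_and_11, good) == VOLUME_KEY,
        "pcr7_11_tampered_initrd_refused": unseal(pcr7_and_11, tampered) is None,
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The practical reading: binding to PCR 7 protects against Secure Boot being switched off or re-keyed, not against a different initrd being loaded under the same Secure Boot state. The initrd becomes part of what the TPM checks either because it sits inside a signed UKI that the firmware verifies, or because the PCR that measures it is part of the sealing policy; binding to the exact PCR 11 value also means every kernel update needs a re-enrolment (or a signed PCR policy), which is the trade-off to plan for.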