Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
epistasis 2 hours ago

Glad to see another example of this! Remote unlocking of your personal server's encrypted hard drive is PITA.

Other options that I've investigated that involve having a second server:

* A second server with Tang, and Clevis in the initramfs OS

* Keylime

Putting tailscale in the initramfs, and then updating the certs on a frequent enough schedule, seems risky to me. I've already played around with limine enough that I know I don't want to install much in the initramfs...

SchemaLoad an hour ago | parent [-]

TPM is probably the best solution here. The key can be automatically fetched on reboot unless the boot order is changed or the drive is put in another computer.

Realistically for a home server what you are worried about is someone breaking in and selling your drives on Facebook marketplace rather than the FBI raiding your nextcloud server. So TPM automated unlock is perfectly sufficient.

bogwog an hour ago | parent [-]

> Realistically for a home server what you are worried about is someone breaking in and selling your drives on Facebook marketplace

If someone steals the entire machine, the drives will unlock themselves automatically. I don't think it's worth the risk to assume a hypothetical thief is too lazy to check if there's any valuable data on the disks. At the very least, they'll probably check for crypto wallets.

With something like Clevis and Tang, you can set it up so it only auto unlocks while connected to your home network, or do something more complex as needed

michaelt 30 minutes ago | parent | next [-]

The hope with the TPM is that the system boots to a standard login screen, and the thief doesn't know any user's password. Much like someone snatching a laptop that's in 'suspend' mode.

Of course, a thief could try to bypass the login screen by e.g. booting with a different kernel command line, or a different initramfs. If you want to avoid this vulnerability, TPM unlock can be configured as a very fragile house of cards - the tiniest change and it falls down. The jargon for this is "binding to PCRs"

SchemaLoad 44 minutes ago | parent | prev [-]

They will unlock in to a password protected system. Unless the junkie who stole your server has an unpatched debian login bug, this won't be much use to them. If they remove the drive or attempt to boot off a USB, the drive is unreadable.

danparsonson 37 minutes ago | parent [-]

What's the difference when booting off a USB drive? That's been my goto in the past when I forgot my login password; does the TPM only unlock boot devices?