by xrisk 266 days ago
This is not the same thing is it? Arch Wiki mentions something about having to install a separate ssh server into initramfs to support ssh’ing into fully encrypted systems.

systemd-cryptenroll seems to be about storing encryption keys into the TPM so that they can be decrypted automatically at boot (?)

Apologies if I misunderstood something.


I'm looking for what you're describing, some way to remote unlock a system. Is this the wiki page you're talking about?

https://wiki.archlinux.org/title/Dm-crypt/Specialties#Remote...

However, I'd prefer that the box is not on the general internet, but only over my tailscale net. I wonder if tailscale will also fit in the initramfs...

Yeah I was looking at that page. Found this btw: https://github.com/darkrain42/tailscale-initramfs

Thanks! I'm just getting back into Linux boot issues for the first time in multiple decades, and boy is it different than I remember.

It's pretty incredible to be able to dump all this stuff directly into the boot system. Now to see what Omarchy has done to give the fancy LUKS password entry...

And I imagine that the initramfs is not encrypted and trivially modifiable?

Apple is able to achieve this securely because their devices are not fully encrypted. They can authenticate/sign the unencrypted system partition.
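A defender-side check that ties the two points above together (TPM-sealed LUKS keys via systemd-cryptenroll, and the worry that an unencrypted initramfs can be swapped out). This is an added example, not code from the thread or from systemd; it parses the `Tokens:` section of `cryptsetup luksDump` output and reports which PCRs a `systemd-tpm2` token is bound to. Binding only to PCR 7 reflects the Secure Boot policy, not the initramfs itself; PCRs 4, 9 and 11 record the loaded boot loader, initrd and UKI images respectively, so a key bound to one of them is not released when those images change. The two dumps embedded below are constructed and abridged; the field names follow the luksDump format as I know it and are assumed, so confirm against a real dump before relying on the script.

```shell
#!/bin/sh
# Added example (not from this thread): check whether a LUKS2 volume's
# systemd-tpm2 token binds the sealed key to PCRs that measure the loaded
# kernel/initrd, so that a modified initramfs changes the policy and the
# TPM refuses to release the key. Real input comes from
#   cryptsetup luksDump /dev/<luks-partition>
# The two dumps below are constructed and abridged for illustration.

# Assumed common enrollment: only PCR 7 (Secure Boot state) bound.
SAMPLE_DUMP_PCR7='LUKS header information
Version:        2
Epoch:          5
Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   7
        tpm2-pcr-bank:    sha256
        tpm2-pin:         false
        Keyslot:          1
Digests:
  0: pbkdf2
'

# Assumed UKI enrollment: PCR 7 plus PCR 11 (systemd-stub measures the
# kernel image and its embedded initrd into PCR 11).
SAMPLE_DUMP_UKI='LUKS header information
Version:        2
Epoch:          7
Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   7+11
        tpm2-pcr-bank:    sha256
        tpm2-pin:         false
        Keyslot:          1
Digests:
  0: pbkdf2
'

# Print the PCR list ("7", "7+11", ...) of the first systemd-tpm2 token in a
# luksDump listing read from stdin; print nothing if no such token exists.
tpm2_bound_pcrs() {
    awk '
        /^Tokens:/                      { in_tokens = 1; next }
        in_tokens && /^[A-Za-z]/        { in_tokens = 0; in_tpm2 = 0 }
        in_tokens && /^ *[0-9]+: /      { in_tpm2 = ($2 == "systemd-tpm2"); next }
        in_tpm2 && /tpm2-hash-pcrs:/    { print $2; exit }
    '
}

# Return 0 if the "+"-separated PCR list contains a PCR that records the
# boot loader / initrd / UKI images (4, 9 or 11), 1 otherwise.
# PCR 7 alone only reflects Secure Boot policy, not the initramfs contents.
pcrs_cover_initrd() {
    for p in $(printf '%s\n' "$1" | tr '+' ' '); do
        case "$p" in 4|9|11) return 0 ;; esac
    done
    return 1
}

# Print one verdict line for a dump read from stdin:
#   none           no systemd-tpm2 token enrolled
#   ok:<pcrs>      bound to a PCR that covers the initrd
#   weak:<pcrs>    bound only to PCRs that do not cover the initrd
check_dump() {
    pcrs=$(tpm2_bound_pcrs)
    if [ -z "$pcrs" ]; then
        echo none
    elif pcrs_cover_initrd "$pcrs"; then
        echo "ok:$pcrs"
    else
        echo "weak:$pcrs"
    fi
}

printf '%s' "$SAMPLE_DUMP_PCR7" | check_dump   # weak:7
printf '%s' "$SAMPLE_DUMP_UKI"  | check_dump   # ok:7+11
```

To run it against a live system, replace the embedded samples with `cryptsetup luksDump /dev/<luks-partition> | check_dump`. A `weak:` verdict does not by itself mean the key is exposed, but it does mean the TPM policy will not notice a replaced initramfs; whether the initrd is measured into PCR 9 or 11 at all depends on how the system boots (UKI versus separate initrd), which is why the script reports the PCR set rather than a single yes/no.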

This is super cool, thanks for the link! I’m glad they were able to leverage the TPM