440 points ingve | 2 comments
irusensei No.44472599
I use a 12600H MS-01 with 5x4tb nvme. Love the SFP+ ports since the DAC cable doesn't need ethernet to SFP adapters. Intel vPro is not perfect but works just fine for remote management access. I also plug a bus powered dual ssd enclosure to it which is used for Minio object storage.

It's a file server (when did we start calling these "NAS"?) with Samba, NFS but also some database stuff. No VMs or dockers. Just a file and database server.

It has full disk encryption with TPM unlocking with my custom keys so it can boot unattended. I'm quite happy with it.

replies(1): >>44472912 #
1. asymmetric No.44472912
Can you expand on the TPM unlocking? Wouldn't this be vulnerable to evil maid attacks?
replies(1): >>44474180 #
2. irusensei No.44474180
An evil maid is not on my threat level. I'm more worried about a burglar getting into my house and stealing my stuff and my data with it. It's a 1l PC with more than 10TBs of data so it fits in a small bag.

I start with normal full disk encryption and enrolling my secure boot keys into the device (no vendor or MS keys) then I use systemd-cryptenroll to add a TPM2 key slot into the LUKS device. Automatic unlock won't happen if you disable secure boot or try to boot anything other than my signed binaries (since I've opted to not include the Microsoft keys).

systemd-cryptenroll has a bunch of stricter security levels you can choose (PCRs). Have a look at their documentation.
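An added example, not written by either poster, that audits the result of such an enrollment: it reads the JSON that `cryptsetup luksDump --dump-json-metadata` prints for a LUKS2 device and checks that every `systemd-tpm2` token binds at least PCR 7, the register that records the Secure Boot state and the enrolled key databases, which is what makes the automatic unlock fail when Secure Boot is turned off or different keys are enrolled. The sample header and the required-PCR set are constructed for the example.

```python
"""Audit systemd-tpm2 tokens in a LUKS2 header for PCR binding."""
import json
import subprocess

# PCR 7 covers Secure Boot state plus PK/KEK/db/dbx; binding to it is what
# ties the unlock to "my signed binaries only". Assumed policy for the example.
REQUIRED_PCRS = {7}


def tpm2_tokens(header):
    """Yield (index, token) for each systemd-tpm2 token in luksDump JSON."""
    for idx, tok in header.get("tokens", {}).items():
        if tok.get("type") == "systemd-tpm2":
            yield idx, tok


def audit_header(header, required=REQUIRED_PCRS):
    """Return a list of findings; an empty list means the header passes."""
    findings = []
    tokens = list(tpm2_tokens(header))
    if not tokens:
        findings.append("no systemd-tpm2 token: TPM auto-unlock is not enrolled")
    for idx, tok in tokens:
        pcrs = set(tok.get("tpm2-pcrs", []))
        if not pcrs:
            findings.append(f"token {idx}: bound to no PCRs, any boot path unlocks")
            continue
        missing = sorted(required - pcrs)
        if missing:
            findings.append(f"token {idx}: policy omits required PCR(s) {missing}")
        if not tok.get("keyslots"):
            findings.append(f"token {idx}: references no keyslot")
    return findings


def audit_device(dev):
    """Run cryptsetup on a real device (needs root) and audit its header."""
    out = subprocess.run(
        ["cryptsetup", "luksDump", "--dump-json-metadata", dev],
        check=True, capture_output=True, text=True).stdout
    return audit_header(json.loads(out))


# Constructed sample: token 0 mirrors what systemd-cryptenroll writes with
# --tpm2-pcrs=7, token 1 is a weak enrollment with an empty PCR list.
SAMPLE_HEADER = json.loads("""{"tokens": {
 "0": {"type": "systemd-tpm2", "keyslots": ["1"], "tpm2-pcrs": [7],
       "tpm2-pcr-bank": "sha256", "tpm2-pin": false},
 "1": {"type": "systemd-tpm2", "keyslots": ["2"], "tpm2-pcrs": [],
       "tpm2-pcr-bank": "sha256", "tpm2-pin": false}}}""")

if __name__ == "__main__":
    for f in audit_header(SAMPLE_HEADER):
        print("FINDING:", f)
```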