←back to thread

Apple: SSH and FileVault

(keith.github.io)
507 points ingve | 7 comments | 18 Sep 25 20:15 UTC | HN request time: 0s | source | bottom
Show context
pfexec ◴[18 Sep 25 21:37 UTC] No.45295315[source]
Friendly reminder that you've been able to automatically unlock fully-encrypted Linux systems via TPM for years since it was added to systemd...

(Here's a nickel kid...)

replies(7): >>45295330 #>>45295407 #>>45295507 #>>45295760 #>>45295936 #>>45299627 #>>45311400 #
1. xrisk ◴[18 Sep 25 21:56 UTC] No.45295507[source]
This is not the same thing is it? Arch Wiki mentions something about having to install a separate ssh server into initramfs to support ssh’ing into fully encrypted systems.

systemd-cryptenroll seems to be about storing encryption keys into the TPM so that they can be decrypted automatically at boot (?)

Apologies if I misunderstood something.

replies(2): >>45295907 #>>45296423 #
2. epistasis ◴[18 Sep 25 22:41 UTC] No.45295907[source]
I'm looking for what you're describing, some way to remote unlock a system. Is this the wiki page you're talking about?

https://wiki.archlinux.org/title/Dm-crypt/Specialties#Remote...

However, I'd prefer that the box is not on the general internet, but only over my tailscale net. I wonder if tailscale will also fit in the initramfs...

replies(1): >>45296075 #
3. xrisk ◴[18 Sep 25 23:03 UTC] No.45296075[source]
Yeah I was looking at that page. Found this btw: https://github.com/darkrain42/tailscale-initramfs
replies(1): >>45296219 #
4. epistasis ◴[18 Sep 25 23:22 UTC] No.45296219{3}[source]
Thanks! I'm just getting back into Linux boot issues for the first time in multiple decades, and boy is it different than I remember.

It's pretty incredible to be able to dump all this stuff directly into the boot system. Now to see what Omarchy has done to give the fancy LUKS password entry...

5. conradev ◴[18 Sep 25 23:51 UTC] No.45296423[source]
and I imagine that the initramfs is not encrypted and trivially modifiable?

Apple is able to achieve this securely because their devices are not fully encrypted. They can authenticate/sign the unencrypted system partition.

replies(1): >>45296761 #
6. klooney ◴[19 Sep 25 00:51 UTC] No.45296761[source]
https://mastodon.social/@pid_eins/113404099228886304

You auth the initrd too

replies(1): >>45297153 #
7. conradev ◴[19 Sep 25 01:53 UTC] No.45297153{3}[source]
This is super cool, thanks for the link! I’m glad they were able to leverage the TPM