(keith.github.io)

507 points ingve | 3 comments | 18 Sep 25 20:15 UTC | HN request time: 0s | source

Show context

pfexec ◴[18 Sep 25 21:37 UTC] No.45295315[source]▶

Friendly reminder that you've been able to automatically unlock fully-encrypted Linux systems via TPM for years since it was added to systemd...

(Here's a nickel kid...)

replies(7): >>45295330 #>>45295407 #>>45295507 #>>45295760 #>>45295936 #>>45299627 #>>45311400 #

xrisk ◴[18 Sep 25 21:56 UTC] No.45295507[source]▶

>>45295315 #

This is not the same thing is it? Arch Wiki mentions something about having to install a separate ssh server into initramfs to support ssh’ing into fully encrypted systems.

systemd-cryptenroll seems to be about storing encryption keys into the TPM so that they can be decrypted automatically at boot (?)

Apologies if I misunderstood something.

replies(2): >>45295907 #>>45296423 #

1. epistasis ◴[18 Sep 25 22:41 UTC] No.45295907[source]▶

>>45295507 #

I'm looking for what you're describing, some way to remote unlock a system. Is this the wiki page you're talking about?

https://wiki.archlinux.org/title/Dm-crypt/Specialties#Remote...

However, I'd prefer that the box is not on the general internet, but only over my tailscale net. I wonder if tailscale will also fit in the initramfs...

replies(1): >>45296075 #

2. xrisk ◴[18 Sep 25 23:03 UTC] No.45296075[source]▶

>>45295907 (TP) #

Yeah I was looking at that page. Found this btw: https://github.com/darkrain42/tailscale-initramfs

replies(1): >>45296219 #

3. epistasis ◴[18 Sep 25 23:22 UTC] No.45296219[source]▶

>>45296075 #

Thanks! I'm just getting back into Linux boot issues for the first time in multiple decades, and boy is it different than I remember.

It's pretty incredible to be able to dump all this stuff directly into the boot system. Now to see what Omarchy has done to give the fancy LUKS password entry...

↑

Apple: SSH and FileVault