#clevis — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #clevis, aggregated by home.social.
-
Had one of those days of problem chains today. I've rebuilt my #homelab internal CA over the past two weeks, and today I wanted to do the simple task of making my #truenas scale server get its web certificate from it over ACME.
Well, problem one: TrueNAS doesn't do ACME via anything other than DNS challenges, which I haven't set up internal DNS for yet. So (given my TrueNAS was still running 24.04) I decided to upgrade it to 24.10 to see if that added any functionality. The upgrade was smooth, but it once again broke my #clevis automatic unlock of my storage pool.
So then I decided to fix my unlock script to cleanly handle updates (and fixed it so that pool passwords could contain " while I was at it, because why not).
Then having fixed that, I decided I should update my blog post (https://i.am.eddmil.es/posts/clevis-tang-truenas-scale/) about it from last year with the new more robust script.
I then realised that when I'd updated all my firewall rules last month, I'd broken SSH access from my #forgejo runner to the webserver used for auto-deploying website updates, so I had to fix the #puppet code that controls the firewall rules.
Finally that was all working, so I updated my TrueNAS to 25.04, in the vain hope that it would have better ACME support (it doesn't, but at least it validated my clevis script updates, and was the only thing today that just worked as intended)!
Finally I hacked something hideous together using https://github.com/danb35/deploy-freenas/ and acme.sh to get a certificate from my ACME server and deploy it (which I could have done at the start and skipped the whole day of fixing other problems).
Taking 6 hours to deploy an SSL cert wasn't quite what I had planned for my Easter Sunday, but at least I achieved it in the end. Onwards to see what chaos I can cause tomorrow...
-
@Gentoo_eV Given that I get a KVM console in time, I will demonstrate my installation guide (https://gentoo.duxsco.de/) in English using a #Hetzner dedicated server.
- What? Beyond Secure Boot – Measured Boot on Gentoo Linux?
- When? Saturday, 2024-10-19 at 18:00 UTC (20:00 CEST)
- Where? Video call via BigBlueButton: https://bbb.gentoo-ev.org/
The final setup will feature:
- #SecureBoot: All EFI binaries and unified kernel images are signed.
- #MeasuredBoot: #clevis and #tang will be used to check the system for manipulations via #TPM 2.0 PCRs and for remote LUKS unlock (you don't need tty).
- Fully encrypted: Except for ESPs, all partitions are #LUKS encrypted.
- #RAID: Except for ESPs, #btrfs and #mdadm based #RAID are used for all partitions.
- Rescue System: A customised #SystemRescue (https://www.system-rescue.org/) supports SSH logins and provides a convenient chroot.sh script.
- Hardened #Gentoo #Linux for a highly secure, high stability production environment.
- If enough time is left at the end, #SELinux, which provides Mandatory Access Control using type enforcement and role-based access control.
-
@mirabilos: Whoa, that phrasing is dangerous. Without the word "just" it would have meant the opposite.
Does anyone already have experience using #clevis (and #tang) to unlock full disk encryption over #IPv6?
-
After a request on the #selfhosted community on Lemmy, I wrote up how I use LUKS, Clevis, and Tang to give me network-bound encryption. This means that I can restart my servers as long as they're on my home network without worrying about having to log in to decrypt the drive, but if someone breaks in and steals my servers and turns them on anywhere else, the data on them is safe. https://i.am.eddmil.es/clevistang/
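The property described above, that the drive key can be recovered only while the tang server is reachable and never by the server alone, comes from the McCallum-Relyea exchange tang implements. What follows is an added example, not code from the post or from the clevis/tang projects: a simulation of that exchange over a modular-exponentiation group with constructed toy parameters (real tang uses elliptic-curve points and JWK-formatted messages, and clevis stores the client's public value in the LUKS header).

```python
import secrets

# Constructed toy group: a Mersenne prime modulus and generator 3, chosen only
# to show the algebra. Not a secure parameter set; tang uses NIST curves.
P = (1 << 127) - 1
G = 3


def keygen():
    """Tang side: long-term private s and the advertised public S = g^s."""
    s = secrets.randbelow(P - 2) + 1
    return s, pow(G, s, P)


def provision(server_pub):
    """Client at bind time: derive K from a fresh ephemeral c, keep only
    C = g^c (this is what gets stored on disk); c and K are discarded."""
    c = secrets.randbelow(P - 2) + 1
    key = pow(server_pub, c, P)                 # K = S^c = g^(s*c)
    return pow(G, c, P), key


def blind(client_pub):
    """Client at unlock: blind C with ephemeral e so the server only sees X."""
    e = secrets.randbelow(P - 2) + 1
    return e, (client_pub * pow(G, e, P)) % P   # X = C * g^e = g^(c+e)


def recover_on_server(server_priv, x):
    """Tang recovery endpoint: raise the blinded value to s. Stateless; the
    server learns neither C nor K because e hides them."""
    return pow(x, server_priv, P)               # Y = X^s = g^(s*(c+e))


def unblind(server_pub, e, y):
    """Client: strip the blinding factor. K = Y / S^e = g^(s*c)."""
    z = pow(server_pub, e, P)                   # S^e = g^(s*e)
    return (y * pow(z, -1, P)) % P


def unlock_round_trip(server_priv, server_pub, client_pub):
    """Full unlock: returns the key the client reconstructs via the server."""
    e, x = blind(client_pub)
    y = recover_on_server(server_priv, x)
    return unblind(server_pub, e, y)
```

Without the server, the client holds only C and S, so reconstructing K is a Diffie-Hellman problem; a different tang instance (the "turned on somewhere else" case) returns a value that unblinds to the wrong key.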
-
The last part of the series on the Trusted Platform Module covers encrypting and decrypting storage devices with #TPM using #Clevis and systemd-cryptenroll: https://blog.b1-systems.de/teil-3-datentrager-mit-tpm-und-luks-ver-und-entschlusseln-zusammenfassung-und-fazit #security #Verschlüsselung #LUKS
-
In this article I give you an overview of what Network Bound Disk Encryption (NBDE) is and describe a concrete use case. At the end of the article I list some references you can use to implement NBDE yourself if you are interested. https://www.my-it-brain.de/wordpress/network-bound-disk-encryption-im-ueberblick/