#luks — Public Fediverse posts

Is it possible for the OS to proceed after a failed LUKS decryption? #encryption #luks

https://askubuntu.com/q/1566775/612

Just to be absolutely clear: #LUKS with TPM unlocking is equally vulnerable to various attacks. You should definitely use TPM+PIN with LUKS as well. See systemd-cryptenroll --tpm2-with-pin=yes

https://wiki.archlinux.org/title/Systemd-cryptenroll#Trusted_Platform_Module

When two Hetzner servers died at the same time

On May 12, 2026, two of my Arch Linux + LUKS servers at Hetzner became unreachable at the same moment. Both had been running for 4+ months without issue. Both had received the same pacman -Syyu the day before, but had stayed on the old kernel until the morning the websites stopped responding. I rebooted — SSH never came back. nmap -Pn -p 22 showed filtered from anywhere. No ping. No banner. The Hetzner Robot panel insisted the hardware was fine.

Several hours went into hypotheses that turned out to be wrong:

• The encryptssh initcpio hook referencing a /usr/lib/initcpio/udev/11-dm-initramfs.rules file that no longer exists. Real bug, no boot impact — the initramfs rebuilds anyway.
• PermitRootLogin no in sshd_config. Real misconfiguration, fixed it, didn’t help. A refusing sshd shows closed, not filtered.
• Predictable interface-naming drift after the systemd 260 upgrade. Patched the .network config to match by MAC. Useful hardening; not the cause.
• Stale GRUB stage1 + core.img in the MBR. Arch never re-runs grub-install after a grub package upgrade. Refreshed it. Still filtered.
• Kernel 7.0.5 regression. Downgraded to 6.18.3, the kernel that had run for 4 months. Still filtered. So the kernel itself wasn’t it either.

The clue was in the persistent journal: a single recorded boot from December 31 to May 12 10:13 UTC, and absolutely nothing after. Every reboot since the upgrade was failing before systemd-journald could flush to disk — so the failure had to be in the initramfs, before the root filesystem was even mounted.

What it almost certainly was

Hetzner Dedicated servers configure the initramfs network with ip=dhcp on the kernel command line. That depends on Hetzner’s DHCP server replying to whatever request format the current kernel sends. Somewhere between kernel 6.18 / iproute2 6.18 and kernel 7.0 / iproute2 7.0, the request format changed enough that Hetzner’s DHCP stopped responding. Effects:

• Old kernel at runtime kept the interface already configured (Phase A — 32 hours of healthy operation after the package upgrade).
• New kernel cold-boots, hits DHCP, never gets an IP, dropbear cannot listen, port 22 stays filtered.

Hetzner’s own documentation has been quietly moving away from ip=dhcp toward static IPv4 in the kernel command line. The fix is exactly that:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/md1:cryptroot ip=A.B.C.D::GATEWAY:255.255.255.255:hostname:eth0:none"

One line in /etc/default/grub, grub-mkconfig, reboot. No more dependency on Hetzner’s DHCP responding to whatever your current kernel sends.

Why it matters for anyone running this stack

If you run Arch on Hetzner Dedicated with full-disk encryption and remote unlock via dropbear, the ip=dhcp shipped by installimage is a latent bug. It can keep working for years and then break overnight, on every machine you have, after a routine pacman -Syyu. The static-IP version is what Hetzner now recommends and removes the entire dependency.

Tooling

While debugging, I turned the whole rescue / chroot / diagnose / fix workflow into a Python CLI (hal) — including hal fix static-ip, which derives the static cmdline directly from your existing systemd-networkd .network file:

→ github.com/kevinveenbirkenbach/hetzner-arch-luks

Single command, idempotent, reversible (the original /etc/default/grub is backed up to .hal-backup). If you’re on this stack, switch to static IP before the next kernel upgrade catches you.

When two Hetzner servers died at the same time

On May 12, 2026, two of my Arch Linux + LUKS servers at Hetzner became unreachable at the same moment. Both had been running for 4+ months without issue. Both had received the same pacman -Syyu the day before, but had stayed on the old kernel until the morning the websites stopped responding. I rebooted — SSH never came back. nmap -Pn -p 22 showed filtered from anywhere. No ping. No banner. The Hetzner Robot panel insisted the hardware was fine.

Several hours went into hypotheses that turned out to be wrong:

• The encryptssh initcpio hook referencing a /usr/lib/initcpio/udev/11-dm-initramfs.rules file that no longer exists. Real bug, no boot impact — the initramfs rebuilds anyway.
• PermitRootLogin no in sshd_config. Real misconfiguration, fixed it, didn’t help. A refusing sshd shows closed, not filtered.
• Predictable interface-naming drift after the systemd 260 upgrade. Patched the .network config to match by MAC. Useful hardening; not the cause.
• Stale GRUB stage1 + core.img in the MBR. Arch never re-runs grub-install after a grub package upgrade. Refreshed it. Still filtered.
• Kernel 7.0.5 regression. Downgraded to 6.18.3, the kernel that had run for 4 months. Still filtered. So the kernel itself wasn’t it either.

The clue was in the persistent journal: a single recorded boot from December 31 to May 12 10:13 UTC, and absolutely nothing after. Every reboot since the upgrade was failing before systemd-journald could flush to disk — so the failure had to be in the initramfs, before the root filesystem was even mounted.

What it almost certainly was

Hetzner Dedicated servers configure the initramfs network with ip=dhcp on the kernel command line. That depends on Hetzner’s DHCP server replying to whatever request format the current kernel sends. Somewhere between kernel 6.18 / iproute2 6.18 and kernel 7.0 / iproute2 7.0, the request format changed enough that Hetzner’s DHCP stopped responding. Effects:

• Old kernel at runtime kept the interface already configured (Phase A — 32 hours of healthy operation after the package upgrade).
• New kernel cold-boots, hits DHCP, never gets an IP, dropbear cannot listen, port 22 stays filtered.

Hetzner’s own documentation has been quietly moving away from ip=dhcp toward static IPv4 in the kernel command line. The fix is exactly that:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/md1:cryptroot ip=A.B.C.D::GATEWAY:255.255.255.255:hostname:eth0:none"

One line in /etc/default/grub, grub-mkconfig, reboot. No more dependency on Hetzner’s DHCP responding to whatever your current kernel sends.

Why it matters for anyone running this stack

If you run Arch on Hetzner Dedicated with full-disk encryption and remote unlock via dropbear, the ip=dhcp shipped by installimage is a latent bug. It can keep working for years and then break overnight, on every machine you have, after a routine pacman -Syyu. The static-IP version is what Hetzner now recommends and removes the entire dependency.

Tooling

While debugging, I turned the whole rescue / chroot / diagnose / fix workflow into a Python CLI (hal) — including hal fix static-ip, which derives the static cmdline directly from your existing systemd-networkd .network file:

→ github.com/kevinveenbirkenbach/hetzner-arch-luks

Single command, idempotent, reversible (the original /etc/default/grub is backed up to .hal-backup). If you’re on this stack, switch to static IP before the next kernel upgrade catches you.

When two Hetzner servers died at the same time

On May 12, 2026, two of my Arch Linux + LUKS servers at Hetzner became unreachable at the same moment. Both had been running for 4+ months without issue. Both had received the same pacman -Syyu the day before, but had stayed on the old kernel until the morning the websites stopped responding. I rebooted — SSH never came back. nmap -Pn -p 22 showed filtered from anywhere. No ping. No banner. The Hetzner Robot panel insisted the hardware was fine.

Several hours went into hypotheses that turned out to be wrong:

• The encryptssh initcpio hook referencing a /usr/lib/initcpio/udev/11-dm-initramfs.rules file that no longer exists. Real bug, no boot impact — the initramfs rebuilds anyway.
• PermitRootLogin no in sshd_config. Real misconfiguration, fixed it, didn’t help. A refusing sshd shows closed, not filtered.
• Predictable interface-naming drift after the systemd 260 upgrade. Patched the .network config to match by MAC. Useful hardening; not the cause.
• Stale GRUB stage1 + core.img in the MBR. Arch never re-runs grub-install after a grub package upgrade. Refreshed it. Still filtered.
• Kernel 7.0.5 regression. Downgraded to 6.18.3, the kernel that had run for 4 months. Still filtered. So the kernel itself wasn’t it either.

The clue was in the persistent journal: a single recorded boot from December 31 to May 12 10:13 UTC, and absolutely nothing after. Every reboot since the upgrade was failing before systemd-journald could flush to disk — so the failure had to be in the initramfs, before the root filesystem was even mounted.

What it almost certainly was

Hetzner Dedicated servers configure the initramfs network with ip=dhcp on the kernel command line. That depends on Hetzner’s DHCP server replying to whatever request format the current kernel sends. Somewhere between kernel 6.18 / iproute2 6.18 and kernel 7.0 / iproute2 7.0, the request format changed enough that Hetzner’s DHCP stopped responding. Effects:

• Old kernel at runtime kept the interface already configured (Phase A — 32 hours of healthy operation after the package upgrade).
• New kernel cold-boots, hits DHCP, never gets an IP, dropbear cannot listen, port 22 stays filtered.

Hetzner’s own documentation has been quietly moving away from ip=dhcp toward static IPv4 in the kernel command line. The fix is exactly that:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/md1:cryptroot ip=A.B.C.D::GATEWAY:255.255.255.255:hostname:eth0:none"

One line in /etc/default/grub, grub-mkconfig, reboot. No more dependency on Hetzner’s DHCP responding to whatever your current kernel sends.

Why it matters for anyone running this stack

If you run Arch on Hetzner Dedicated with full-disk encryption and remote unlock via dropbear, the ip=dhcp shipped by installimage is a latent bug. It can keep working for years and then break overnight, on every machine you have, after a routine pacman -Syyu. The static-IP version is what Hetzner now recommends and removes the entire dependency.

Tooling

While debugging, I turned the whole rescue / chroot / diagnose / fix workflow into a Python CLI (hal) — including hal fix static-ip, which derives the static cmdline directly from your existing systemd-networkd .network file:

→ github.com/kevinveenbirkenbach/hetzner-arch-luks

Single command, idempotent, reversible (the original /etc/default/grub is backed up to .hal-backup). If you’re on this stack, switch to static IP before the next kernel upgrade catches you.

When two Hetzner servers died at the same time

On May 12, 2026, two of my Arch Linux + LUKS servers at Hetzner became unreachable at the same moment. Both had been running for 4+ months without issue. Both had received the same pacman -Syyu the day before, but had stayed on the old kernel until the morning the websites stopped responding. I rebooted — SSH never came back. nmap -Pn -p 22 showed filtered from anywhere. No ping. No banner. The Hetzner Robot panel insisted the hardware was fine.

Several hours went into hypotheses that turned out to be wrong:

• The encryptssh initcpio hook referencing a /usr/lib/initcpio/udev/11-dm-initramfs.rules file that no longer exists. Real bug, no boot impact — the initramfs rebuilds anyway.
• PermitRootLogin no in sshd_config. Real misconfiguration, fixed it, didn’t help. A refusing sshd shows closed, not filtered.
• Predictable interface-naming drift after the systemd 260 upgrade. Patched the .network config to match by MAC. Useful hardening; not the cause.
• Stale GRUB stage1 + core.img in the MBR. Arch never re-runs grub-install after a grub package upgrade. Refreshed it. Still filtered.
• Kernel 7.0.5 regression. Downgraded to 6.18.3, the kernel that had run for 4 months. Still filtered. So the kernel itself wasn’t it either.

The clue was in the persistent journal: a single recorded boot from December 31 to May 12 10:13 UTC, and absolutely nothing after. Every reboot since the upgrade was failing before systemd-journald could flush to disk — so the failure had to be in the initramfs, before the root filesystem was even mounted.

What it almost certainly was

Hetzner Dedicated servers configure the initramfs network with ip=dhcp on the kernel command line. That depends on Hetzner’s DHCP server replying to whatever request format the current kernel sends. Somewhere between kernel 6.18 / iproute2 6.18 and kernel 7.0 / iproute2 7.0, the request format changed enough that Hetzner’s DHCP stopped responding. Effects:

• Old kernel at runtime kept the interface already configured (Phase A — 32 hours of healthy operation after the package upgrade).
• New kernel cold-boots, hits DHCP, never gets an IP, dropbear cannot listen, port 22 stays filtered.

Hetzner’s own documentation has been quietly moving away from ip=dhcp toward static IPv4 in the kernel command line. The fix is exactly that:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/md1:cryptroot ip=A.B.C.D::GATEWAY:255.255.255.255:hostname:eth0:none"

One line in /etc/default/grub, grub-mkconfig, reboot. No more dependency on Hetzner’s DHCP responding to whatever your current kernel sends.

Why it matters for anyone running this stack

If you run Arch on Hetzner Dedicated with full-disk encryption and remote unlock via dropbear, the ip=dhcp shipped by installimage is a latent bug. It can keep working for years and then break overnight, on every machine you have, after a routine pacman -Syyu. The static-IP version is what Hetzner now recommends and removes the entire dependency.

Tooling

While debugging, I turned the whole rescue / chroot / diagnose / fix workflow into a Python CLI (hal) — including hal fix static-ip, which derives the static cmdline directly from your existing systemd-networkd .network file:

→ github.com/kevinveenbirkenbach/hetzner-arch-luks

Single command, idempotent, reversible (the original /etc/default/grub is backed up to .hal-backup). If you’re on this stack, switch to static IP before the next kernel upgrade catches you.

When two Hetzner servers died at the same time

On May 12, 2026, two of my Arch Linux + LUKS servers at Hetzner became unreachable at the same moment. Both had been running for 4+ months without issue. Both had received the same pacman -Syyu the day before, but had stayed on the old kernel until the morning the websites stopped responding. I rebooted — SSH never came back. nmap -Pn -p 22 showed filtered from anywhere. No ping. No banner. The Hetzner Robot panel insisted the hardware was fine.

Several hours went into hypotheses that turned out to be wrong:

• The encryptssh initcpio hook referencing a /usr/lib/initcpio/udev/11-dm-initramfs.rules file that no longer exists. Real bug, no boot impact — the initramfs rebuilds anyway.
• PermitRootLogin no in sshd_config. Real misconfiguration, fixed it, didn’t help. A refusing sshd shows closed, not filtered.
• Predictable interface-naming drift after the systemd 260 upgrade. Patched the .network config to match by MAC. Useful hardening; not the cause.
• Stale GRUB stage1 + core.img in the MBR. Arch never re-runs grub-install after a grub package upgrade. Refreshed it. Still filtered.
• Kernel 7.0.5 regression. Downgraded to 6.18.3, the kernel that had run for 4 months. Still filtered. So the kernel itself wasn’t it either.

The clue was in the persistent journal: a single recorded boot from December 31 to May 12 10:13 UTC, and absolutely nothing after. Every reboot since the upgrade was failing before systemd-journald could flush to disk — so the failure had to be in the initramfs, before the root filesystem was even mounted.

What it almost certainly was

Hetzner Dedicated servers configure the initramfs network with ip=dhcp on the kernel command line. That depends on Hetzner’s DHCP server replying to whatever request format the current kernel sends. Somewhere between kernel 6.18 / iproute2 6.18 and kernel 7.0 / iproute2 7.0, the request format changed enough that Hetzner’s DHCP stopped responding. Effects:

• Old kernel at runtime kept the interface already configured (Phase A — 32 hours of healthy operation after the package upgrade).
• New kernel cold-boots, hits DHCP, never gets an IP, dropbear cannot listen, port 22 stays filtered.

Hetzner’s own documentation has been quietly moving away from ip=dhcp toward static IPv4 in the kernel command line. The fix is exactly that:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/md1:cryptroot ip=A.B.C.D::GATEWAY:255.255.255.255:hostname:eth0:none"

One line in /etc/default/grub, grub-mkconfig, reboot. No more dependency on Hetzner’s DHCP responding to whatever your current kernel sends.

Why it matters for anyone running this stack

If you run Arch on Hetzner Dedicated with full-disk encryption and remote unlock via dropbear, the ip=dhcp shipped by installimage is a latent bug. It can keep working for years and then break overnight, on every machine you have, after a routine pacman -Syyu. The static-IP version is what Hetzner now recommends and removes the entire dependency.

Tooling

While debugging, I turned the whole rescue / chroot / diagnose / fix workflow into a Python CLI (hal) — including hal fix static-ip, which derives the static cmdline directly from your existing systemd-networkd .network file:

→ github.com/kevinveenbirkenbach/hetzner-arch-luks

Single command, idempotent, reversible (the original /etc/default/grub is backed up to .hal-backup). If you’re on this stack, switch to static IP before the next kernel upgrade catches you.

@nickbearded kali has a very good guide for this - it is about 6 steps #encrypted persistence #luks

As I understand it, #nixos is not vulnerable by default. However, if you use #luks and kernel lower then 6.18 or 7.0, for example, the module is already in your system. A quick fix:

```
{
boot.extraModprobeConfig = ''
install algif_aead ${pkgs.coreutils}/bin/false
'';
boot.blacklistedKernelModules = [ "algif_aead" ];
}
```

Ein lieber Mensch hat mir seinen recht aktuellen Desktop vermacht, zu einem Preis für den aktuell vermutlich grad mal das RAM zu bekommen wäre. Das System darf dann mein fast volljähriges mit Xeao 550 i7 und GTX 770 ablösen.
Nur: Damals gab es noch kein Secure Boot, TPM und GPT und ich verzweifle daran auf dem neumodischem Schnickschnack ein #Arch mit #LVM auf #LUKS mit einem funktionierdem bootloader zu versehen.
Ob sich so Opa gefühlt hat, als er den VHS-Rekorder nicht programmieren konnte?

In actuality, typing my #LUKS phrase is probably the single least efficient part of the #boot...

Unification de l'installeur : Le projet va désormais utiliser l'installeur de #LMDE (le "live-installer") pour toutes ses versions, remplaçant ainsi #Ubiquity. Ce changement permet de mieux supporter l' #OEM, le #SecureBoot et #LVM / #LUKS.

Arrivée de "Alfa" (Mint 23) : Une version de développement nommée provisoirement "Alfa" est déjà sur les rails.

Update: #OpenSuse Tumbleweed handled it! So much for dunking on YaST, guys, it's the bomb!!!
Also, as much as I enjoy dunking on the systemd empire, systemd-boot is good (compared to grub, at least). ;)

#LUKS is gonna drive me mad.

This is on a brand new #Debian install. All I'm trying to do is have my home partition encrypted on a second SSD. No matter what I try, I get an unbootable system or it just ignores the second SSD. Right now, the last thing I tried to do was to use LVM to add the second SSD as a physical partition. But that didn't work either.

The last thing I tried was to boot into the graphical installer (not the live session) and install it with the guided partitioning using LVM and encryption. I then booted into a live session, Set up the second SSD as a physical volume and then add that physical volume to the main volume group. I then extended the swap and root partition into the new space provided by the second SSD as physical volume, but it doesn't boot.

Are there any distros that handle this automatically? I'm tired of pulling my hair out.

Today is #WorldBackupDay.

A while ago, we've blogged about a rather comprehensive approach to backups for your home office. Maybe you find parts of it useful:

https://tuxwise.net/all-episodes/s01e03-secure-backups-and-a-time-machine-for-your-home-office/

#backup #NAS #DAS #LUKS #btrfs #HomeOffice #WFH

Today is #WorldBackupDay.

A while ago, we've blogged about a rather comprehensive approach to backups for your home office. Maybe you find parts of it useful:

https://tuxwise.net/all-episodes/s01e03-secure-backups-and-a-time-machine-for-your-home-office/

#backup #NAS #DAS #LUKS #btrfs #HomeOffice #WFH

Today is #WorldBackupDay.

A while ago, we've blogged about a rather comprehensive approach to backups for your home office. Maybe you find parts of it useful:

https://tuxwise.net/all-episodes/s01e03-secure-backups-and-a-time-machine-for-your-home-office/

#backup #NAS #DAS #LUKS #btrfs #HomeOffice #WFH

Today is #WorldBackupDay.

A while ago, we've blogged about a rather comprehensive approach to backups for your home office. Maybe you find parts of it useful:

https://tuxwise.net/all-episodes/s01e03-secure-backups-and-a-time-machine-for-your-home-office/

#backup #NAS #DAS #LUKS #btrfs #HomeOffice #WFH

@Cloudsincoffee

do they work on Linux for LUKS etc. - can you use the same package yubikey-luks? I'm currently using Yubikey, but always open for change, if it is not too difficult.

#Yubikey #Token2 #LUKS #Linux #FIDO2 #MFA

@fosserytech so I don't have to educate Ubuntu users about how important disk encryption any more.

#linux #ubuntu #luks

System says exit 1. I say: Challenge accepted.

Debugging the engine.

No corporate cloud fluff, just raw logs, Arch Linux, and a broken pipeline that’s about to get crushed.

don't solve theoretical problems. break real ones. ✊🔥

#ArchLinux #RootCause #LUKS #GitHubActions #AnarchyInTheShell #ContinuumHQ #Dataengineering #DataScience#agenticworkflow #SRE #Grit #Gritlab

Huh..easier than I thought. 🤔

https://github.com/gitbls/sdm can configure, encrypt, and auto-unlock rootfs with #nbde #tang/#clevis
#raspberrypi #security #luks

Anyone using tang/clevis with LUKS? I'm working on an integration project and have a few questions. Thx!

Please boost for visibility

#raspberrypi #luks

Une méthode pour déchiffrer automatiquement des volumes LUKS : https://jeremy.lecour.fr/blog/2026/03/18/dechiffrement-luks-auto-clevis-tang/ #linux #sysadmin #debian #clevis #tang #luks

Full disk encryption in production isn't optional. From backups to data storage - it protects your most valuable asset: the information.

#luks #encryption #cybersecurity #cryptography

http://tomsitcafe.com/2026/03/13/the-operators-luks-bible/

LUKS/Fedora question: Does anybody know if there is a way to increase the number of passphrase attempts to unlock the encrypted partition at boot before cryptsetup failure ?

#Linux #Fedora #LUKS #CryptSetup #GNOME

This week has been full of major improvements to my #Linux setup across my #ThinkPads. I now have:
1. Significantly faster boot times due to quicker #LUKS decryption by separating out #boot and #EFI into separate volumes.
2. Upgrade from #LUKS1 to #LUKS2 (while most of the rest of my setup)
3. Better visuals for LUKS passphrase prompts using (finally) #plymouth

I couldn't have asked for more improvements in barely two days.

Set up automatic LUKS decryption via a USB key — or an SD card through a reader, so you don't waste a port.

Key present — boots silently. No key — asks for password as usual.

The gotchas are subtle: one wrong separator in cryptkey and it silently falls back to password with no error. Missing ext4 in initramfs does the same. Fun debugging at boot time.

- Full guide on Codeberg:
https://codeberg.org/makepkg/arch-luks-auto-unlock

#Linux #Arch #LUKS #Security

New blog post!

Using the Arch Linux installation image and working my way through the excellent installation guide, I show the choices I make to create an encrypted, minimal Linux system with “just enough” to provide a solid foundation to build upon further: whether that be setting up a desktop, laptop, or server:

https://www.dwarmstrong.org/archlinux-install/

#ArchLinux #Linux #LUKS #BTRFS

Как защитить ключи LUKS с помощью Рутокен ЭЦП 3.0 и алгоритмов ГОСТ Р 34.10-2012. Часть 4

Безопасная эксплуатация ноутбуков, или Защита пользовательского ключа с помощью алгоритмов ГОСТ Р 34.10-2012 В третьей части мы настроили защиту мастер-ключа с помощью USB-токена, используя RSA, но теперь мы перейдем на алгоритмы ГОСТ Р 34.10-2012. Жаркие. Зимние. Твои. А еще они основаны на более перспективных эллиптических кривых, которым не нужны такие большие ключи, чтобы обеспечить более высокий уровень безопасности.

https://habr.com/ru/companies/aktiv-company/articles/996516/

#linux #luks #полнодисковое_шифрование #рутокен #plymouth #openssl #pkcs11 #encrypt #bitlocker #гост_34102012

I am looking for a way to do offline backups for Linux filesystems on x64/arm64/amd64 laptops to an encrypted (LUKS) disk.
I tried systemrescue. It works using fsarchiver but I have to manually mount the external disk per several cryptsetup commands.
I have written down the commands for several Linux distros I use but would like to boot from an USB stick on which either the commands are stored in a file or a sort-of automount works out-of-the-box.
I see several choices:
Customize system-rescue. I would have to do it for every new version
or
Use a distro on an USB stick which supports automount of encrypted disks.
Q4OS seems to be a good candidate. I don't know whether both versions of the live images support this automounting.
Any suggestions ?
#q4os #luks #backup #linux

Как защитить ключи LUKS с помощью Рутокен ЭЦП 3.0 и алгоритмов ГОСТ Р 34.10-2012. Часть 3

Безопасная эксплуатация ноутбуков, или Защита пользовательского ключа с помощью USB-токена на примере Рутокен ЭЦП 3.0 Из второй части мы узнали, как настроить загрузку компьютера таким образом, чтобы для разблокирования системного диска использовались ключи, размещенные на внешнем USB-накопителе. Однако при краже компьютера вместе с этим накопителем злоумышленник сможет получить доступ к данным так, как если бы они не были защищены вовсе, поэтому наиболее привлекательным способом решения поставленной задачи видится использование USB-токенов и смарт-карт, таких как Рутокен ЭЦП 3.0 или JaCarta-2 ГОСТ. Токены представляют собой защищенные микроконтроллеры со встроенной энергонезависимой памятью, поэтому способны выполнять все вычисления самостоятельно без использования ресурсов центрального процессора, не допуская копирование закрытого ключа с устройства, что обеспечивает максимально высокий уровень безопасности.

https://habr.com/ru/companies/aktiv-company/articles/994834/

#linux #luks #полнодисковое_шифрование #рутокен #plymouth #rsa #openssl #pkcs11 #encrypt #bitlocker

Gut, dass es #TestDisk gibt: Jemand überschrieb versehentlich eine Partitionstabelle (GPT). Darauf befand sich nur eine #LUKS2-Partition. Mit #TestDisk ließ sich das zum Glück regeln.

Aber ganz trivial war es dann doch nicht: TestDisk erkennt nur die Minimalgröße von LUKS-Partitionen und stellt diese wieder her und kennt nicht das tatsächliche Ende. Und entschlüsseln ließ sich das Ding auch nicht: "Invalid argument" nach korrekter Angabe des Schlüssels.

Stellt sich raus: Die Partitionsgröße muss ein Vielfaches der Sektorgröße (hier 4096) sein, sonst geht da gar nix. Also auf die nächstgrößere Partitionsgröße mit parted erweitert und dann gings. :awesome:

#Linux #Encryption #LUKS

Suspend then hibernate sounds simple, until LUKS and LVM enter the picture. Make it work without breaking your system. #linux #powermanagement #luks #lvm #hibernate #suspend

http://tomsitcafe.com/2026/01/14/suspend-then-hibernate-with-luks-and-lvm-a-practical-setup/

Suspend then hibernate sounds simple, until LUKS and LVM enter the picture. Make it work without breaking your system. #linux #powermanagement #luks #lvm #hibernate #suspend

http://tomsitcafe.com/2026/01/14/suspend-then-hibernate-with-luks-and-lvm-a-practical-setup/

Suspend then hibernate sounds simple, until LUKS and LVM enter the picture. Make it work without breaking your system. #linux #powermanagement #luks #lvm #hibernate #suspend

http://tomsitcafe.com/2026/01/14/suspend-then-hibernate-with-luks-and-lvm-a-practical-setup/

Linux Tails
Einfach mal Linux installieren – Teil 2
Mehr zu Tails bei uns https://www.a-fsa.de/cgi-bin/searchartl.pl?suche=tails&sel=meta
und zum Tor-Netzwerk https://www.a-fsa.de/cgi-bin/searchartl.pl?suche=tor&sel=meta
a-fsa.de/d/3Lr
Link zu dieser Seite: https://www.a-fsa.de/de/articles/9347-20251117-linux-tails.html
Link im Tor-Netzwerk: http://a6pdp5vmmw4zm5tifrc3qo2pyz7mvnk4zzimpesnckvzinubzmioddad.onion/de/articles/9347-20251117-linux-tails.html
Tags: #Linux #Tails #Transkript #Lauschangriff #Überwachung #Verbraucherdatenschutz #TorNetzwerk #Anonymisierung #Verschlüsselung #Datensicherheit #Installation #PersistentStorage #USBStick #DarkNet #Debian #LUKS #Unterstützung

Ich brauche nochmal #Brainpower der #EDV #Bubble 🤣

Da mein bisheriges, betagtes, leistungsschwaches 1-Bay #QNAP #NAS sehr langsam ist, z.B. beim #rsync, habe ich inzwischen das #Ugreen #NAS #DPX2800 gekauft, mit 32 GB #RAM aufgerüstet und 2 #NVNE mit je 2 TB eingebaut.

Azf den beiden M.2 ist #Proxmox im #ZFS #RAID1 installiert. #Homeassistant und #TrueNAS laufen je in einer #VM.

TrueNAS soll nun einen #Datenpool in Form eines verschlüsselten ZFS RAID 1 auf 2 16 TB Festplatten bekommen. So weit so gut.

Nur: Wie bekomme ich die #Daten vom alten NAS, die in einer verschlüsselten #LUKS #Partition liegen, in den Datenpool?

Über #Netzwerk kopieren ist keine wirkliche Option. Das ist für ~ 10 TB Nutzdaten viel zu langsam.

Bitte #Boost für mehr Reichweite. 🙏

Uso #archlinux su disco #nvne da 1T #sabrent (home non separata).
+
Un SSD #samsung da 256G dedicato a backup del blog, ISO varie ed eventuali: roba che se perdo poco importa.
+
Per #backup ho 1 #maxtor #usb3 che collego al bisogno.

Tutti con #luks + #ext4.

Il setup è ok, ma penso di mettere un disco meccanico da 4T in locale dedicato al backup incrementale ( #kup o #timeshift ) e poi questo lo copierò sul Maxtor esterno.

Pareri? Consigli sul disco da acquistare? Grazie 😊