home.social

#secure-boot — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #secure-boot, aggregated by home.social.

fetched live
  1. Unlocking Fully Encrypted Servers over Tor

    Remote servers should not have to choose between security and availability.

    For years, the common compromise has been to expose SSH to the public Internet or to rely on VPNs and provider-specific KVM consoles whenever a LUKS-encrypted server reboots.

    I believe there is a better approach.

    By combining LUKS, Tor Onion Services, and a lightweight SSH server running directly inside the initramfs, it is possible to build servers that remain fully encrypted at rest, yet can always be unlocked remotely without exposing any public management interface.

    This article describes the concept and how it could evolve into a reusable feature for Infinito.Nexus.

    The Problem

    Full disk encryption protects data when a server is powered off.

    However, after every reboot someone must enter the LUKS passphrase.

    For remote dedicated servers this usually means one of the following:

    • opening SSH to the Internet
    • connecting through a VPN
    • using a provider’s KVM/IPMI console
    • booting into a rescue system

    While remote unlocking via Dropbear inside the initramfs is already a well-known solution, it still typically relies on a publicly reachable IP address.

    The Idea

    Instead of exposing SSH publicly, start Tor directly inside the initramfs.

    The boot sequence would look like this:

    Server boots


    Kernel + initramfs


    Network initialization


    Tor starts


    Temporary Onion Service appears

    unlock-xxxxxxxx.onion


    SSH via Tor


    cryptsetup luksOpen


    Root filesystem unlocked


    Operating system boots


    Temporary Onion Service disappears

    The administrator simply connects through Tor:

    torsocks ssh [email protected]

    After entering the LUKS passphrase, the operating system continues booting normally.

    Separate Identities for Boot and Runtime

    One of the strongest aspects of this design is that boot-time and runtime use different Onion identities.

    Boot environment

    • dedicated Ed25519 key
    • dedicated Onion address
    • only SSH
    • exists only during boot

    Example:

    unlock-xxxxxxxx.onion

    Runtime environment

    Once the operating system has booted:

    • the initramfs exits
    • Tor inside initramfs stops
    • a new Tor instance starts
    • completely different Onion addresses become available

    For example:

    ssh-xxxxxxxx.onion
    cloud-xxxxxxxx.onion
    matrix-xxxxxxxx.onion
    mail-xxxxxxxx.onion

    The unlock address simply disappears.

    This cleanly separates the trust boundaries between the bootloader environment and the running operating system.

    Why Tor?

    Using Tor instead of exposing SSH directly provides several advantages:

    • no public IP address required
    • no exposed SSH port
    • no VPN infrastructure
    • works behind NAT or Carrier-Grade NAT
    • management interface is only reachable through the Tor network
    • additional network privacy
    • ideal for self-hosted infrastructure

    This is particularly attractive for servers hosted in data centers where administrators rarely have physical access.

    What Happens After a Crash?

    Whenever the server reboots:

    1. the initramfs starts
    2. networking is initialized
    3. Tor publishes the temporary Onion Service
    4. you connect via SSH
    5. you unlock LUKS
    6. the server continues booting

    No KVM console.

    No VPN.

    No public SSH endpoint.

    Only Tor.

    Of course, catastrophic failures such as a broken initramfs or missing network drivers still require traditional recovery methods such as a rescue system or KVM.

    Existing Building Blocks

    Most of the required components already exist today.

    My repository hetzner-arch-luks demonstrates how to deploy Arch Linux with full disk encryption on Hetzner servers and configure remote unlocking via SSH during the initramfs stage.

    Repository:

    https://github.com/kevinveenbirkenbach/hetzner-arch-luks

    Another project, linux-image-manager, automates the creation and customization of Linux images and could serve as the foundation for embedding Tor, Dropbear/TinySSH, and the required initramfs configuration into reusable images.

    Repository:

    https://github.com/kevinveenbirkenbach/linux-image-manager

    Together, these repositories provide much of the groundwork required for a fully automated implementation.

    Future Integration into Infinito.Nexus

    I envision this becoming a native feature of Infinito.Nexus.

    Provisioning a server could automatically:

    • install Arch Linux
    • configure LUKS full disk encryption
    • generate an initramfs containing:
      • Tor
      • Dropbear or TinySSH
      • cryptsetup
    • create a dedicated boot-time Onion Service
    • automatically switch to permanent runtime Onion Services after successful boot

    From the administrator’s perspective, recovering a rebooted server would be as simple as:

    torsocks ssh root@unlock-<hostname>.onion

    Enter the passphrase.

    The server continues booting.

    Nothing is ever exposed to the public Internet.

    Looking Ahead

    This concept combines three mature technologies:

    • LUKS
    • Tor Onion Services
    • Remote initramfs unlocking

    While each technology already exists independently, integrating them into a seamless provisioning workflow could significantly improve the security and usability of encrypted self-hosted infrastructure.

    For projects focused on digital sovereignty and privacy, removing the need for publicly exposed management interfaces is a natural next step.

    #ArchLinux #cryptsetup #Cybersecurity #DevOps #DigitalSovereignty #DiskEncryption #Dropbear #FullDiskEncryption #Hetzner #InfinitoNexus #InfrastructureAsCode #initramfs #Linux #LinuxSecurity #LUKS #OnionServices #OpenSource #Privacy #RemoteLUKSUnlock #RemoteServerManagement #RemoteUnlock #SecureBoot #SelfHostedInfrastructure #SelfHosting #ServerSecurity #SSHOverTor #TinySSH #Tor #TorHiddenServices
  2. Bit-Rauschen, der Prozessor-Podcast: Das Secure-Boot-Problem von Windows 11

    Microsoft werkelt an der Schutzfunktionen UEFI Secure Boot herum, sodass manche Rechner nicht mehr starten: Folge 2025/13 des Podcasts Bit-Rauschen.

    heise.de/meinung/Bit-Rauschen-

    #BitRauschen #IT #Journal #UEFI #SecureBoot #Windows #news

  3. Bit-Rauschen, der Prozessor-Podcast: Das Secure-Boot-Problem von Windows 11

    Microsoft werkelt an der Schutzfunktionen UEFI Secure Boot herum, sodass manche Rechner nicht mehr starten: Folge 2025/13 des Podcasts Bit-Rauschen.

    heise.de/meinung/Bit-Rauschen-

    #BitRauschen #IT #Journal #UEFI #SecureBoot #Windows #news

  4. Because I am a slacker, I didn't really think much about it. I ran a #powershell command to check that I had the new certificates, and it came back "True"...so...golden, right? Ooooooh, but no.

    (Powershell command to check cert: run it as an Administrator, and type

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

    If True, you have updated certs. )

    But...just because you have new certificates DOES NOT MEAN THEY ARE INSTALLED.

    The second thing to check is the “default db,” which shows whether the new #SecureBoot certificates are baked into your PC’s firmware.

    #PowerShell command:
    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')

    If this command returns “true,” your system is running an updated BIOS with the new Secure Boot certificates built in. Older PCs and systems without a #BIOS update installed will return “false” here.

    2/

  5. Because I am a slacker, I didn't really think much about it. I ran a #powershell command to check that I had the new certificates, and it came back "True"...so...golden, right? Ooooooh, but no.

    (Powershell command to check cert: run it as an Administrator, and type

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

    If True, you have updated certs. )

    But...just because you have new certificates DOES NOT MEAN THEY ARE INSTALLED.

    The second thing to check is the “default db,” which shows whether the new #SecureBoot certificates are baked into your PC’s firmware.

    #PowerShell command:
    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')

    If this command returns “true,” your system is running an updated BIOS with the new Secure Boot certificates built in. Older PCs and systems without a #BIOS update installed will return “false” here.

    2/

  6. Ok, I recognize that since starting HRT, I have reclaimed Bitch Mode, (estrogen, my old friend, how I've missed you), and I am crankier than advertised. So, perhaps my morning of aggravation is not so severe that it requires me to call in tactical airstrikes on #Dell and #Microsoft...but it just might.

    Back in 2011, #UEFI Secure Boot, a mechanism for verifying PC bootloaders to ensure that unverified software can’t be loaded at startup was added to #Windows. It became a formal system requirement for installing Windows starting with Windows 11 in 2021.

    #SecureBoot has relied on the same security certificates to verify bootloaders since 2011. But those original certificates are set to expire today, 06/24/2026.

    1/

  7. Ok, I recognize that since starting HRT, I have reclaimed Bitch Mode, (estrogen, my old friend, how I've missed you), and I am crankier than advertised. So, perhaps my morning of aggravation is not so severe that it requires me to call in tactical airstrikes on #Dell and #Microsoft...but it just might.

    Back in 2011, #UEFI Secure Boot, a mechanism for verifying PC bootloaders to ensure that unverified software can’t be loaded at startup was added to #Windows. It became a formal system requirement for installing Windows starting with Windows 11 in 2021.

    #SecureBoot has relied on the same security certificates to verify bootloaders since 2011. But those original certificates are set to expire today, 06/24/2026.

    1/

  8. Ich nutze das neue (gebrauchte) #T570 aktuell für Tests von $Dingen, die ich mir auf meinen sonstigen Systemen (noch) nicht traue. Schön ist, das es halbwegs aktuelle #Hardware ist.

    Aktuell teste ich die Absicherung der Boot-Chain und die Verschlüsselung der Systempartition mit #LUKS + #clevis + #systemd + #TPM2 + #SecureBoot.

    Ich habe lange über die Sinnhaftigkeit gezweifelt, aber mittlerweile verstehe ich das Konzept etwas besser. Praxiserfahrung hilft mir da enorm.

    Aktuell habe ich die Kombination einer 6-stelligen PIN mit dem TPM2 des #Notebooks, um die Partition zu entschlüsseln. Da erscheint mir momentan ein ausreichender Kompromis zwischen Sicherheit und Nutzbarkeit.

    Jetzt schaue ich mal, wie sich das mittelfristig im Betrieb schlägt. Vor allem, ob es zu Fehlern bei Upgrades kommt, die mir potentiell den Zugriff auf das System kaputt machen könnten.

    #security #GNU/Linux #fedora

    fedoramagazine.org/automatical…

  9. Ich nutze das neue (gebrauchte) #T570 aktuell für Tests von $Dingen, die ich mir auf meinen sonstigen Systemen (noch) nicht traue. Schön ist, das es halbwegs aktuelle #Hardware ist.

    Aktuell teste ich die Absicherung der Boot-Chain und die Verschlüsselung der Systempartition mit #LUKS + #clevis + #systemd + #TPM2 + #SecureBoot.

    Ich habe lange über die Sinnhaftigkeit gezweifelt, aber mittlerweile verstehe ich das Konzept etwas besser. Praxiserfahrung hilft mir da enorm.

    Aktuell habe ich die Kombination einer 6-stelligen PIN mit dem TPM2 des #Notebooks, um die Partition zu entschlüsseln. Da erscheint mir momentan ein ausreichender Kompromis zwischen Sicherheit und Nutzbarkeit.

    Jetzt schaue ich mal, wie sich das mittelfristig im Betrieb schlägt. Vor allem, ob es zu Fehlern bei Upgrades kommt, die mir potentiell den Zugriff auf das System kaputt machen könnten.

    #security #GNU/Linux #fedora

    fedoramagazine.org/automatical…

  10. #Windows and #Linux users: The deadline to update #SecureBoot keys is near

    The clock is ticking for Windows and Linux users to update #cryptographic keys that protect their systems against firmware-based #UEFI infections, a pernicious form of #malware that loads before operating system and anti-malware protections start.

    Beginning June 24, three certificates that cryptographically verify that each piece of #firmware and software that loads during system #boot will expire. The Microsoft-signed certificates are the linchpins of Secure Boot, a Microsoft-designed chain of trust. Secure Boot checks the digital signatures of all firmware that loads during system startup to ensure it originates from a trusted provider, such as the manufacturer of the #motherboard the system runs on.
    #Microsoft #security

    arstechnica.com/security/2026/

  11. #Windows and #Linux users: The deadline to update #SecureBoot keys is near

    The clock is ticking for Windows and Linux users to update #cryptographic keys that protect their systems against firmware-based #UEFI infections, a pernicious form of #malware that loads before operating system and anti-malware protections start.

    Beginning June 24, three certificates that cryptographically verify that each piece of #firmware and software that loads during system #boot will expire. The Microsoft-signed certificates are the linchpins of Secure Boot, a Microsoft-designed chain of trust. Secure Boot checks the digital signatures of all firmware that loads during system startup to ensure it originates from a trusted provider, such as the manufacturer of the #motherboard the system runs on.
    #Microsoft #security

    arstechnica.com/security/2026/

  12. أصدر نظام Tails تحديثه رقم 7.9، والذي يحمل تحسينات مهمة للمستخدمين. يتضمن التحديث رفع إصدار متصفح Tor إلى 15.0.16، بالإضافة إلى إضافة حزم برامج ثابتة محدثة. تهدف هذه الحزم إلى تعزيز التوافق مع الأجهزة الحديثة، خاصة مكونات الرسوميات والواي فاي، مما يضمن أداءً أفضل. كما عالج التحديث مشكلة ظهور إشعارات نادرة وخاطئة بخصوص شهادات Secure Boot القديمة، لضمان تجربة أكثر سلاسة وموثوقية للمستخدمين.

    #Tails #TorBrowser #SecureBoot

  13. Eine Frage in die große Runde:
    Es geistern im Internet Videos, Berichte, Beiträge etc. herum, dass man nach dem 24. Juni 2026 #Linux nicht mehr auf Systemen mit (U)EFI starten oder installieren kann, da an diesem Tag ein von #Microsoft herausgegebenes und verwaltetes Zertifikat abläuft. Dies hat wohl irgendwie mit #SecureBoot zu tun.
    Was ist an diesem Szenario tatsächlich dran, wie könnten die Auswirkungen sein, und falls das tatsächlich zutreffend ist, wie kann man dadurch entstehende Probleme lösen?

    #OpenSource #FOSS #DigitalFreedom #EFI #UEFI

  14. Eine Frage in die große Runde:
    Es geistern im Internet Videos, Berichte, Beiträge etc. herum, dass man nach dem 24. Juni 2026 #Linux nicht mehr auf Systemen mit (U)EFI starten oder installieren kann, da an diesem Tag ein von #Microsoft herausgegebenes und verwaltetes Zertifikat abläuft. Dies hat wohl irgendwie mit #SecureBoot zu tun.
    Was ist an diesem Szenario tatsächlich dran, wie könnten die Auswirkungen sein, und falls das tatsächlich zutreffend ist, wie kann man dadurch entstehende Probleme lösen?

    #OpenSource #FOSS #DigitalFreedom #EFI #UEFI

  15. La scadenza del certificato Secure Boot di Microsoft sta creando dubbi tra gli utenti Linux. Ecco cosa cambia davvero e quali controlli conviene effettuare sul proprio sistema. #Linux #SecureBoot #UEFI #Fedora #Ubuntu #OpenSource

    linuxeasy.org/scade-certificat

  16. La scadenza del certificato Secure Boot di Microsoft sta creando dubbi tra gli utenti Linux. Ecco cosa cambia davvero e quali controlli conviene effettuare sul proprio sistema. #Linux #SecureBoot #UEFI #Fedora #Ubuntu #OpenSource

    linuxeasy.org/scade-certificat

  17. heise+ | Ubuntus Linux-Bootloader abgespeckt: Weniger Funktionen für mehr Sicherheit

    Die Ubuntu-Entwickler planen, den Bootloader Grub zu beschneiden: Keine Grafiken mehr, kein LVM, kein RAID, kein Btrfs. Das soll Angriffswege reduzieren.

    heise.de/hintergrund/Ubuntus-L

    #IT #Journal #Linux #Microsoft #SecureBoot #Security #Ubuntu #UEFI #news

  18. heise+ | Ubuntus Linux-Bootloader abgespeckt: Weniger Funktionen für mehr Sicherheit

    Die Ubuntu-Entwickler planen, den Bootloader Grub zu beschneiden: Keine Grafiken mehr, kein LVM, kein RAID, kein Btrfs. Das soll Angriffswege reduzieren.

    heise.de/hintergrund/Ubuntus-L

    #IT #Journal #Linux #Microsoft #SecureBoot #Security #Ubuntu #UEFI #news

  19. SECURE BOOT DOOMSDAY? June 24, 2026 Microsoft Certificate Expiration Linux Exodus or Just Hype?

    Microsoft’s 2011 Secure Boot certificates expire June 24–27, 2026 (another in October). Headlines scream “Windows kills Linux!” and “The Great Exodus!” But what’s the real story?
    The Facts:

    Old keys (Microsoft KEK CA 2011 & UEFI CA 2011) are being replaced by the 2023 chain via Windows Updates and OEM firmware.
    Goal: Stronger protection against modern bootkits like BlackLotus.

    What Happens on June 24?
    Nothing dramatic. Existing Linux and Windows installs keep booting. The change mainly affects new signed components.
    For Linux/dual-boot users:

    Current setups with the old shim usually continue working.
    Future distro updates need shims signed with the new 2023 keys.

    Fixes: Update firmware/shim, or simply disable Secure Boot in BIOS (easiest for most tinkerers and home-lab setups). Major distros (Fedora, Ubuntu, Arch, Red Hat, etc.) are releasing dual-signed or updated shims.

    The “Exodus” Talk:
    It’s sparked chatter about ditching Windows, but this is certificate maintenance not a brick wall. Many already run Secure Boot disabled.

    I will add but why does Microsoft get to control the signing of the bootloader?

    Bottom Line:
    Check your status (mokutil --sb-state), keep systems updated, and review UEFI settings. For home labs/Proxmox/Arch users, now’s a good time to test.

    Have you updated your shim/firmware? Planning to disable Secure Boot? Share your setup!

    #Linux #SecureBoot #Windows #OpenSource #HomeLab

  20. PSA regarding a change in how Secure Boot will work in Fedora soon. The change isn't urgent, but it is something you should take a look at.

    If you have any questions about this, please ask in our forum. 🙏

    ➡️ fedoramagazine.org/expiration-

    Forum: discussion.fedoraproject.org/c

    #Fedora #Linux #OpenSource #Cybersecurity #InfoSec #SecureBoot