#secure-boot — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #secure-boot, aggregated by home.social.
-
Unlocking Fully Encrypted Servers over Tor
Remote servers should not have to choose between security and availability.
For years, the common compromise has been to expose SSH to the public Internet or to rely on VPNs and provider-specific KVM consoles whenever a LUKS-encrypted server reboots.
I believe there is a better approach.
By combining LUKS, Tor Onion Services, and a lightweight SSH server running directly inside the initramfs, it is possible to build servers that remain fully encrypted at rest, yet can always be unlocked remotely without exposing any public management interface.
This article describes the concept and how it could evolve into a reusable feature for Infinito.Nexus.
The Problem
Full disk encryption protects data when a server is powered off.
However, after every reboot someone must enter the LUKS passphrase.
For remote dedicated servers this usually means one of the following:
- opening SSH to the Internet
- connecting through a VPN
- using a provider’s KVM/IPMI console
- booting into a rescue system
While remote unlocking via Dropbear inside the initramfs is already a well-known solution, it still typically relies on a publicly reachable IP address.
The Idea
Instead of exposing SSH publicly, start Tor directly inside the initramfs.
The boot sequence would look like this:
Server boots
│
▼
Kernel + initramfs
│
▼
Network initialization
│
▼
Tor starts
│
▼
Temporary Onion Service appears
unlock-xxxxxxxx.onion
│
▼
SSH via Tor
│
▼
cryptsetup luksOpen
│
▼
Root filesystem unlocked
│
▼
Operating system boots
│
▼
Temporary Onion Service disappears
The administrator simply connects through Tor:
torsocks ssh [email protected]
After entering the LUKS passphrase, the operating system continues booting normally.
Separate Identities for Boot and Runtime
One of the strongest aspects of this design is that boot-time and runtime use different Onion identities.
Boot environment
- dedicated Ed25519 key
- dedicated Onion address
- only SSH
- exists only during boot
Example:
unlock-xxxxxxxx.onion
Runtime environment
Once the operating system has booted:
- the initramfs exits
- Tor inside initramfs stops
- a new Tor instance starts
- completely different Onion addresses become available
For example:
ssh-xxxxxxxx.onion
cloud-xxxxxxxx.onion
matrix-xxxxxxxx.onion
mail-xxxxxxxx.onion
The unlock address simply disappears.
This cleanly separates the trust boundaries between the bootloader environment and the running operating system.
Why Tor?
Using Tor instead of exposing SSH directly provides several advantages:
- no public IP address required
- no exposed SSH port
- no VPN infrastructure
- works behind NAT or Carrier-Grade NAT
- management interface is only reachable through the Tor network
- additional network privacy
- ideal for self-hosted infrastructure
This is particularly attractive for servers hosted in data centers where administrators rarely have physical access.
What Happens After a Crash?
Whenever the server reboots:
- the initramfs starts
- networking is initialized
- Tor publishes the temporary Onion Service
- you connect via SSH
- you unlock LUKS
- the server continues booting
No KVM console.
No VPN.
No public SSH endpoint.
Only Tor.
Of course, catastrophic failures such as a broken initramfs or missing network drivers still require traditional recovery methods such as a rescue system or KVM.
Existing Building Blocks
Most of the required components already exist today.
My repository hetzner-arch-luks demonstrates how to deploy Arch Linux with full disk encryption on Hetzner servers and configure remote unlocking via SSH during the initramfs stage.
Repository:
https://github.com/kevinveenbirkenbach/hetzner-arch-luks
Another project, linux-image-manager, automates the creation and customization of Linux images and could serve as the foundation for embedding Tor, Dropbear/TinySSH, and the required initramfs configuration into reusable images.
Repository:
https://github.com/kevinveenbirkenbach/linux-image-manager
Together, these repositories provide much of the groundwork required for a fully automated implementation.
Future Integration into Infinito.Nexus
I envision this becoming a native feature of Infinito.Nexus.
Provisioning a server could automatically:
- install Arch Linux
- configure LUKS full disk encryption
- generate an initramfs containing:
- Tor
- Dropbear or TinySSH
- cryptsetup
- create a dedicated boot-time Onion Service
- automatically switch to permanent runtime Onion Services after successful boot
From the administrator’s perspective, recovering a rebooted server would be as simple as:
torsocks ssh root@unlock-<hostname>.onion
Enter the passphrase.
The server continues booting.
Nothing is ever exposed to the public Internet.
Looking Ahead
This concept combines three mature technologies:
- LUKS
- Tor Onion Services
- Remote initramfs unlocking
While each technology already exists independently, integrating them into a seamless provisioning workflow could significantly improve the security and usability of encrypted self-hosted infrastructure.
For projects focused on digital sovereignty and privacy, removing the need for publicly exposed management interfaces is a natural next step.
#ArchLinux #cryptsetup #Cybersecurity #DevOps #DigitalSovereignty #DiskEncryption #Dropbear #FullDiskEncryption #Hetzner #InfinitoNexus #InfrastructureAsCode #initramfs #Linux #LinuxSecurity #LUKS #OnionServices #OpenSource #Privacy #RemoteLUKSUnlock #RemoteServerManagement #RemoteUnlock #SecureBoot #SelfHostedInfrastructure #SelfHosting #ServerSecurity #SSHOverTor #TinySSH #Tor #TorHiddenServices -
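One way to lay out the Tor side of the design described in the post above, as an added example that is not code from the post or from the hetzner-arch-luks / linux-image-manager repositories: a POSIX shell script that emits the boot-time torrc (one onion service, SSH only) and the runtime torrc (one HiddenServiceDir per service), plus a check that the two configurations share neither a HiddenServiceDir nor a DataDirectory, so the unlock identity cannot be reloaded by the running system. Every path, port and service name in it is an assumption.

```shell
#!/bin/sh
# Added example (not the post's code, nor from hetzner-arch-luks or
# linux-image-manager): generate the boot-time and runtime Tor configurations
# the design needs and check that they share no onion identity.
# Every path, port and service name here is an assumption.
set -eu

# Boot-time torrc for the initramfs: exactly one onion service, forwarding
# only to the initramfs SSH daemon (Dropbear/TinySSH on 127.0.0.1:22).
# SocksPort 0 because nothing in the initramfs needs Tor as a client.
# The HiddenServiceDir holds the dedicated Ed25519 key for the unlock
# address; it must live outside the LUKS volume (for example on /boot) to be
# usable before the root filesystem is unlocked.
boot_torrc() {
    cat <<'EOF'
DataDirectory /var/lib/tor-initramfs
SocksPort 0
Log notice stderr
HiddenServiceDir /var/lib/tor-initramfs/unlock
HiddenServiceVersion 3
HiddenServicePort 22 127.0.0.1:22
EOF
}

# Runtime torrc for the booted OS: one HiddenServiceDir per service under a
# different DataDirectory, so the boot-time key is never loaded again.
# Usage: runtime_torrc ssh:22:22 cloud:443:8443 ...  (name:virtual_port:local_port)
runtime_torrc() {
    printf '%s\n' 'DataDirectory /var/lib/tor' 'SocksPort 9050' 'Log notice syslog'
    for svc in "$@"; do
        name=${svc%%:*}; rest=${svc#*:}
        vport=${rest%%:*}; lport=${rest#*:}
        printf '%s\n' "HiddenServiceDir /var/lib/tor/$name" \
                      'HiddenServiceVersion 3' \
                      "HiddenServicePort $vport 127.0.0.1:$lport"
    done
}

# hs_dirs FILE: the HiddenServiceDir values in a torrc, one per line.
hs_dirs() {
    awk '$1 == "HiddenServiceDir" { print $2 }' "$1"
}

# check_separation BOOT_TORRC RUNTIME_TORRC: succeed only when the two files
# share no HiddenServiceDir or DataDirectory and the boot file exposes
# nothing but port 22. A shared directory would mean the unlock identity
# (or its key material) stays reachable from the running system.
check_separation() {
    boot=$1; runtime=$2
    for d in $(hs_dirs "$boot") $(awk '$1 == "DataDirectory" { print $2 }' "$boot"); do
        if grep -qx "HiddenServiceDir $d" "$runtime" || grep -qx "DataDirectory $d" "$runtime"; then
            echo "shared directory between boot and runtime Tor: $d" >&2
            return 1
        fi
    done
    if [ "$(awk '$1 == "HiddenServicePort" { print $2 }' "$boot" | sort -u)" != "22" ]; then
        echo "boot-time torrc must expose only the SSH port" >&2
        return 1
    fi
    return 0
}

# Demo when run directly: write both files to a scratch directory and verify.
workdir=$(mktemp -d)
boot_torrc > "$workdir/torrc.initramfs"
runtime_torrc ssh:22:22 cloud:443:8443 matrix:443:8448 > "$workdir/torrc"
check_separation "$workdir/torrc.initramfs" "$workdir/torrc" \
    && echo "boot-time and runtime onion identities are separate (files in $workdir)"
```

Run each generated file through `tor --verify-config -f <file>` before baking it into an image. Two caveats the post does not spell out: the initramfs SSH host key is distinct from the runtime one, and since it is reached under a different onion address the known_hosts entries do not collide, but the boot-time host key fingerprint should be recorded at provisioning time rather than accepted on first use over Tor; and Tor's v3 client authorization (key files in the HiddenServiceDir's authorized_clients directory) can additionally restrict who is able to reach the unlock service at all.
-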
Microsoft UEFI CA rotation: is it safe to update from 2011 to 2023? #updates #uefi #secureboot #microsoft
-
how to enable the f2 and f12 keys #uefi #grubefi #secureboot
-
Wednesday: Apple before the US Supreme Court over Epic, end of France's parcel tax
Review of Apple's contempt of court + tariffs on China's mini parcels ineffective + telemedicine with pharmacies too + AI agents as AWS strategy + Bit-Rauschen
#AmazonWebServices #DigitalHealth #Digitalisierung #eCommerce #EpicvsApple #hoDaily #Journal #KünstlicheIntelligenz #SecureBoot #Versandhandel #Wettbewerbsrecht #Windows #news
-
Bit-Rauschen, the processor podcast: Windows 11's Secure Boot problem
Microsoft is tinkering with the UEFI Secure Boot protection feature, so that some computers no longer start: episode 2025/13 of the Bit-Rauschen podcast.
-
#SecureBoot: certificate expiry is imminent, #Microsoft provides further assistance | Security https://www.heise.de/news/Secure-Boot-Zertifikate-Ablauf-startet-weitere-Handreichungen-von-Microsoft-11341007.html
-
Ventoy 1.1.14 updates Secure Boot support
https://linuxnews.de/ventoy-1-1-14-aktualisiert-unterstuetzung-fuer-secure-boot/ #ventoy #secureboot #shim #linux #linuxnews -
Because I am a slacker, I didn't really think much about it. I ran a #powershell command to check that I had the new certificates, and it came back "True"...so...golden, right? Ooooooh, but no.
(Powershell command to check cert: run it as an Administrator, and type
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
If True, you have updated certs. )
But...just because you have new certificates DOES NOT MEAN THEY ARE INSTALLED.
The second thing to check is the “default db,” which shows whether the new #SecureBoot certificates are baked into your PC’s firmware.
#PowerShell command:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')
If this command returns “true,” your system is running an updated BIOS with the new Secure Boot certificates built in. Older PCs and systems without a #BIOS update installed will return “false” here.
2/
-
Ok, I recognize that since starting HRT, I have reclaimed Bitch Mode, (estrogen, my old friend, how I've missed you), and I am crankier than advertised. So, perhaps my morning of aggravation is not so severe that it requires me to call in tactical airstrikes on #Dell and #Microsoft...but it just might.
Back in 2011, #UEFI Secure Boot, a mechanism for verifying PC bootloaders to ensure that unverified software can’t be loaded at startup, was added to #Windows. It became a formal system requirement for installing Windows starting with Windows 11 in 2021.
#SecureBoot has relied on the same security certificates to verify bootloaders since 2011. But those original certificates are set to expire today, 06/24/2026.
1/
-
Microsoft guidance on replacing #SecureBoot #Zertifikate (certificates) for #Linux on #Azure #VMs
-
Experiences with replacing the #SecureBoot #Zertifikaten (certificates) that expire starting today #Linux #Windows
-
I'm currently using the new (used) #T570 for testing $things I don't (yet) trust on my other systems. The nice part is that it is reasonably current #Hardware.
Right now I'm testing hardening of the boot chain and encryption of the system partition with #LUKS + #clevis + #systemd + #TPM2 + #SecureBoot.
I doubted the usefulness of this for a long time, but by now I understand the concept somewhat better. Hands-on experience helps me enormously here.
Currently I use a 6-digit PIN combined with the #Notebooks TPM2 to decrypt the partition. For the moment that seems to me a sufficient compromise between security and usability.
Now I'll see how it holds up in day-to-day operation over the medium term. Above all, whether errors occur during upgrades that could potentially break my access to the system.
-
Secure Boot Certificates: Expiration Begins, Further Guidance from Microsoft
The first Secure Boot certificates are expiring these days. Microsoft is providing further guidance for Linux on Azure VMs.
#MicrosoftAzure #IT #Linux #Microsoft #SecureBoot #Security #Updates #Windows #news
-
Secure Boot certificates: expiration begins, further guidance from Microsoft
The first Secure Boot certificates are expiring these days. Microsoft is adding further guidance, for Linux on Azure VMs.
#MicrosoftAzure #IT #Linux #Microsoft #SecureBoot #Security #Updates #Windows #news
-
Linux and Secure Boot certificate expiration
https://lwn.net/Articles/1029767/
#HackerNews #Linux #SecureBoot #CertificateExpiration #Cybersecurity #OpenSource #TechNews
-
#Windows and #Linux users: The deadline to update #SecureBoot keys is near
The clock is ticking for Windows and Linux users to update #cryptographic keys that protect their systems against firmware-based #UEFI infections, a pernicious form of #malware that loads before operating system and anti-malware protections start.
Beginning June 24, three certificates that cryptographically verify that each piece of #firmware and software that loads during system #boot will expire. The Microsoft-signed certificates are the linchpins of Secure Boot, a Microsoft-designed chain of trust. Secure Boot checks the digital signatures of all firmware that loads during system startup to ensure it originates from a trusted provider, such as the manufacturer of the #motherboard the system runs on.
#Microsoft #security -
#Windows and #Linux users: The deadline to update #SecureBoot keys is near
-
Tails has released update 7.9, which brings important improvements for users. The update raises the Tor Browser version to 15.0.16 and adds updated firmware packages. These packages are meant to improve compatibility with modern hardware, especially graphics and Wi-Fi components, ensuring better performance. The update also fixes an issue with rare, erroneous notifications about old Secure Boot certificates, for a smoother and more reliable user experience.
-
A question for the wider crowd:
Videos, reports, posts and the like are circulating on the Internet claiming that after 24 June 2026 #Linux can no longer be started or installed on systems with (U)EFI, because on that day a certificate issued and managed by #Microsoft expires. This apparently has something to do with #SecureBoot.
What is actually true about this scenario, what could the effects be, and if it really is accurate, how can the resulting problems be solved? -
The expiration of Microsoft's Secure Boot certificate is raising doubts among Linux users. Here is what really changes and which checks are worth running on your own system. #Linux #SecureBoot #UEFI #Fedora #Ubuntu #OpenSource
-
heise+ | Ubuntu's Linux bootloader slimmed down: fewer features for more security
The Ubuntu developers plan to trim the Grub bootloader: no more graphics, no LVM, no RAID, no Btrfs. That is meant to reduce attack paths.
#IT #Journal #Linux #Microsoft #SecureBoot #Security #Ubuntu #UEFI #news
-
SECURE BOOT DOOMSDAY? June 24, 2026 Microsoft Certificate Expiration Linux Exodus or Just Hype?
Microsoft’s 2011 Secure Boot certificates expire June 24–27, 2026 (another in October). Headlines scream “Windows kills Linux!” and “The Great Exodus!” But what’s the real story?
The Facts:
Old keys (Microsoft KEK CA 2011 & UEFI CA 2011) are being replaced by the 2023 chain via Windows Updates and OEM firmware.
Goal: Stronger protection against modern bootkits like BlackLotus.
What Happens on June 24?
Nothing dramatic. Existing Linux and Windows installs keep booting. The change mainly affects new signed components.
For Linux/dual-boot users:
Current setups with the old shim usually continue working.
Future distro updates need shims signed with the new 2023 keys.
Fixes: Update firmware/shim, or simply disable Secure Boot in BIOS (easiest for most tinkerers and home-lab setups). Major distros (Fedora, Ubuntu, Arch, Red Hat, etc.) are releasing dual-signed or updated shims.
The “Exodus” Talk:
It’s sparked chatter about ditching Windows, but this is certificate maintenance, not a brick wall. Many already run Secure Boot disabled.
I will add: but why does Microsoft get to control the signing of the bootloader?
Bottom Line:
Check your status (mokutil --sb-state), keep systems updated, and review UEFI settings. For home labs/Proxmox/Arch users, now’s a good time to test.
Have you updated your shim/firmware? Planning to disable Secure Boot? Share your setup!
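A Linux-side status check for the 2011-to-2023 CA rotation the post above describes, as an added example that is not the poster's code: it classifies `mokutil --sb-state` and `mokutil --db` output into a state, reports which Microsoft CA generations are present in db, and turns that into the same advice the post gives (existing shims keep booting; a shim signed only with the 2023 CA needs the new CA in db). The functions take text rather than calling mokutil directly so they can be exercised offline; the CA subject names are Microsoft's published names (the 2011 third-party CA plus the 2023 third-party and Windows CAs), and the SAMPLE_* strings are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the post above: a Linux-side status check for the
# 2011 -> 2023 Microsoft Secure Boot CA rotation. The classifier functions
# take mokutil-style text so they can run offline; run_live feeds them real
# output when mokutil is installed. SAMPLE_* strings are constructed.
set -eu

# CA subject names as published by Microsoft: the 2011 third-party CA that
# signs today's shims, and the two 2023 CAs (third-party/shim, Windows).
OLD_CA='Microsoft Corporation UEFI CA 2011'
NEW_CA='Microsoft UEFI CA 2023'
WIN_NEW_CA='Windows UEFI CA 2023'

# sb_state TEXT: enabled / disabled / unknown from `mokutil --sb-state` output.
sb_state() {
    case "$1" in
        *'SecureBoot enabled'*)  echo enabled ;;
        *'SecureBoot disabled'*) echo disabled ;;
        *)                       echo unknown ;;
    esac
}

# db_cas TEXT: which Microsoft CA generations appear in a `mokutil --db`
# listing: none, 2011-only, 2023-only or both.
db_cas() {
    old=0; new=0
    case "$1" in *"$OLD_CA"*) old=1 ;; esac
    case "$1" in *"$NEW_CA"*|*"$WIN_NEW_CA"*) new=1 ;; esac
    case "$old$new" in
        00) echo none ;;
        10) echo 2011-only ;;
        01) echo 2023-only ;;
        11) echo both ;;
    esac
}

# advice STATE CAS: what the combination means for a shim-based Linux boot.
advice() {
    case "$1:$2" in
        disabled:*)
            echo 'Secure Boot is disabled; the CA rotation does not affect booting here' ;;
        enabled:both|enabled:2023-only)
            echo 'a 2023 CA is in db; shims signed with the new CA will verify' ;;
        enabled:2011-only)
            echo 'only the 2011 CA is in db; existing shims keep booting, but update firmware or db before relying on a shim signed only with the 2023 CA' ;;
        *)
            echo 'state unknown; inspect mokutil --sb-state and mokutil --db by hand' ;;
    esac
}

# report STATE_TEXT DB_TEXT: one-line summary followed by the advice line.
report() {
    state=$(sb_state "$1")
    cas=$(db_cas "$2")
    echo "secure boot: $state; microsoft CAs in db: $cas"
    advice "$state" "$cas"
}

# run_live: use real mokutil output when the tool is available.
run_live() {
    command -v mokutil >/dev/null 2>&1 || { echo 'mokutil not installed; skipping live check'; return 0; }
    report "$(mokutil --sb-state 2>/dev/null || true)" "$(mokutil --db 2>/dev/null || true)"
}

# Constructed samples in the shape mokutil prints (X.509 subject lines).
SAMPLE_DB_OLD='        Subject: C=US, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011'
SAMPLE_DB_BOTH="$SAMPLE_DB_OLD
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023"

report 'SecureBoot enabled' "$SAMPLE_DB_OLD"
report 'SecureBoot enabled' "$SAMPLE_DB_BOTH"
run_live
```

On a real machine the interesting output is the last two lines from run_live; a result of 2011-only with Secure Boot enabled is the case where a firmware or db update should precede any distro upgrade that ships a shim signed only with the 2023 CA.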
-
What you need to know about the #Microsoft #SecureBoot certificate expiration
https://fedoramagazine.org/expiration-of-microsoft-secure-boot-keys/
-
PSA regarding a change in how Secure Boot will work in Fedora soon. The change isn't urgent, but it is something you should take a look at.
If you have any questions about this, please ask in our forum. 🙏
➡️ https://fedoramagazine.org/expiration-of-microsoft-secure-boot-keys/
Forum: https://discussion.fedoraproject.org/c/ask/6
#Fedora #Linux #OpenSource #Cybersecurity #InfoSec #SecureBoot