
TPM & secure boot. Look into sbctl for secure boot if you’re not on something that uses the signed shim like Ubuntu. I know some hate secure boot, but storing the unlock key in TPM is at least much more secure than having the key sitting on a USB drive.

Tang - network-based unlock. If you have a separate Raspberry Pi or something, you can set it up as a Tang server. You’ll want that thing encrypted too; you can set that up to require manual unlock, so if someone boosts your servers the Tang server never comes up, and the storage server won’t either.

Or just manually unlock the server with a password every boot?

That’s roughly my prioritized/preferred list.
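
The priority order in the comment above, as an added shell example that is not part of the original comment: it picks the first available unlock method and prints the enrollment command to run as root. The function names, the device `/dev/sdX2`, the URL `http://tang.example` and the choice of PCR 7 (Secure Boot state) are assumptions for illustration.

```shell
#!/bin/sh
# Added example. Placeholders: /dev/sdX2 (LUKS2 volume), http://tang.example.

# pick_method TPM_DEVICE_PATH TANG_URL
# Follows the comment's order: TPM first, then Tang, then a typed passphrase.
pick_method() {
    if [ -e "$1" ]; then
        echo tpm
    elif [ -n "$2" ]; then
        echo tang
    else
        echo password
    fi
}

# enroll_cmd METHOD DEVICE [TANG_URL]
# Prints the command instead of running it, so it can be reviewed first.
enroll_cmd() {
    method=$1
    dev=$2
    url=${3:-}
    case $dev in
        /dev/*) ;;
        *) echo "device must be a /dev path" >&2; return 2 ;;
    esac
    case $method in
        tpm)
            # Binding to PCR 7 ties the key to the Secure Boot state, so
            # verify that state (for example with `sbctl status`) first.
            printf 'systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 %s\n' "$dev" ;;
        tang)
            # Reject anything that is not a plain http(s) URL or that
            # would break the single-quoted JSON argument.
            case $url in
                *\'*|*\"*) echo "bad character in URL" >&2; return 2 ;;
                http://*|https://*) ;;
                *) echo "Tang URL must be http(s)" >&2; return 2 ;;
            esac
            printf "clevis luks bind -d %s tang '{\"url\":\"%s\"}'\n" "$dev" "$url" ;;
        password)
            echo "# nothing to enroll: the existing passphrase is typed at every boot" ;;
        *) echo "unknown method: $method" >&2; return 2 ;;
    esac
}

# Usage: sh unlock.sh /dev/sdX2 [tang-url]
if [ "$#" -ge 1 ]; then
    enroll_cmd "$(pick_method /dev/tpmrm0 "${2:-}")" "$1" "${2:-}"
fi
```

Both enrollment commands add a keyslot next to the existing passphrase, so the passphrase remains available as a fallback if the TPM policy or the Tang server is unavailable.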