algernon ludd on Nostr: I had a crazy idea. I have two servers, one small VPS at Hetzner (Eru), and another ...
I had a crazy idea.
I have two servers, one small VPS at Hetzner (Eru), and another in my room, on the shelf (Quickbeam). Both have their filesystems encrypted, both have network enabled in their initrd, to be able to log in remotely and input the password.
Eventually, I want to automate this, in a reasonably secure way, without storing the secret on the machine itself (storing it on another is acceptable). I plan to use Tang + Clevis for this. Eru provides a WireGuard server, I can connect to WireGuard from initrd, so Quickbeam can do it over WireGuard fine.
That takes care of unlocking Quickbeam. But how do I automate unlocking Eru?
So this is where the crazy idea comes in: what if I had a different WireGuard network, with Quickbeam as its server? And Quickbeam would have Tang too. So when Eru boots, it could WG with Quickbeam, and use Clevis + Tang to unlock its own disk. The Quickbeam WG would not be used for anything else.
For the case where both are booting, well, manual intervention will be needed there. SSH on an accessible IP in that case will do.
This is shaping up to be a fun little project... at some point in the future. I have other things to do.
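The Tang + Clevis step the post leans on, as an added example (not the poster's code): a toy model of the McCallum-Relyea exchange that Tang and the Clevis tang pin use, run in a multiplicative group modulo the Mersenne prime 2^521 - 1 instead of Tang's real NIST P-521 curve so it needs only plain Python. It shows why the unlocking secret never rests on the booting host and why an unreachable Tang peer blocks the unlock, which is the both-servers-booting case above; the group parameters and class names are constructed for this illustration.

```python
"""Toy McCallum-Relyea exchange (the protocol behind Tang/Clevis NBDE).

Added example, not from the post. Tang works on NIST P-521; here the same
algebra runs mod the Mersenne prime 2**521 - 1, so group "addition" is
multiplication mod P and "scalar multiplication" is pow(). Parameters are
constructed for illustration, not Tang's own."""
import hashlib
import secrets

P = 2**521 - 1   # Mersenne prime M521 (constructed toy modulus)
G = 3            # toy generator; its subgroup order is deliberately not checked
Q = P - 1        # exponents are drawn from [1, P - 2]


def rand_scalar() -> int:
    return secrets.randbelow(Q - 1) + 1


class TangServer:
    """Holds the only long-term secret s and publishes S = s*G (G**s mod P)."""

    def __init__(self) -> None:
        self._s = rand_scalar()
        self.public = pow(G, self._s, P)
        self.online = True

    def recover(self, x: int) -> int:
        # Tang just multiplies whatever it receives by s. The client blinds x
        # with a fresh ephemeral value, so the server learns nothing about C.
        if not self.online:
            raise ConnectionError("Tang unreachable: the peer is still booting")
        return pow(x, self._s, P)


def provision(server_public: int) -> tuple[int, bytes]:
    """Clevis 'bind': K = c*S wraps the LUKS key; only C = c*G is kept on disk."""
    c = rand_scalar()
    C = pow(G, c, P)
    K = pow(server_public, c, P)
    return C, hashlib.sha256(K.to_bytes(66, "big")).digest()  # c and K are discarded


def recover(C: int, server: TangServer) -> bytes:
    """Clevis 'unlock' from initrd: blind C, ask Tang, unblind the answer."""
    e = rand_scalar()
    X = (C * pow(G, e, P)) % P                       # X = C + e*G
    Y = server.recover(X)                            # Y = s*X = s*C + s*e*G
    unblind = pow(pow(server.public, e, P), -1, P)   # inverse of e*S = s*e*G
    K = (Y * unblind) % P                            # Y - e*S = s*C = c*S
    return hashlib.sha256(K.to_bytes(66, "big")).digest()
```

Nothing the booting host stores (C and the Tang public key S) lets it rebuild K on its own; only a live round trip to the peer's Tang does, which is exactly the dependency the post's manual-SSH fallback covers.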