[clug] How to make my server robust for booting
Paul Wayper
paulway at mabula.net
Fri Sep 13 16:27:29 UTC 2019
On 13/9/19 4:06 pm, steve jenkin via linux wrote:
>
>
>> On 12 Sep 2019, at 10:42, Tony Lewis via linux <linux at lists.samba.org> wrote:
>>
>> Thanks for the link. From that, it recommends making sure root is not hardcoded as /dev/hd0, which it isn't; it uses /dev/mapper/md1_crypt.
>>
>> So it looks like it should work in the real world. I'll try it when I get that far.
>
>
> Tony,
>
> Did I miss that on the 1st pass - that your boot partition (md1) is encrypted?
>
> I’ve never played with crypto filesystems, but they all share a common boot problem - feeding in the password(s) to unlock the keys when-ever they (cold) boot.
>
> Does grub (are you using v2 or v1?) support encrypted boot drives without intervention?
BTW, to solve booting (lots of) servers with encrypted drives and no need for
intervention, there's this neat project with two components: Clevis and Tang:
https://github.com/npmccallum/clevis
https://github.com/npmccallum/tang
Fraser Tweedale has a good introduction to the whole project at:
https://frasertweedale.github.io/blog-redhat/posts/2016-02-11-tang-tls.html
You can get it to provide any secret - LUKS password, Apache private key
password, etc. It's also capable of complicated policies like:
"Allow users to decrypt their own drives with a password, or unlock if at
least three of the five Tang servers are present on the network at time of boot".
Have fun,
Paul
More information about the linux
mailing list