Skip to content

Plan: adopt disko + full-disk encryption (leod first) #358

Description

@etrobert-bot

Tracking issue for the "Disk encryption" todo. This can't ship as a normal
PR
— enabling LUKS on an already-installed unencrypted disk requires a
reformat/reinstall (or a risky in-place cryptsetup reencrypt), and the initrd
config can only be validated on real hardware.

Plan (full write-up + sources in ~/sync/doc/software-tools/linux/research/disk-encryption.md)

  1. Land a disko config for the machines (reproducible installs) — valuable
    even before encryption.
  2. Encrypt leod (the laptop — highest theft exposure) at its next reinstall:
    LUKS2 root, unencrypted ESP, boot.initrd.luks.devices. Passphrase, or
    TPM2 + PIN (optionally lanzaboote Secure Boot) for convenience.
  3. tower (optional, later): FDE is defensible for data-at-rest (HA history,
    secrets); if done, add remote initrd unlock (boot.initrd.network + SSH) so
    the headless box can still reboot unattended.
  4. pi: skip.

Per-machine rationale, a sample disko + LUKS layout, TPM enrollment, and the
in-place re-encrypt fallback are in the research doc above.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions