Tracking issue for the "Disk encryption" todo. This can't ship as a normal
PR — enabling LUKS on an already-installed unencrypted disk requires a
reformat/reinstall (or a risky in-place cryptsetup reencrypt), and the initrd
config can only be validated on real hardware.
Plan (full write-up + sources in ~/sync/doc/software-tools/linux/research/disk-encryption.md)
- Land a
disko config for the machines (reproducible installs) — valuable
even before encryption.
- Encrypt leod (the laptop — highest theft exposure) at its next reinstall:
LUKS2 root, unencrypted ESP, boot.initrd.luks.devices. Passphrase, or
TPM2 + PIN (optionally lanzaboote Secure Boot) for convenience.
- tower (optional, later): FDE is defensible for data-at-rest (HA history,
secrets); if done, add remote initrd unlock (boot.initrd.network + SSH) so
the headless box can still reboot unattended.
- pi: skip.
Per-machine rationale, a sample disko + LUKS layout, TPM enrollment, and the
in-place re-encrypt fallback are in the research doc above.
Tracking issue for the "Disk encryption" todo. This can't ship as a normal
PR — enabling LUKS on an already-installed unencrypted disk requires a
reformat/reinstall (or a risky in-place
cryptsetup reencrypt), and the initrdconfig can only be validated on real hardware.
Plan (full write-up + sources in
~/sync/doc/software-tools/linux/research/disk-encryption.md)diskoconfig for the machines (reproducible installs) — valuableeven before encryption.
LUKS2 root, unencrypted ESP,
boot.initrd.luks.devices. Passphrase, orTPM2 + PIN (optionally
lanzabooteSecure Boot) for convenience.secrets); if done, add remote initrd unlock (
boot.initrd.network+ SSH) sothe headless box can still reboot unattended.
Per-machine rationale, a sample disko + LUKS layout, TPM enrollment, and the
in-place re-encrypt fallback are in the research doc above.