  • Sorry, I think my reading comprehension was shit there… I got fixated on rescue usb not seeing the disk.

    No, I wouldn’t expect it to be a bad port if GRUB is loading (and the GRUB partition is on the same disk). BIOS not booting at all with the disk removed is strange too; I’d expect it to just boot the USB if that were plugged in while the disk is not.

    You said the USB rescue lsblk doesn’t list the disk; guessing it doesn’t show up under /dev/disk/by-id either? lspci? How about with a Windows install USB, does it see the disk?

  • I used to use them, yes. It’s a pretty solid setup, especially like you say, if the tang server itself requires you enter a password to unlock.

    A while ago I moved to TPM and Secure Boot to auto-unlock my servers on boot. It’s definitely slightly less secure: TPM vulnerabilities, or a severe enough vulnerability in one of the network services on the machine, and a hacker could get into them. But it’s quite a bit more secure than storing the unlock key on USB, and requires at least some degree of hacking skill to break in.

    sbctl makes the process of signing boot files pretty easy, and systemd-cryptenroll handles setting up TPM auto-unlock.
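The sbctl plus systemd-cryptenroll flow the comment above refers to, written out as an added dry-run script (not the commenter's own setup): it prints each command unless APPLY=1, binds the LUKS keyslot to PCR 7 (the Secure Boot state), and emits the matching crypttab line. The device path and the placeholder UUID are assumptions, not values from the thread.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed LUKS device; override with LUKS_DEV=...
LUKS_DEV="${LUKS_DEV:-/dev/nvme0n1p2}"
APPLY="${APPLY:-0}"          # 0 = print commands only, 1 = actually run them
WITH_PIN="${WITH_PIN:-no}"   # yes = TPM unseal additionally requires a PIN

# Runs the command, or prints it when in dry-run mode.
run() {
    if [ "$APPLY" = "1" ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*"; fi
}

# Step 1: create Secure Boot keys, enroll them (keeping Microsoft's certs so
# signed option ROMs still load), sign the registered boot files, then verify.
sign_boot_files() {
    run sbctl create-keys
    run sbctl enroll-keys -m
    run sbctl sign-all          # files are registered once with: sbctl sign -s <path>
    run sbctl verify            # lists any unsigned ESP file, which would break boot
}

# PCR 7 measures the Secure Boot policy and key database. Sealing to it means the
# TPM only releases the key while Secure Boot is on with the same enrolled keys;
# disabling Secure Boot or swapping the keys makes the unseal fail.
tpm_pcrs() {
    printf '7'
}

# Step 2: enroll a TPM2-bound keyslot. --tpm2-with-pin adds a PIN on top of the
# PCR policy, which addresses the "slightly less secure" trade-off in the comment.
enroll_tpm() {
    run systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$(tpm_pcrs)" \
        --tpm2-with-pin="$WITH_PIN" "$LUKS_DEV"
}

# Step 3: crypttab entry so systemd-cryptsetup tries the TPM before asking a passphrase.
crypttab_line() {
    printf 'cryptroot UUID=%s none tpm2-device=auto\n' "$1"
}

main() {
    sign_boot_files
    enroll_tpm
    crypttab_line "PLACEHOLDER-LUKS-UUID"   # replace with: cryptsetup luksUUID "$LUKS_DEV"
}
main "$@"
```

Re-running enrollment after a firmware or key change needs the stale slot removed first (`systemd-cryptenroll --wipe-slot=tpm2`), otherwise both slots remain.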