On 7/30/23 17:39, Chan Ju Ping wrote:
> Or am I missing something? Is there another protection mechanism before the
> disk is unlocked?
> I help run a few community servers for our local makerspace here, and
> auto-unlocking of encrypted drives using TPM 2.0 would allow me to remotely
> manage an encrypted filesystem setup, since the normal procedure would be
> for me to ask someone on the other side of the island to help key in the
> passphrase every time I need to reboot the server.

I set up a few remotely managed servers by moving all of the important
data to LUKS encrypted filesystems.  These filesystems aren't in /etc/fstab
so they don't get mounted after a reboot.  Once rebooted I remotely
SSH in and run a script that mounts the encrypted filesystem that prompts
for the password.  It then starts the appropriate daemons (PostgreSQL, etc.)
and everything is fine.  I know there's a possibility of data leakage
via /tmp and swap, but I think the risk is minimal and the servers are in
a protected space anyway.   I wonder if swap and /tmp could be encrypted
this way too; it might be fun to fiddle with it someday.

So the basic idea is to set up a server so that it partially boots, but boots
far enough to set up the network and start the SSH daemon.  Then, log
in remotely to finish the rest of the boot after entering the LUKS password.
Could something like this be added to the Leap install process to make it
easier to set up?

Regards,
Lew
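An added example of the "SSH in and run a script" step Lew describes above (this is not his script): it prompts for the LUKS passphrase, opens the volume, mounts it and starts the daemons, and hands the passphrase to cryptsetup on stdin rather than on the command line so it is not visible in `ps` or shell history. The device path, mapper name, mount point, service names and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# unlock-data.sh: run over SSH once the server has booted far enough for sshd;
# opens the LUKS volume, mounts it, then starts the daemons that live on it.
set -eu

DEVICE="${DEVICE:-/dev/disk/by-uuid/LUKS-UUID-PLACEHOLDER}"  # assumed LUKS partition
NAME="${NAME:-data}"                     # name under /dev/mapper (assumed)
MAPPER_DIR="${MAPPER_DIR:-/dev/mapper}"  # overridable so the script can be tested
MOUNTPOINT="${MOUNTPOINT:-/srv/data}"    # assumed mount point (not in /etc/fstab)
SERVICES="${SERVICES:-postgresql}"       # daemons that need the filesystem
DRY_RUN="${DRY_RUN:-0}"                  # 1 = print commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

open_volume() {
    if [ -e "$MAPPER_DIR/$NAME" ]; then
        echo "$NAME is already open, skipping unlock" >&2   # safe to re-run
        return 0
    fi
    if [ "$DRY_RUN" = 1 ]; then
        run cryptsetup open --key-file=- "$DEVICE" "$NAME"
        return 0
    fi
    # Prompt with echo off and hand the passphrase to cryptsetup on stdin, so it
    # never appears on a command line (visible in ps) or in the shell history.
    printf 'LUKS passphrase for %s: ' "$DEVICE" >&2
    stty -echo
    trap 'stty echo' EXIT
    IFS= read -r pass
    stty echo
    trap - EXIT
    echo >&2
    printf '%s' "$pass" | cryptsetup open --key-file=- "$DEVICE" "$NAME"
    unset pass
}

mount_volume() {
    # Skip if already mounted, so a second run after a partial failure is harmless.
    if mountpoint -q "$MOUNTPOINT" 2>/dev/null; then return 0; fi
    run mount "$MAPPER_DIR/$NAME" "$MOUNTPOINT"
}
start_services() {
    for svc in $SERVICES; do run systemctl start "$svc"; done
}
# Each step runs only if the previous one succeeded: no mount without an open
# volume, no daemons without their data.
unlock_and_start() { open_volume && mount_volume && start_services; }
case "${0##*/}" in unlock-data.sh) unlock_and_start ;; esac
```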