On 09/07/2019 03:47 AM, Carlos E. R. wrote:
> Before I retired, I had a work computer that I wanted to be able to boot/reboot unattended. That means that an encryption key cannot be provided during boot. I see.
> Maybe the encryption key could be downloaded via network, using initrd. Just a wild idea.
> If the machine or its disks are stolen, they can not decrypt them.
That's truly an excellent idea, Carlos! Windows computers can use TPM (Trusted Platform Module) chips on the motherboard for unattended reboots, but Linux doesn't seem to support them. But even so, the TPM thing only protects encrypted disks once removed from their home computers (as I understand it). There's no protection if the whole computer is stolen.

A system with an encrypted disk, if it first prompted for a local password, then tried to download a key from a pre-selected location, would be great! I have no idea if it would be possible to do this kind of thing without BIOS modifications. What would be required, and would there be risks of leaking unencrypted bits?

Alternatively, maybe the decryption key could be passed with the remote reboot command? Something like grub2-once?

Regards,
Lew
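
The unlock scheme sketched in the reply above (a local password first, then a key fetched from a pre-selected location), as an added example that is not part of the original post. Assumptions: the function names are hypothetical, PBKDF2 and HKDF are primitives chosen here, the network fetch is replaced by a bytes argument, and the salt and share are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values, not real secrets.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # may sit unencrypted in the initrd
SHARE = bytes(range(32))                                  # what the key server would return


def stretch_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Slow hash of the typed password so offline guessing is expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_volume_key(password: str, salt: bytes, remote_share: bytes) -> bytes:
    """Combine the local password with the share fetched over the network.

    A thief holding the whole machine has the salt but not remote_share;
    the key server holds remote_share but never sees the password.
    """
    if len(remote_share) < 16:
        # Fail closed: an empty or truncated download must not yield a key.
        raise ValueError("remote share missing or too short")
    local = stretch_password(password, salt)  # fixed 32 bytes, so the join is unambiguous
    return hkdf_sha256(local + remote_share, salt, b"volume-key-v1")


if __name__ == "__main__":
    key = derive_volume_key("correct horse", SALT, SHARE)
    print("derived", len(key), "byte volume key")
```

Only the derived key would be handed to the disk-unlock step; the share itself should travel over an authenticated, encrypted channel and never be written to the unencrypted boot partition.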