Add early SSH for LUKS #30
Comments
@bd8392 Is that early-SSH feature implemented in some other OS already? I'm not familiar with LUKS, so it would help if we could copy the solution from somewhere.
You mean basic bash colors? Those should be easy to enable now, as we decided to support only the Debian console (#9).
They are not natively supported, but there are some (a little outdated) manuals for Debian: https://projectgus.com/2013/05/encrypted-rootfs-over-ssh-with-debian-wheezy/
I don't know how much effort this is, but maybe it's an additional argument for your OS, as it would be the only one I know of which supports this natively or via cloud-init.
Yesss :-) I think it makes things a lot easier :-)
I added this to the initial request :-). Sadly RancherOS never worked with the Pi 4.
The target is to include support for it in version 2.0.0, but it does not have an ETA yet. A summary of target platforms and versions can be found at https://github.com/burmilla/os/projects
@bd8392 Btw, can you describe your use case for LUKS a bit more? Is it enough that everything under user docker is encrypted?
The use case would be protecting the hardware and the data on it against physical theft. At-rest encryption of the whole system would be the optimum (including swap and RAM), but I don't know any system that can provide this. Sadly, Windows has a more secure approach than Linux here (BitLocker with Secure Boot).
@bd8392 Not even Windows encrypts RAM, afaik, and IMO it does not make sense to use swap on BurmillaOS, as Docker will not let containers use it anyway. However, because BurmillaOS uses a two-level Docker runtime and SSH is actually running in the console container, it might work even without any code changes. You just need to have another encrypted drive/partition for user docker and configure runcmd to mount it before user docker starts, like in my config example in #6 (comment). Then after reboot, user docker start should fail until you unlock that drive. Can you try?
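The manual unlock step the comment above describes (open the separate LUKS partition for user docker over the SSH session, mount it, and only then let user docker start), written out as an added example. This is not BurmillaOS/RancherOS code and not the config from #6; the device path /dev/sda3, the mapper name userdocker and the mountpoint /var/lib/user-docker are assumptions, as is that user docker's data directory lives at that mountpoint.

```sh
#!/bin/sh
# Added example, not BurmillaOS/RancherOS code. Assumptions (hypothetical values):
#   LUKS_DEV    - the separate encrypted partition for user docker
#   MAPPER_NAME - the device-mapper name to open it as
#   MOUNTPOINT  - where user docker expects its data directory
# Run over the SSH session to the console container after a reboot.
set -eu

LUKS_DEV="${LUKS_DEV:-/dev/sda3}"
MAPPER_NAME="${MAPPER_NAME:-userdocker}"
MOUNTPOINT="${MOUNTPOINT:-/var/lib/user-docker}"

# Reads `cryptsetup status <name>` output on stdin and succeeds only if the active
# mapping is a LUKS mapping with a real cipher. A `plain` dm-crypt mapping or the
# cipher_null test cipher also produce a /dev/mapper node, so the node's existence
# alone is not proof that the data underneath is encrypted.
status_is_luks() {
    awk '
        $1 == "type:"   { mtype = $2 }
        $1 == "cipher:" { mcipher = $2 }
        END { exit !(mtype ~ /^LUKS[12]?$/ && mcipher != "" && mcipher !~ /^cipher_null/) }
    '
}

# Succeeds only if a mount source path comes from device-mapper. An empty source
# (directory is not a mountpoint) or a raw partition means docker would write
# plaintext to the root filesystem or to an unencrypted disk.
source_is_dm() {
    case "$1" in
        /dev/mapper/*|/dev/dm-*) return 0 ;;
        *) return 1 ;;
    esac
}

unlock_and_mount() {
    # Refuse to proceed on a device that does not carry a LUKS header at all.
    cryptsetup isLuks "$LUKS_DEV" || { echo "$LUKS_DEV is not a LUKS device" >&2; return 1; }

    # Interactive passphrase prompt over SSH; skipped if the mapping already exists.
    if [ ! -e "/dev/mapper/$MAPPER_NAME" ]; then
        cryptsetup open "$LUKS_DEV" "$MAPPER_NAME"
    fi
    cryptsetup status "$MAPPER_NAME" | status_is_luks \
        || { echo "/dev/mapper/$MAPPER_NAME is not a LUKS mapping" >&2; return 1; }

    # nodev,nosuid: docker's data dir has no business holding device nodes or setuid binaries.
    if ! mountpoint -q "$MOUNTPOINT"; then
        mount -o nodev,nosuid "/dev/mapper/$MAPPER_NAME" "$MOUNTPOINT"
    fi

    # Final check before user docker is started: the directory must be backed by the mapping.
    source_is_dm "$(findmnt -n -o SOURCE -M "$MOUNTPOINT")" \
        || { echo "$MOUNTPOINT is not backed by device-mapper" >&2; return 1; }
    echo "$MOUNTPOINT is backed by /dev/mapper/$MAPPER_NAME; user docker can be started now"
}

# Only perform the privileged steps when explicitly asked, so the file can also be
# sourced for its check functions.
if [ "${RUN_UNLOCK:-0}" = 1 ]; then
    unlock_and_mount
fi
```

Run it as `RUN_UNLOCK=1 sh unlock-userdocker.sh` (file name is an assumption) from the SSH session, then start user docker with whatever command the OS version uses. The two pure check functions are the point: a /dev/mapper node by itself does not prove the data is LUKS-encrypted, and a directory that is not a mountpoint would let docker quietly write plaintext to the root filesystem, which defeats the whole purpose of the separate encrypted partition.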
I think the right way would be to use a LUKS + TPM 2.0 + UEFI (#8) combination. Then everything except the UEFI partition, which contains the bootloader, kernel and initrd, can be encrypted, and users don't need to manually unlock the server after reboot, which would be nice in edge use cases.
Hi :-) I love it that RancherOS now has a community edition to stop it from going EOL :-). It is one of the best systems I've had :-). Therefore I have some very cool ideas for how Burmilla can become even better than RancherOS was :-).
RancherOS supported full disk encryption, but didn't have early-SSH to decrypt it. It would be really cool if one could configure early-SSH with the cloud config. That would make RancherOS even more secure :-).
Added LVM and LUKS rancher/os#2545
A colorful terminal would be a nice gimmick :-). Like this OS:
https://blog.hypriot.com/
Support for Pi 4
Hope this gets integrated :-). If someone has more ideas or can offer help to the developers of this OS, that would be nice :-). I would be in for testing :-)