denji changed the title "Clevis/Tang: Network-bound Disk Encryption via wireguard?" to "Clevis/Tang: Network-bound Disk Encryption via WireGuard?" on Nov 22, 2022
I'll have to look into each to see if there are specific changes required for wireguard-initramfs support. I'm very much inclined to keep this module singularly focused and do it well; but open to changes if it's required to get these tools working.
There is nothing to do, it works flawlessly for the case:
establish the WireGuard tunnel, get tang/clevis over the VPN to decrypt the root partition, boot the OS
Instead it could be useful to store the private WireGuard key in the TPM, which only gets unsealed if the secure boot chain is valid. I would consider wireguard-initramfs more as an overlay to handle specific maintenance tasks in a specific net and not really as a security enhancement (problem: keeping the private key private). In combination with the initramfs-dropbear SSH server you get a neat fallback troubleshooting solution if something goes wrong with clevis/tang. And due to the pre-shared-key handling in the initramfs-dropbear solution you get a trust bonding which is safe as long as you can keep your private SSH client key safe.
clevis can be configured to use the TPM as client key storage, which should be limited to a verified secure boot chain. But there is no need for an additional protection layer.
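The two ideas in the comment above, a clevis policy that needs both the tang server behind the tunnel and a TPM seal bound to the Secure Boot PCR, and a WireGuard private key sealed to the TPM so it is only released on a valid Secure Boot chain, as an added shell example. This is not code from wireguard-initramfs, clevis or tang; it assumes tpm2-tools and clevis are installed, and the tang URL, device path and output directory are placeholders chosen for the illustration.

```shell
#!/bin/sh
# Added example; not part of wireguard-initramfs, clevis or tang.
# Assumes tpm2-tools (tpm2_createprimary, tpm2_createpolicy, tpm2_create,
# tpm2_load, tpm2_unseal) and clevis. All paths/URLs below are placeholders.
set -eu

# clevis "sss" policy with threshold 2: unlocking needs BOTH the tang server
# (only reachable once the WireGuard tunnel is up) AND a TPM2 seal bound to
# PCR 7 (UEFI Secure Boot state). A disk moved to another machine, or booted
# with Secure Boot disabled, therefore cannot be unlocked automatically.
clevis_sss_config() {
  printf '{"t":2,"pins":{"tang":{"url":"%s"},"tpm2":{"pcr_bank":"sha256","pcr_ids":"%s"}}}' "$1" "$2"
}

# Bind a LUKS device with that policy (needs root, a TPM and a reachable tang).
clevis_bind_luks() {
  dev=$1; tang_url=$2; pcr=${3:-7}
  clevis luks bind -d "$dev" sss "$(clevis_sss_config "$tang_url" "$pcr")"
}

# Seal a WireGuard private key (44 bytes base64, well under the TPM2 seal
# limit) under a PCR 7 policy. The resulting key.pub/key.priv blobs are
# useless on another TPM or after the Secure Boot state changes.
wg_seal_key() {
  keyfile=$1; outdir=$2; pcr=${3:-7}
  umask 077
  mkdir -p "$outdir"
  tpm2_createprimary -C o -c "$outdir/primary.ctx" >/dev/null
  tpm2_createpolicy --policy-pcr -l "sha256:$pcr" -L "$outdir/pcr.policy" >/dev/null
  tpm2_create -C "$outdir/primary.ctx" -i "$keyfile" -L "$outdir/pcr.policy" \
    -u "$outdir/key.pub" -r "$outdir/key.priv" >/dev/null
  # Keep only the sealed blobs in the initramfs; the plaintext key never needs
  # to be stored on disk again.
  echo "sealed $keyfile -> $outdir/key.pub, $outdir/key.priv (PCR $pcr)" >&2
}

# Unseal in the initramfs. The primary key is recreated deterministically from
# the owner hierarchy seed with the same template, so no primary.ctx needs to
# survive the reboot. tpm2_unseal fails if PCR 7 no longer matches the value
# recorded in the policy, i.e. the key is withheld outside the trusted chain.
wg_unseal_key() {
  outdir=$1; pcr=${2:-7}
  umask 077
  tpm2_createprimary -C o -c "$outdir/primary.ctx" >/dev/null
  tpm2_load -C "$outdir/primary.ctx" -u "$outdir/key.pub" -r "$outdir/key.priv" \
    -c "$outdir/key.ctx" >/dev/null
  tpm2_unseal -c "$outdir/key.ctx" -p "pcr:sha256:$pcr"
}

# Typical flow on the host (placeholders, run only by hand as root):
#   wg genkey > /etc/wireguard/wg0.key
#   wg_seal_key /etc/wireguard/wg0.key /etc/wireguard/tpm 7
#   clevis_bind_luks /dev/sda2 http://tang.internal.example 7
# In the initramfs:
#   wg set wg0 private-key <(wg_unseal_key /etc/wireguard/tpm 7)   # bash/ksh
# Running this file directly just shows the clevis policy it would bind:
clevis_sss_config "http://tang.internal.example" 7
echo
```

The threshold of 2 is the point: with `"t":1` either pin alone would suffice, and a stolen disk plus a copy of the WireGuard key could be unlocked anywhere the tang server is reachable. Binding the seal to PCR 7 also means a firmware update that changes the Secure Boot database requires re-sealing the key and re-binding the LUKS slot, so keep a passphrase slot as the manual fallback.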
It might be a good idea to implement a clevis/tang UEFI hook with secure booting.