

I have a question relating to implementing encryption of data at rest. This is possibly more suited to another stackexchange site, so please let me know where would be better to post if I'm a little off base.

My system has an NVME drive with OPAL 2.0 hardware encryption and a TPM 2.0 module. I am running Ubuntu 20.04 with the 5.8 kernel (if that's relevant). The NVME contains the operating system partitions (/boot, /, etc.) and there is a separate set of self-encrypting drives to hold the data that the system handles. The data will be protected while the system is powered off as the disks have encryption enabled. When in use, the system is configured and used via a web interface, so the system requires only a network connection to be operational. I want to protect the operating system and the proprietary data processing code that is stored on it, along with the configuration information.

I can set a passphrase on the NVME drive, but then the system prompts me for a password when I boot. This is not ideal as I will have to tell the customer the passphrase for them to use the system, and they will need a keyboard and monitor in order to enter the password - not ideal for a headless system.

While investigating this I have come across several guides which claim to give "Full Disk Encryption", but they use software encryption and do not encrypt the /boot partition. This, to my mind, is not "Full Disk Encryption". Despite this I have configured my system with an unencrypted /boot partition and a LUKS encrypted LVM for the / partition. It is automatically unlocked during boot by clevis after the TPM gives the passphrase to the system. Along the way I have discovered the importance of Secure Boot, PCRs and MOKs.

While I have a working solution, I feel that I could get a small performance gain by using the hardware encryption available on the NVME disk; then I can remove the software encryption. But I cannot find any guides or published solutions that will allow the system to boot unattended in a headless configuration. This seems like it should be possible, but I cannot find the right combination of keywords to get to the solution. The key requirements (pun intended) I have are:
