Yarn

Recent twts in reply to #r7k4qra

@mckinley@twtxt.net Interesting. For a moment, I thought about using that for our servers at work, but mh, I’d rather not. It’s fine for stuff at home, as you said.

(The way the text is written, you might think that you can specify expiry dates for key slots, because of that “it’s only valid for 30 seconds”. Then I realized that doesn’t make any sense. 😅)

@movq@www.uninformativ.de I get it. I wouldn’t set this up for anyone else. Systems that are on all the time don’t benefit as much from at-rest encryption, anyway. This is definitely an interesting solution, however, and it has worked well for me in the past 1-2 weeks. We’ll see how it goes in 1-2 years.

@movq@www.uninformativ.de I reworked the paragraph about security and improved that sentence. Hopefully it’s a little more clear.

However, the key on the unencrypted partition is only valid for the time it takes to reboot, assuming we reboot as soon as the script completes.

@mckinley@twtxt.net Yeah, that’s more clear. 👌

Systems that are on all the time don’t benefit as much from at-rest encryption, anyway.

Right, especially not if it’s “cloud storage”. 😅 (We’re only doing it on our backup servers, which are “real” hardware.)
