I had some spare time today, so I wrote it up on my website here
I had some spare time today, so I wrote it up on my website here
I don’t at the moment, because I don’t have a need for it, but I did for a while run a PoC with Step CA, and that seems like the easiest way to get up and running, even if its features are overkill for a home lab.
if you go down the luks route, an option to look at is Clevis/Tang for automatic unlocking on a trusted network. I have a tang server running in the cloud, firewalled to my home IP, so if my server reboots in my house, it auto unlocks, but if you steal it and try to turn it on anywhere else, it won’t be able to auto unlock, and will require a password.
I should write that config up somewhere as a guide.
Thinkst have also published opencanary which you can run yourself and contains a decent subset of what their hardware canaries run, including SSH and cifs.
My aim for the year of voice is to replace my google minis with something that works locally with ha, if this gets integrated that way its gonna save me reasonable amounts of money on speakers :D
I worte a guide last year on how I do network bound encryption - that is the disk will automatically decrypt at boot if it’s connected to my home network, but not if the disk or machine is removed from my house. The advantage over the dropbear method is that you can set unattended upgrades to auto reboot your server whenever it installs security updates, and it’ll come back up with no manual intervention from you.