  • Just putting the key file somewhere does nothing. It has to be in a spot that is not encrypted and the kernel has to know where it is. Putting it on /boot or /boot/efi is one way. Putting it in the initrd is another.

    Of course, having the key out in the open defeats the purpose of encrypting the drive in the first place. Sealing it in the TPM would be one solution. But still you have to tell the kernel where to find it.

    Personally, my server has an SSH server in the initrd and allows me to unlock it remotely that way. I think it uses dropbear.

    There should be several tutorials for every way. No idea if there are Fedora-specific ways to follow.
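
A way to check which of the situations described above a machine is in, as an added example that is not part of the original comment: it reads crypttab-format text and reports, per volume, whether the key is typed at a prompt, sealed in the TPM, or read from a key file sitting on the unencrypted /boot. The function names and sample entries are constructed for illustration, and it assumes the systemd crypttab convention of `none` or `-` for "no key file" and the `tpm2-device=` option for TPM-sealed keys.

```shell
# Added example: classify how each crypttab entry obtains its key.
# Reads crypttab-format text on stdin, prints "<name> <verdict>" per entry.
classify_crypttab() {
    while read -r name device keyfile options _; do
        # Skip blank lines and comments.
        case "$name" in ''|'#'*) continue ;; esac
        # A TPM-sealed key is not readable from disk, so report it first.
        case ",$options," in
            *,tpm2-device=*) echo "$name tpm2-sealed"; continue ;;
        esac
        case "$keyfile" in
            ''|none|-) echo "$name prompt" ;;
            # Key stored in the clear next to the kernel: anyone with the
            # disk can read it, which defeats the encryption.
            /boot/*)   echo "$name keyfile-on-unencrypted-boot" ;;
            # Any other path only works at boot if it is copied into the
            # initrd or lives on a volume that is already unlocked.
            *)         echo "$name keyfile-other" ;;
        esac
    done
}

# Constructed sample input (UUIDs are placeholders, not from the comment).
sample_crypttab() {
    cat <<'EOF'
# name  device                keyfile               options
root    UUID=<placeholder-1>  none                  luks
data    UUID=<placeholder-2>  /boot/keys/data.key   luks
backup  UUID=<placeholder-3>  /etc/keys/backup.key  luks
srv     UUID=<placeholder-4>  -                     tpm2-device=auto
EOF
}

sample_crypttab | classify_crypttab
```

On a real system the input would be `/etc/crypttab`; a `keyfile-other` result still needs a manual check of whether that file is also packed into the initrd, since an initrd on an unencrypted /boot exposes the key the same way.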