!JQvnJacrwKgtkGHYHO:matrix.org

NixOS + Framework

225 Members
Discussing NixOS in the context of the Framework laptop50 Servers

Load older messages

SenderMessageTime
10 May 2026
@sudoforge:matrix.orgsudoforge* nice. my infra can run entirely offline (well, for anyone on prem -- of course the remote nodes can't get in if all networking is down)21:39:22
@sudoforge:matrix.orgsudoforgewhy would you do that?21:39:44
@albertlarsan68:albertlarsan.frAlbert LarsanTo unlock the machines via ssh over Tor, as they don’t all have a dedicated IPv4 (and when in initramfs they get IPv6 with SLAAC). And port forwarding isn’t always an option. And some machines are alone on their LAN21:42:28
@sudoforge:matrix.orgsudoforgeah i see. i imagine you could21:43:28
@sudoforge:matrix.orgsudoforgemaybe this will help. my remote nodes are "clients" that my infra doesn't reach out to (it's the other way around). they are designed to establish the tunnel in initramfs in order to be able to hit my tang server (which again, is just another device on the LAN basically) for unlocking; i do this with a systemd unit since i use systemd in initrd. as a fallback, these each have a unique key file stored on USBs, given to the adults in each household and instructed to keep it where they keep all of their important documents, so that they never lose it. it's comically large, and brightly colored, so it's hard to miss. this USB is automatically decrypted with on-device TPM (yes, looser PCRs) and can unlock the disks in the event that my tang server is unreachable21:55:42
@sudoforge:matrix.orgsudoforgei live about 1400km away from the bulk of these nodes21:58:55
@sudoforge:matrix.orgsudoforgeso some balance between my desire for the highest level of security and "well what if i'm unavailable" needed to be found lol21:59:37
@rajil:rajils.comtrumee

sudoforge: i enrolled the yubikey when using disko. It did not create a receovery password. How can i open the disk manually using yubikey? This fails:

root@portable ~ [1]# cryptsetup open /dev/nvme0n1p2 --fido2-device=auto cryptdisk
Usage: cryptsetup [-?VqrvyN] [-?|--help] [--usage] [-V|--version]
        [--active-name=STRING] [--align-payload=SECTORS] [--allow-discards]
        [-q|--batch-mode] [--cancel-deferred] [-c|--cipher=STRING] [--debug]
        [--debug-json] [--decrypt] [--deferred] [--device-size=bytes]
        [--disable-blkid] [--disable-external-tokens] [--disable-keyring]
        [--disable-locks] [--disable-veracrypt] [--dump-json-metadata]
        [--dump-volume-key] [--encrypt] [--external-tokens-path=STRING]
        [--force-password] [--force-offline-reencrypt] [--force-no-keyslots]
        [-h|--hash=STRING] [--header=STRING] [--header-backup-file=STRING]
        [--hotzone-size=bytes] [--hw-opal] [--hw-opal-factory-reset]
        [--hw-opal-only] [--init-only] [-I|--integrity=STRING]
        [--integrity-inline] [--integrity-key-size=BITS]
        [--integrity-legacy-padding] [--integrity-no-journal]
        [--integrity-no-wipe] [-i|--iter-time=msecs] [--iv-large-sectors]
        [--json-file=STRING] [--keep-key] [--key-description=STRING]
        [-d|--key-file=STRING] [-s|--key-size=BITS] [-S|--key-slot=INT]
        [--keyfile-offset=bytes] [-l|--keyfile-size=bytes]
        [--keyslot-cipher=STRING] [--keyslot-key-size=BITS] [--label=STRING]
        [--link-vk-to-keyring=STRING] [--luks2-keyslots-size=bytes]
        [--luks2-metadata-size=bytes] [--new-keyfile=STRING]
        [--new-keyfile-offset=bytes] [--new-keyfile-size=bytes]
        [--new-key-description=STRING] [--new-key-size=BITS]
        [--new-key-slot=INT] [--new-token-id=INT]
        [--new-volume-key-file=STRING] [--new-volume-key-keyring=STRING]
        [-o|--offset=SECTORS] [--pbkdf=STRING]
        [--pbkdf-force-iterations=LONG] [--pbkdf-memory=kilobytes]
        [--pbkdf-parallel=threads] [--perf-high_priority]
        [--perf-no_read_workqueue] [--perf-no_write_workqueue]
        [--perf-same_cpu_crypt] [--perf-submit_from_crypt_cpus]
        [--persistent] [--priority=STRING] [--progress-json]
        [--progress-frequency=secs] [-r|--readonly]
        [--reduce-device-size=bytes] [--refresh] [--resilience=STRING]
        [--resilience-hash=STRING] [--resume-only] [--sector-size=INT]
        [--serialize-memory-hard-pbkdf] [--shared] [-b|--size=SECTORS]
        [-p|--skip=SECTORS] [--subsystem=STRING] [--test-args]
        [--test-passphrase] [-t|--timeout=secs] [--token-id=INT]
        [--token-only] [--token-replace] [--token-type=STRING]
        [--tcrypt-backup] [--tcrypt-hidden] [--tcrypt-system]
        [-T|--tries=INT] [-M|--type=STRING] [--unbound] [--use-random]
        [--use-urandom] [--uuid=STRING] [--veracrypt] [--veracrypt-pim=INT]
        [--veracrypt-query-pim] [-v|--verbose] [-y|--verify-passphrase]
        [--volume-key-file=STRING] [--volume-key-keyring=STRING]
        [-B|--block-size=MiB] [-N|--new] [--use-directio] [--use-fsync]
        [--write-log] [--dump-master-key] [--master-key-file=STRING]
        [OPTION...] <action> <action-specific>
--fido2-device=auto: unknown option
22:09:51
@sudoforge:matrix.orgsudoforge drop --fido2-device=auto 22:12:39
@rajil:rajils.comtrumeeIt asks for passphrase which i dont have/set.22:13:31
@rajil:rajils.comtrumeeI should have setup a recorvery key post disko run, which i didnt.22:14:07
@rajil:rajils.comtrumeeOnly the yubikey was enrolled.22:14:29
@sudoforge:matrix.orgsudoforge did you explicitly disable the recovery key? this is the content.enrollRecovery option 22:14:30
@rajil:rajils.comtrumeeyes, i disabled it.22:14:39
@rajil:rajils.comtrumeeSo there is no way to use the yubikey token to open the disk manually?22:15:24
@rajil:rajils.comtrumeeI can redo the disko, and reinstall but surprised that i need to do that22:16:03
@sudoforge:matrix.orgsudoforge
  1. luksDump to actually verify that you only have the fido2 token
  2. throw a --token-only on your cli
22:18:54
@sudoforge:matrix.orgsudoforge *
  1. luksDump to actually verify that you only have the fido2 token as a key
  2. throw a --token-only on the cryptsetup-open command
22:19:29
@sudoforge:matrix.orgsudoforge *
  1. luksDump to actually verify that you only have the fido2 token as a key
  2. throw a --token-only on the cryptsetup-open command; this tells cryptsetup to not ask for a passphrase and instead use tokens
22:20:06
@sudoforge:matrix.orgsudoforge *
  1. luksDump to actually verify that you only have the fido2 token as a key
  2. throw a --token-only on the cryptsetup-open command; this tells cryptsetup to not ask for a passphrase and instead use enrolled tokens
22:20:16
@sudoforge:matrix.orgsudoforge and 3. you should probably set content.enrollRecovery = true; 22:22:22
@sudoforge:matrix.orgsudoforge * and 3. you should probably set content.enrollRecovery = true; (doing this will require formatting your disk if you want disko to apply it, but you can also just manually add a recovery passphrase) 22:23:01
@rajil:rajils.comtrumeeyes, i changed in disko. And doing a reinstall.22:26:48
@rajil:rajils.comtrumee do i need boot.loader.systemd-boot.enable = true; for fido2 support? 22:30:40
@sudoforge:matrix.orgsudoforgeuh, i've been using systemd-boot as my bootloader for far too long22:32:33
@sudoforge:matrix.orgsudoforgeso22:32:35
@sudoforge:matrix.orgsudoforgei have no idea if grub (or whatever else you're using currently?) supports fido2 devices for unlocking encrypted volumes22:33:02
@rajil:rajils.comtrumeeok, i will enable it. i am not using grub22:34:56
@sudoforge:matrix.orgsudoforgeyou'll want to explicitly disable grub then22:35:07
@sudoforge:matrix.orgsudoforge boot.loader.grub.enable = lib.mkForce false; 22:35:21

Show newer messages

Back to Room ListRoom Version: 10