| 10 May 2026 |
sudoforge | i didn't see encryption configuration in the config you shared earlier. did i miss it? | 21:01:38 |
sudoforge | oh, so i did | 21:01:51 |
sudoforge | oops | 21:01:51 |
Albert Larsan | There is luks, but with default-ish configs | 21:02:10 |
sudoforge | yeah, which will just ask for a passphrase | 21:02:24 |
sudoforge | i'm tracking now | 21:02:32 |
sudoforge | trumee the fido2 support landed 3 weeks ago, and unfortunately a release hasn't been cut yet | 21:03:18 |
sudoforge | which is why "latest" didn't work for you | 21:03:25 |
Albert Larsan | Even the second disk is crypted. I would have loved to make a key file work, but despite trying for a week I couldn’t, so it also has a passphrase and unlocks from tpmk | 21:03:35 |
sudoforge | in multi-disk systems i just use the same passphrase | 21:03:54 |
sudoforge | cryptsetup caches it when unlocking, so, it's not too painful if i ever do need to manually enter it | 21:04:24 |
sudoforge | * in multi-disk systems i just use the same passphrase for all of the disks | 21:04:44 |
Albert Larsan | It is the same passphrase, but it must boot automatically, without passphrases. | 21:05:07 |
sudoforge | yep | 21:05:24 |
sudoforge | for that, i use clevis + tang | 21:05:29 |
Albert Larsan | And I use not enough PCRs on my TPM. | 21:19:19 |
sudoforge | :( | 21:24:56 |
sudoforge | PCRs that are a little looser for a server make a certain sense, but | 21:27:27 |
sudoforge | i would strongly encourage you to research clevis+tang and move to that | 21:27:39 |
Albert Larsan | I am really unsure of which ones to use with lanzaboote | 21:27:46 |
Albert Larsan | My servers are in multiple locations, with independent internet accesses | 21:28:08 |
sudoforge | my servers are all onprem (in a rack in my home). my tang server is my laptop | 21:28:54 |
Albert Larsan | So they all are on a single LAN | 21:29:44 |
sudoforge | i'm always able to have my laptop "on the network" even when i'm traveling, so even if a machine goes down and needs to reboot, i can start the tang server (this is ephemeral by design; it is not always available) and voila, the servers can decrypt the disks | 21:29:52 |
Albert Larsan | Mine are across 4 LANs, with ISP-provided routers. | 21:30:36 |
sudoforge | and yep, all my servers are in a single LAN | 21:30:45 |
sudoforge | interesting - family homes? | 21:30:49 |
sudoforge | i'm "netflix" for my family, and have a small node with some storage that acts as a pull-through cache to my storage cluster (ceph) via a persistent wg tunnel | 21:31:38 |
sudoforge | so, even those remote nodes are "on the LAN" | 21:31:45 |
Albert Larsan | My home, my grandparents’ home, and a school/work server room (this one I can touch the router, and I might grab a free IPv4 for the laptop there) | 21:32:11 |