| 10 May 2026 |
Albert Larsan | And I don't use enough PCRs on my TPM. | 21:19:19 |
sudoforge | :( | 21:24:56 |
sudoforge | PCRs that are a little looser for a server make a certain sense, but | 21:27:27 |
sudoforge | i would strongly encourage you to research clevis+tang and move to that | 21:27:39 |
Albert Larsan | I am really unsure of which ones to use with lanzaboote | 21:27:46 |
Albert Larsan | My servers are in multiple locations, with independent internet accesses | 21:28:08 |
sudoforge | my servers are all onprem (in a rack in my home). my tang server is my laptop | 21:28:54 |
Albert Larsan | So they all are on a single LAN | 21:29:44 |
sudoforge | i'm always able to have my laptop "on the network" even when i'm traveling, so even if a machine goes down and needs to reboot, i can start the tang server (this is ephemeral by design; it is not always available) and voila, the servers can decrypt the disks | 21:29:52 |
Albert Larsan | Mine are across 4 LANs, with ISP-provided routers. | 21:30:36 |
sudoforge | and yep, all my servers are in a single LAN | 21:30:45 |
sudoforge | interesting - family homes? | 21:30:49 |
sudoforge | i'm "netflix" for my family, and have a small node with some storage that acts as a pull-through cache to my storage cluster (ceph) via a persistent wg tunnel | 21:31:38 |
sudoforge | so, even those remote nodes are "on the LAN" | 21:31:45 |
Albert Larsan | My home, my grandparents’ home, and a school/work server room (this one I can touch the router, and I might grab a free IPv4 for the laptop there) | 21:32:11 |
sudoforge | * i'm "netflix" for my family, and have a small node with some storage at each of their homes that acts as a pull-through cache to my storage cluster (ceph) via a persistent wg tunnel | 21:32:16 |
Albert Larsan | But your wg tunnel works even when the disks are encrypted? | 21:32:38 |
sudoforge | yes, it's the one thing that is always up and available | 21:32:55 |
Albert Larsan | So each machine has the wg secret in the initramfs? Or is it protected some other way? | 21:33:48 |
sudoforge | my wg relay runs on dedicated hardware, distributed across currently 8 intel NUCs (they are all replicas of each other) in an HA topology, with independent power backup. i have fiber to the house, cellular backup, and optionally satellite that i can enable if i need to | 21:35:32 |
Albert Larsan | Alright. I have FTTH and Ethernet from my laptops to the ISP router, with backup of wifi if ethernet is disconnected. I can have some of the routers act as OpenVPN servers, with a bridged mode to access the LAN. | 21:37:07 |
sudoforge | nice. my infra can run entirely offline | 21:38:28 |
sudoforge | key things (e.g. the wg relay) are actually available as hidden services on the onion network too | 21:38:42 |
Albert Larsan | Would it be a good idea to launch Tor in initramfs? | 21:39:22 |
sudoforge | * nice. my infra can run entirely offline (well, for anyone on prem -- of course the remote nodes can't get in if all networking is down) | 21:39:22 |
sudoforge | why would you do that? | 21:39:44 |
Albert Larsan | To unlock the machines via ssh over Tor, as they don’t all have a dedicated IPv4 (and when in initramfs they get IPv6 with SLAAC). And port forwarding isn’t always an option. And some machines are alone on their LAN | 21:42:28 |
sudoforge | ah i see. i imagine you could | 21:43:28 |
sudoforge | maybe this will help. my remote nodes are "clients" that my infra doesn't reach out to (it's the other way around). they are designed to establish the tunnel in initramfs in order to be able to hit my tang server (which again, is just another device on the LAN basically) for unlocking; i do this with a systemd unit since i use systemd in initrd. as a fallback, these each have a unique key file stored on USBs, given to the adults in each household and instructed to keep it where they keep all of their important documents, so that they never lose it. it's comically large, and brightly colored, so it's hard to miss. this USB is automatically decrypted with on-device TPM (yes, looser PCRs) and can unlock the disks in the event that my tang server is unreachable | 21:55:42 |
sudoforge | i live about 1400km away from the bulk of these nodes | 21:58:55 |