| 11 Jun 2023 |
 ElvishJerricco | my system does it by having the tailscale state dir shared between stages and stored on a disk that's TPM2 encrypted, and unlocked in initrd without user input | 06:42:19 |
| ElvishJerricco | letting me log in so I can enter the key for the root fs and get the system booted | 06:42:43 |
 K900 | I have a horrible idea now | 06:43:15 |
| ElvishJerricco | do tell | 06:43:23 |
| K900 | You could, in theory, do OIDC with a key stored on the TPM | 06:44:20 |
| ElvishJerricco | what's OIDC? | 06:44:38 |
| K900 | OpenID Connect, which is the thing Tailscale uses for auth | 06:44:49 |
| ElvishJerricco | so what does it mean to store a key for it on the TPM? | 06:46:02 |
| K900 | It's just auth | 06:46:10 |
| K900 | You sign a token with your private key | 06:46:16 |
| K900 | And send it to the server that knows your public key | 06:46:23 |
| K900 | So you can log in to Tailscale without any secrets ever being persisted outside the TPM | 06:46:43 |
| ElvishJerricco | oh that's a really cool idea actually | 06:47:01 |
| ElvishJerricco | though usually people don't actually store shit in the tpm | 06:47:08 |
| ElvishJerricco | since space there is very limited | 06:47:12 |
| ElvishJerricco | and I think it can only store tpm key hierarchy things? | 06:47:30 |
| ElvishJerricco | but sealing a key is just as good | 06:48:01 |
| ElvishJerricco | or, no, you want to do the actual auth crypto on the tpm and never on the host | 06:48:17 |
| ElvishJerricco | hm | 06:48:23 |
| K900 | Yep | 06:48:26 |
| K900 | You should be able to | 06:48:32 |
| ElvishJerricco | yea I dunno the details well enough to be sure | 06:48:41 |
| ElvishJerricco | but it sounds possible | 06:48:48 |
| K900 | One problem with that is that I'm not sure you can authenticate as the same machine more than once on Tailscale | 06:52:21 |
| K900 | At least with Headscale you have to manually remove the old node | 06:52:38 |
| ElvishJerricco | oh, wait, which level of auth are we talking about? The SSO thing where you actually login for the first time and add the node? Or the auth that occurs just be starting tailscaled back up again? | 06:53:37 |
| ElvishJerricco | * oh, wait, which level of auth are we talking about? The SSO thing where you actually login for the first time and add the node? Or the auth that occurs just by starting tailscaled back up again? | 06:53:50 |
| K900 | The SSO auth | 06:54:30 |
| ElvishJerricco | I see | 06:54:37 |
| K900 | The second auth just uses the token that's persisted on disk | 06:54:40 |
