| 30 Oct 2024 |
 flare | haven't tried it yet tho since most of my nvmes get exposed as USB UAS device from enclosures | 23:14:05 |
|  Paul joined the room. | 23:38:42 |
| 31 Oct 2024 |
|  Frédéric Christ joined the room. | 08:55:09 |
|  @shaderoit99:matrix.org joined the room. | 12:26:26 |
 ElvishJerricco | In reply to @adam:robins.wtf
I just got a new nvme for my main desktop/server. Should I do disk encryption this time? I always encrypt but it's usually because I have some new overly complicated thing I want to try out | 20:26:57 |
| ElvishJerricco | see: this wonderful disaster | 20:28:22 |
| ElvishJerricco | or this one | 20:29:06 |
 sophie | In reply to @elvishjerricco:matrix.org
see: this wonderful disaster what is this...? | 21:10:55 |
| ElvishJerricco | sophie: some (slightly outdated) modules I use to do a cursed combination of remote attestation and TPM2-bound disk encryption with tailscale | 21:11:50 |
| sophie | I'm just trying to unpick how the remote attestation works | 21:12:35 |
| ElvishJerricco | basically, there's a TPM2-bound zvol that contains SSH host keys and tailscale state. This allows me to remote in, and the fact that tailscale and SSH host keys were automatically decrypted informs me that the TPM2's boot measurements were correct. Once logged in, I can enter the TPM2 pin for decrypting the root FS | 21:13:36 |
| ElvishJerricco | it would be better to do, like, actual remote attestation, but this is adequate | 21:14:13 |
| sophie | ah so the system boots into a state and waits for the TPM2 pin to be provided over the SSH session it started with the protected host keys | 21:15:07 |
| ElvishJerricco | yep | 21:15:15 |
| ElvishJerricco | so the host keys are critical. They basically are the attestation | 21:15:29 |
| sophie | interesting. I've always wanted to try out that remote attestation and stuff | 21:16:01 |
| ElvishJerricco | eventually I'm going to get it set up with some kind of app on my phone, so the server sends a notification to my phone with a remote attestation report and asks the phone to decrypt the volume key. I check the app, give it a nod of approval, and the system boots | 21:17:06 |
| sophie | if you're using Android, you can put the keys into an encrypted space with the encryption keys protected by the secure element too :) might be possible on iOS too but not tried that | 21:18:52 |
| ElvishJerricco | yea, tough choice between storing a wrapped key on the disk vs storing a wrapped key on the phone | 21:20:40 |
| ElvishJerricco | different tradeoffs between the two | 21:20:46 |
| sophie | could either use the stored key on the phone as the TPM2 pin or have the password be a combination of both keys | 21:22:15 |
| ElvishJerricco | yea that's interesting | 21:23:17 |
| 1 Nov 2024 |
|  Thales Menato joined the room. | 01:28:00 |
|  Ryan Yin joined the room. | 14:20:56 |
| 2 Nov 2024 |
|  Birhaman changed their profile picture. | 03:42:05 |
| Birhaman changed their profile picture. | 03:45:35 |
|  @icarus_dh:matrix.org joined the room. | 14:07:03 |
| 3 Nov 2024 |
|  Sam joined the room. | 14:34:19 |
|  @mrtrk:matrix.org left the room. | 16:15:51 |
|  Kiruya Momochi 百地希留耶 joined the room. | 19:50:31 |
