| 30 Oct 2024 |
hexa | makes disposing of the disks much less of a hassle | 19:37:37 |
adamcstephens | i've mostly reserved it for mobile devices. i also generally don't dispose of disks :) | 19:38:03 |
hexa | so you're collecting dead disks at home? 😄 | 19:38:22 |
adamcstephens | i have a couple yes. not really a collection :) | 19:39:19 |
adamcstephens | so, two nvmes, both with luks volumes and zfs mirror on top of that. | 19:39:46 |
hexa | sgtm | 19:40:08 |
abyxcos | In reply to @hexa:lossy.network so you're collecting dead disks at home? 😄 In the freezer, yes. | 20:29:44 |
| NIKHIL RANJAN joined the room. | 21:36:37 |
flare | In reply to @hexa:lossy.network makes disposing of the disks much less of a hassle even if I encrypt I still shred. I just enjoy the process of popping in shredos | 23:12:46 |
flare | also | 23:12:48 |
flare | some nvme drives have secure wipe features and I think it is possible to do it from the cli tool | 23:13:23 |
flare | haven't tried it yet tho since most of my nvmes get exposed as a USB UAS device from enclosures | 23:14:05 |
| Paul joined the room. | 23:38:42 |
| 31 Oct 2024 |
| Frédéric Christ joined the room. | 08:55:09 |
| Shaderoit joined the room. | 12:26:26 |
ElvishJerricco | In reply to @adam:robins.wtf I just got a new nvme for my main desktop/server. Should I do disk encryption this time? I always encrypt but it's usually because I have some new overly complicated thing I want to try out | 20:26:57 |
ElvishJerricco | see: this wonderful disaster | 20:28:22 |
ElvishJerricco | or this one | 20:29:06 |
sophie | In reply to @elvishjerricco:matrix.org see: this wonderful disaster what is this...? | 21:10:55 |
ElvishJerricco | sophie: some (slightly outdated) modules I use to do a cursed combination of remote attestation and TPM2-bound disk encryption with tailscale | 21:11:50 |
sophie | I'm just trying to unpick how the remote attestation works | 21:12:35 |
ElvishJerricco | basically, there's a TPM2-bound zvol that contains SSH host keys and tailscale state. This allows me to remote in, and the fact that tailscale and SSH host keys were automatically decrypted informs me that the TPM2's boot measurements were correct. Once logged in, I can enter the TPM2 pin for decrypting the root FS | 21:13:36 |
ElvishJerricco | it would be better to do, like, actual remote attestation, but this is adequate | 21:14:13 |
sophie | ah so the system boots into a state and waits for the TPM2 pin to be provided over the SSH session it started with the protected host keys | 21:15:07 |
ElvishJerricco | yep | 21:15:15 |
ElvishJerricco | so the host keys are critical. They basically are the attestation | 21:15:29 |
sophie | interesting. I've always wanted to try out that remote attestation and stuff | 21:16:01 |
ElvishJerricco | eventually I'm going to get it set up with some kind of app on my phone, so the server sends a notification to my phone with a remote attestation report and asks the phone to decrypt the volume key. I check the app, give it a nod of approval, and the system boots | 21:17:06 |