| 30 Jul 2025 |
emily | since you can easily verify initrd with secure boot/attestation | 19:50:18 |
hexa | or at least the one you are already familiar with | 19:51:38 |
hexa | * or at least the configuration stack one you are already familiar with | 19:51:47 |
DenKn | Is there a filesystem/dm-module with no encryption, but with signing? | 20:12:57 |
K900 | There are options, yes | 20:14:35 |
emily | (with complicated trade-offs) | 20:16:13 |
emily | (and not ones that are easy to deploy mutable NixOS systems to) | 20:16:19 |
DenKn | I do not need encryption, but signing would be interesting in such cases. I only want to mount encrypted data; mostly the system could be signed only | 20:18:30 |
emily | dm-verity is used for this in production | 20:20:33 |
emily | but is only really suitable for image deploys | 20:20:37 |
emily | fs-verity has potential for mutable systems but is complicated to close the gap with | 20:20:47 |