Hello,

It's often the case that customers want to use disk encryption to
protect against someone with physical access to BitFolk's storage¹
reading their data. The major inconvenience with this is that the VM
doesn't boot on its own any more; it waits for the LUKS passphrase
to be typed into the console.

Today I saw this article that goes through the steps of how to
configure things so that the passphrase can be stored in the initrd
file and used to automatically unlock the root filesystem at boot
time:

https://michael-prokop.at/blog/2023/03/22/automatically-unlocking-a-luks-en…

It might be a useful middle ground for someone.

Obviously anyone with access to the initrd file, which is stored in
the unencrypted /boot, could use it to unlock the disk so this
would not protect against someone with root access to a running
BitFolk server².

In general it should also be considered that someone with root
access to BitFolk's infrastructure can read everything written to
(or displayed on) your consoles, so could just wait for your next
reboot to capture you typing your LUKS passphrase in.

Cheers,
Andy

¹ This doesn't have to be BitFolk staff or an attacker, but could be
someone who got hold of a storage device that was replaced and
taken out of service. Though discard/TRIM is used where possible.

² The attack method would be:
1. Take snapshot of customer disk and transfer it off-site.
2. Unpack initrd file from inside unencrypted customer /boot.
3. Use the LUKS passphrase from within that to unlock customer
root filesystem.

All of which could be done without your knowledge.
--
https://bitfolk.com/ -- No-nonsense VPS hosting
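
To see which of your own volumes rely on a stored key rather than a passphrase typed at the console (the trade-off discussed in the message above), the following added example, which is not part of the original message, parses a crypttab file and lists the mappings that name a key file. It assumes the usual crypttab layout (name, device, key, options); the function names and the sample entries are made up for illustration.

```shell
#!/bin/sh
# Added example: list crypttab mappings that unlock from a stored key
# instead of a passphrase typed at the console.

# Print "name<TAB>keyfile" for each entry whose third field names a stored key.
# "none", "-" or a missing third field mean an interactive prompt;
# /dev/urandom and /dev/random are throwaway keys (typically swap).
stored_key_mappings() {
    awk '
        NF == 0      { next }                   # blank line
        $1 ~ /^#/    { next }                   # comment line
        NF < 3       { next }                   # no key field: prompt
        $3 == "none" || $3 == "-" { next }      # explicit prompt
        $3 == "/dev/urandom" || $3 == "/dev/random" { next }
        { printf "%s\t%s\n", $1, $3 }
    ' "$1"
}

# Constructed sample crypttab (names, UUIDs and paths are made up).
sample_crypttab() {
    cat <<'EOF'
# <name>   <device>                                  <key>              <options>
root_crypt UUID=00000000-0000-0000-0000-000000000001 /etc/keys/root.key luks,discard
home_crypt UUID=00000000-0000-0000-0000-000000000002 none               luks
swap_crypt /dev/xvdb1                                /dev/urandom       swap
data_crypt UUID=00000000-0000-0000-0000-000000000003

EOF
}

# Demonstration on the constructed sample.
tmp=$(mktemp)
sample_crypttab > "$tmp"
echo "Mappings unlocked from a stored key:"
stored_key_mappings "$tmp"
rm -f "$tmp"
```

Run `stored_key_mappings /etc/crypttab` on your own VM; any mapping it prints depends on key material kept on disk, so check whether that key also ends up in the initrd under the unencrypted /boot.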