I skimmed, but agree with your analysis.
I have a systemd service which, on reboot, adds a luks key stored on
the encrypted disk to the unencrypted initrd, and on boot, removes
it. Basically:
sed -i .../path/keyscript/... /etc/crypttab
update-initramfs -u
One idea: a way to make a bitfolk-level attacker always have to go
through memory to find the key, but still do unattended reboots: reboot
using kexec from a kernel+initrd that is either in memory or on the
encrypted disk.
Raptor Engineering has designed hardware + software meant to help with
this problem: https://www.integricloud.com/ . I've yet to try it; I
contacted them just a few days ago to try it but haven't heard back.
--
Ian Kelling | Senior Systems Administrator, Free Software Foundation
GPG Key: B125 F60B 7B28 7FF6 A2B7 DF8F 170A F0E2 9542 95DF
https://fsf.org | https://gnu.org
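The crypttab toggle described in the message above, written out as an added example (this is not Ian's actual unit or script). Assumptions, all hypothetical: the LUKS root is mapped as `cryptroot`, the keyfile lives at `/root/.luks-reboot.key` on the encrypted disk, Debian's `update-initramfs` with a matching `KEYFILE_PATTERN` in `/etc/cryptsetup-initramfs/conf-hook` copies a keyfile named in crypttab into the initrd, and the script is wired to a oneshot systemd unit as `ExecStart=... disarm` / `ExecStop=... arm` with `RemainAfterExit=yes`.

```shell
#!/bin/sh
# Added example, not the original poster's service.
# arm   (ExecStop, at shutdown): put the keyfile into /etc/crypttab and
#        rebuild the initrd so the next boot unlocks unattended.
# disarm (ExecStart, early at boot): take it back out, rebuild, and verify
#        the key is really gone from the unencrypted initrd.
set -eu

CRYPTTAB=${CRYPTTAB:-/etc/crypttab}                 # assumed paths/names
MAPPER=${MAPPER:-cryptroot}
KEYFILE=${KEYFILE:-/root/.luks-reboot.key}

# Rewrite only the key field (3rd column) of the target mapping's line;
# comments and other mappings are printed unchanged.
set_key_field() {  # $1 = "none" or a keyfile path
    awk -v m="$MAPPER" -v k="$1" '
        $1 == m && !/^#/ { $3 = k }
        { print }
    ' "$CRYPTTAB" > "$CRYPTTAB.tmp" && mv "$CRYPTTAB.tmp" "$CRYPTTAB"
}

# Report the current key field so a unit can check state before acting.
current_key_field() {
    awk -v m="$MAPPER" '$1 == m && !/^#/ { print $3; exit }' "$CRYPTTAB"
}

arm_for_reboot() {
    set_key_field "$KEYFILE"
    update-initramfs -u
}

disarm_after_boot() {
    set_key_field none
    update-initramfs -u
    # The window of exposure ends only when the rebuilt initrd no longer
    # carries the key; fail loudly if it still does.
    if lsinitramfs "/boot/initrd.img-$(uname -r)" | grep -q "${KEYFILE#/}"; then
        echo "LUKS key still present in initrd" >&2
        return 1
    fi
}

case "${1:-}" in
    arm)    arm_for_reboot ;;
    disarm) disarm_after_boot ;;
esac
```

Run `disarm` as early in boot as the unit ordering allows, so the rebuilt initrd without the key exists before anything else runs.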