rancher / elemental-toolkit

:snowflake: The toolkit to build, ship and maintain cloud-init driven Linux derivatives based on container images
https://rancher.github.io/elemental-toolkit/docs/
Apache License 2.0

Disk encryption #1782

Open frelon opened 1 year ago

frelon commented 1 year ago

Is your feature request related to a problem? Please describe.
It should be possible to deploy a fully encrypted system using elemental.

Describe the solution you'd like
I have a POC from hackweek for the install-command here: https://github.com/frelon/elemental-cli/tree/cryptsetup which adds configuration options to run cryptsetup on elemental install to encrypt partitions.

After that there needs to be changes to the grub-config and immutable-rootfs dracut module in order to actually unlock the partitions. This will probably depend on #1781 being merged.

kkaempf commented 1 year ago

Disk encryption is useful to prevent against unauthorized access to data in case a machine gets physically compromised.

Not sure how this is supposed to work in an edge/cluster scenario without anyone to enter the password.

'Supporting' this in Elemental might send the wrong message 🤔

frelon commented 1 year ago

> Disk encryption is useful to prevent against unauthorized access to data in case a machine gets physically compromised.

Yep, edge seems the perfect candidate for encryption, since those machines are often more physically available.

> Not sure how this is supposed to work in an edge/cluster scenario without anyone to enter the password.

It's up to the user, but there are lots of ways of unlocking volumes without a password (TPM comes to mind).

Not having disk encryption at the edge feels like an oversight, but I'm happy to have a discussion about this! :+1:

fgiudici commented 1 year ago

Well, TPM would protect us from a stolen disk, quite an elegant solution 👍🏼 If we want to be protected from the full machine being stolen, the thing that comes to my mind is to store the decryption passphrase in a Secret in the Rancher cluster, have the machine contact the operator at each boot at the registration endpoint, authenticate via the TPM and get the secret passphrase to unlock the disk. Of course, there should be a policy to block sending the Secret on boot (blocked by default, blocked on demand, ...) or it would be enough if the Rancher cluster is on a private network.

kkaempf commented 1 year ago

@agracey 👆🏻

Sporesirius commented 1 year ago

NBDE (Network-Bound Disk Encryption) comes to mind. I think it is mainly used in OpenShift, but the server and client are open source, Clevis and Tang.

kkaempf commented 7 months ago

https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/WGWLTHVL4EFKL2DUJIG4RMM46RS3SWKD/ !

ghost commented 2 months ago

Hello @kkaempf, any news about this enhancement, or maybe how to use it when we enter the Machine Registration information https://elemental.docs.rancher.com/machineregistration-reference/? :) Thanks a lot!

jmpolom commented 2 months ago

elemental should be able to configure LUKS volumes for any partitions configured (state, persistent, oem, user defined, etc.) but currently appears not to be able to do so. These LUKS volumes should be configurable to unlock via binding to a host security device (like a TPM 2.0 or FIDO2 token) as well as a manual text input method (recovery key) using systemd-cryptenroll.

Any status on when such a feature might be supported? The proof of concept looks like a good start.
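What the binding jmpolom describes would look like as installer logic, as an added illustration that is not part of this thread or of the toolkit's code: the config type, the temporary KeyFile handling and the rule that a recovery key is always enrolled are assumptions of this example; the flags are the documented ones of systemd-cryptenroll(1) and crypttab(5). The functions only build the command lines and the crypttab line, so they can be reviewed without a TPM or root.

```go
package main

import (
	"errors"
	"strings"
)

// EncryptedPartition is a hypothetical install-config entry (not the toolkit's schema).
type EncryptedPartition struct {
	Device, Name string // block device to format and its mapped name
	KeyFile      string // temporary key used only while installing
	TPM2PCRs     string // PCRs to seal against, e.g. "7+11"; empty means no TPM2 binding
	FIDO2        bool   // also enroll a FIDO2 token
	RecoveryKey  bool   // also enroll a generated recovery key
}

// EnrollCommands returns the argv of each command the installer would run: luksFormat
// with a temporary key, one systemd-cryptenroll per unlock method, then removal of that
// temporary key from its plain password slot so only the enrolled methods remain.
func EnrollCommands(p EncryptedPartition) ([][]string, error) {
	// Assumption of this example: a recovery key is always enrolled, so a missing token
	// or a firmware update that changes PCRs cannot lock the machine out of its own disk.
	if !p.RecoveryKey {
		return nil, errors.New("a recovery key must be enrolled")
	}
	enroll := func(extra ...string) []string {
		return append(append([]string{"systemd-cryptenroll", "--unlock-key-file=" + p.KeyFile}, extra...), p.Device)
	}
	cmds := [][]string{{"cryptsetup", "luksFormat", "--type", "luks2", "--batch-mode", "--key-file", p.KeyFile, p.Device}}
	if p.TPM2PCRs != "" {
		cmds = append(cmds, enroll("--tpm2-device=auto", "--tpm2-pcrs="+p.TPM2PCRs))
	}
	if p.FIDO2 {
		cmds = append(cmds, enroll("--fido2-device=auto"))
	}
	return append(cmds, enroll("--recovery-key"), enroll("--wipe-slot=password")), nil
}

// CrypttabEntry is the /etc/crypttab line that unlocks the volume from the enrolled
// device at boot; the recovery key is only typed when no device can unlock it.
func CrypttabEntry(p EncryptedPartition, uuid string) string {
	opts := []string{"luks"}
	if p.TPM2PCRs != "" {
		opts = append(opts, "tpm2-device=auto")
	}
	if p.FIDO2 {
		opts = append(opts, "fido2-device=auto")
	}
	return p.Name + " UUID=" + uuid + " none " + strings.Join(opts, ",")
}
```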

kkaempf commented 1 month ago

It's actually next on the list to investigate after we're done with SELinux 😉