nullpoint


Secure Fedora Server setup with LUKS encryption, TPM, and BTRFS RAID1 for (Hetzner) Dedicated Servers.

Note

This project is still WIP; there are some issues with networking of the installer / installed instance.

Features

  • Fedora Server base
  • Full disk encryption with LUKS
  • Remote unlock via Tang server
  • TPM-based boot verification
  • BTRFS RAID1 for data redundancy
  • Dedicated database subvolume with nodatacow and noatime
  • SSH key-only access with early boot SSH via dropbear

If you need a dead man's switch to go along with it check out raven.

Security Model

Unlock Methods

The system uses multiple methods to unlock the LUKS volumes:

  1. Primary Method: TPM2 + Tang server
    • TPM2 verifies boot integrity
    • Tang server provides remote unlock capability
    • Both must succeed for automatic unlock
  2. Fallback Method: Manual passphrase
    • Available via SSH before LUKS unlock
    • Uses dropbear for early SSH access
    • Can be used for recovery or maintenance
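The "both must succeed" rule above is what a Clevis Shamir Secret Sharing (sss) policy with threshold 2 over the tpm2 and tang pins expresses. The following is an added example, not code from nullpoint's install.sh; the Tang URL, thumbprint, PCR ids and device node are constructed placeholders that you would replace with the values configured at the top of install.sh:

```shell
#!/bin/bash
# Added example (not part of nullpoint): build the Clevis sss policy that
# requires BOTH a TPM2 PCR match and a Tang server response, then bind it.
# URL, thumbprint, PCR ids and device below are constructed placeholders.

# build_sss_policy URL THUMBPRINT PCR_IDS
# Emits the JSON passed to `clevis luks bind ... sss`. Threshold t=2 with
# exactly two pins means neither the TPM nor Tang can unlock on its own.
build_sss_policy() {
  local url="$1" thp="$2" pcr_ids="$3"
  printf '{"t":2,"pins":{"tpm2":{"pcr_bank":"sha256","pcr_ids":"%s"},"tang":[{"url":"%s","thp":"%s"}]}}' \
    "$pcr_ids" "$url" "$thp"
}

# policy_is_safe JSON: succeed (0) only when the threshold is 2 and both
# pins are present, i.e. single-factor unlock is impossible.
policy_is_safe() {
  local json="$1"
  case "$json" in *'"t":2'*) ;; *) return 1 ;; esac
  case "$json" in *'"tpm2"'*) ;; *) return 1 ;; esac
  case "$json" in *'"tang"'*)  ;; *) return 1 ;; esac
  return 0
}

# bind_luks DEVICE JSON: refuse weak policies, then run the real bind.
# Set DRY_RUN=1 to print the command instead of executing it.
bind_luks() {
  local dev="$1" json="$2"
  policy_is_safe "$json" || { echo "refusing policy without t=2/tpm2/tang" >&2; return 1; }
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "clevis luks bind -d $dev sss '$json'"
  else
    clevis luks bind -d "$dev" sss "$json"
  fi
}

# Usage with constructed values (dry run, so nothing is written):
#   POLICY=$(build_sss_policy https://tang.example.org:7500 REPLACE_WITH_TANG_THP 0,7)
#   DRY_RUN=1 bind_luks /dev/sda3 "$POLICY"
```

The thumbprint must be pinned (`thp`) rather than fetched on first use, otherwise a Tang server that is swapped out on the network can silently satisfy the second share. Which PCR ids to pin is the "TPM PCR settings" choice from the installer; 0 and 7 are used here only as a constructed sample.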

TPM Updates

After firmware updates (UEFI/BIOS), the TPM bindings need to be updated; otherwise the system will not boot without the recovery passphrase:

  1. Use the provided script: sudo /root/update-tpm-bindings.py
  2. The script will:
    • Show current PCR values
    • Update TPM bindings to match new measurements
    • Verify all bindings are correct
  3. Manual passphrase is available in /root/luks-passphrase.txt if needed
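To see before rebooting whether a firmware update has actually invalidated the TPM binding, compare the PCR values saved before the update with the current ones and check whether any of the PCR ids pinned in the policy changed. This is an added example, not the project's update-tpm-bindings.py; it reads saved output of `tpm2_pcrread sha256`, and the two PCR listings below are constructed sample data (the pinned ids "0,7" are likewise a constructed assumption):

```shell
#!/bin/bash
# Added example (not nullpoint's update-tpm-bindings.py): detect which PCRs
# changed after a firmware update and whether the Clevis TPM2 binding, which
# pins specific PCR ids, is affected. Inputs are saved `tpm2_pcrread sha256`
# outputs; both samples below are constructed.

# changed_pcrs BEFORE AFTER: print the PCR indices whose sha256 value differs.
# tpm2_pcrread lines look like "  7 : 0x...." so $1=index, $2=":", $3=value.
changed_pcrs() {
  awk '
    FNR == NR { if ($2 == ":") before[$1] = $3; next }
    $2 == ":" && ($1 in before) && before[$1] != $3 { print $1 }
  ' "$1" "$2"
}

# bound_pcr_changed "CHANGED" "PCR_IDS": succeed (0) if any id from the
# comma-separated policy list appears in the whitespace-separated changed list.
bound_pcr_changed() {
  local changed="$1" bound="$2" b c
  for b in $(printf '%s' "$bound" | tr ',' ' '); do
    for c in $changed; do
      [ "$c" = "$b" ] && return 0
    done
  done
  return 1
}

# Constructed sample: PCR 0 (firmware code) changed after a UEFI update,
# PCR 4 (boot manager) and PCR 7 (Secure Boot policy) did not.
WORK=$(mktemp -d)
cat > "$WORK/pcrs-before.txt" <<'EOF'
sha256:
  0 : 0x1111111111111111111111111111111111111111111111111111111111111111
  4 : 0x4444444444444444444444444444444444444444444444444444444444444444
  7 : 0x7777777777777777777777777777777777777777777777777777777777777777
EOF
cat > "$WORK/pcrs-after.txt" <<'EOF'
sha256:
  0 : 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  4 : 0x4444444444444444444444444444444444444444444444444444444444444444
  7 : 0x7777777777777777777777777777777777777777777777777777777777777777
EOF

# Live use: `tpm2_pcrread sha256 > pcrs-after.txt` after the update and
# compare with a copy saved before it. "0,7" stands in for the PCR ids
# configured in install.sh.
CHANGED=$(changed_pcrs "$WORK/pcrs-before.txt" "$WORK/pcrs-after.txt")
if bound_pcr_changed "$CHANGED" "0,7"; then
  echo "bound PCR(s) changed ($CHANGED): run /root/update-tpm-bindings.py before rebooting"
else
  echo "bound PCRs unchanged; TPM binding still valid"
fi
```

Keeping a dated copy of `tpm2_pcrread sha256` on the host is the cheap part; the useful habit is to run this check after every firmware or bootloader update and before the reboot, while the SSH/dropbear fallback is not yet needed.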

Setup

  1. Configure Installer

    # Edit the variables at the top of install.sh:
    vim install.sh
    

    Set your:

    • Tang server URLs and thumbprints
    • TPM PCR settings
    • Fedora version
    • SSH public key for the default user
  2. Install on Hetzner Server

  • Log into Hetzner Robot
  • Select your server
  • Go to "Rescue" tab
  • Choose "Linux" and "64 bit"
  • Activate Rescue System
  • Upload the installer:
    scp install.sh root@your-server:/root/
    
  • SSH into Rescue System:
    ssh root@your-server
    
  • Make it executable and run:
    chmod +x install.sh
    ./install.sh
    
  • If the script tells you that no TPM is available, you'll need to open a support ticket to get KVM access and enable TPM in the BIOS.
  • The script will:
    • Generate and display a LUKS passphrase (save this!)
    • Download and prepare the Fedora installer
    • Configure networking for Hetzner's unusual setup
    • Start the Fedora installer
  • You can monitor the installation via SSH on port 2222:
    ssh -p 2222 root@your-server
    
  • During the Fedora installation:
    • Disk encryption and RAID will be configured
    • TPM and Tang bindings will be set up
    • Network configuration will be applied
  3. Verify Installation
    ssh null@your-server
    systemctl status clevis-luks-askpass
    lsblk
    btrfs filesystem show  # Check RAID1 status
    clevis-luks-list -d /dev/sda3  # Note: sda3 is the LUKS partition
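The manual checks in step 3 can be turned into pass/fail functions so a post-install run (or a later audit) fails loudly instead of relying on eyeballing `btrfs` and `clevis` output. This is an added example and not part of nullpoint; each function takes the output of one command as its argument, so the constructed samples below stand in for real `btrfs filesystem df /`, `clevis luks list -d /dev/sda3` and `findmnt -no OPTIONS <db-subvolume>` output (the database subvolume path is not given in the README and is left as a placeholder):

```shell
#!/bin/bash
# Added example (not part of nullpoint): post-install checks for the RAID1
# profile, the Clevis binding and the database subvolume mount options.
# Each function takes command output as $1; the samples are constructed.

# raid1_ok "$(btrfs filesystem df /)": Data, Metadata and System must all
# use the RAID1 profile. GlobalReserve is always 'single' and is ignored.
raid1_ok() {
  printf '%s\n' "$1" | awk '
    /^(Data|Metadata|System),/ { n++; if ($2 != "RAID1:") bad++ }
    END { if (n == 3 && bad == 0) exit 0; exit 1 }
  '
}

# clevis_slot_bound "$(clevis luks list -d /dev/sda3)": at least one LUKS
# keyslot must carry an sss policy (the TPM2 + Tang combination).
clevis_slot_bound() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]+: sss '
}

# db_mount_ok "$(findmnt -no OPTIONS /path/to/db)": the database subvolume
# must be mounted with both nodatacow and noatime.
db_mount_ok() {
  case ",$1," in *,nodatacow,*) ;; *) return 1 ;; esac
  case ",$1," in *,noatime,*)   ;; *) return 1 ;; esac
  return 0
}

# Constructed sample outputs of a correctly installed system.
DF_SAMPLE='Data, RAID1: total=100.00GiB, used=10.00GiB
System, RAID1: total=32.00MiB, used=16.00KiB
Metadata, RAID1: total=2.00GiB, used=500.00MiB
GlobalReserve, single: total=512.00MiB, used=0.00B'
LIST_SAMPLE=$(cat <<'EOF'
1: sss '{"t":2,"pins":{"tang":[{"url":"https://tang.example.org"}],"tpm2":{"pcr_bank":"sha256","pcr_ids":"0,7"}}}'
EOF
)
OPTS_SAMPLE='rw,noatime,compress=zstd:1,nodatacow,space_cache=v2,subvol=/db'

# run_checks DF LIST OPTS: print one line per check, succeed only if all pass.
run_checks() {
  local rc=0
  raid1_ok "$1"           && echo "PASS raid1 profile"   || { echo "FAIL raid1 profile";   rc=1; }
  clevis_slot_bound "$2"  && echo "PASS clevis sss slot" || { echo "FAIL clevis sss slot"; rc=1; }
  db_mount_ok "$3"        && echo "PASS db mount opts"   || { echo "FAIL db mount opts";   rc=1; }
  return $rc
}

# Live use on the installed host (DB_PATH is a placeholder for the
# database subvolume mount point):
#   run_checks "$(btrfs filesystem df /)" \
#              "$(clevis luks list -d /dev/sda3)" \
#              "$(findmnt -no OPTIONS "$DB_PATH")"
run_checks "$DF_SAMPLE" "$LIST_SAMPLE" "$OPTS_SAMPLE"
```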