Upd README
parent 35571c4c44
commit e2309551c3

README.md (46 lines changed)
@ -9,7 +9,7 @@ Secure AlmaLinux Server setup with LUKS encryption, TPM, and mdadm RAID1 for Het
## Features

- AlmaLinux Server base
- Full disk encryption with LUKS (native Hetzner support)
- Full disk encryption with LUKS
- Remote unlock via Tang server
- TPM-based boot verification
- mdadm RAID1 + XFS (RHEL standard)
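Review bot: with "(native Hetzner support)" dropped from the LUKS bullet here, and the "What Gets Installed" section removed in the last hunk, nothing left in the README states that the LUKS container is created by Hetzner's installimage from install.conf while post-install.sh only adds the Clevis and dropbear unlock paths. Keep that split visible in the feature list, e.g. "- Full disk encryption with LUKS (created by installimage, unlocked via Clevis)", since it tells the reader where the passphrase is set and which script to audit for key handling.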
@ -19,29 +19,17 @@ Secure AlmaLinux Server setup with LUKS encryption, TPM, and mdadm RAID1 for Het

If you need a dead man's switch to go along with it check out [raven](https://git.dominik-roth.eu/dodox/raven).

## Security Model
## Unlock Strategy

### Unlock Methods
The system uses multiple methods to unlock the LUKS volumes:
1. **Primary Method**: TPM2 + Tang server
- TPM2 verifies boot integrity
- Tang server provides remote unlock capability
- Both must succeed for automatic unlock
2. **Fallback Method**: Manual passphrase
- Available via SSH before LUKS unlock
- Uses dropbear for early SSH access
- Can be used for recovery or maintenance

### Unlock Strategy
The system supports multiple unlock methods:
1. **Manual unlock via SSH** (default):
- SSH to server on port 22 (dropbear in early boot)
- Enter LUKS passphrase when prompted (twice, once per disk)
- System continues normal boot
2. **Automatic unlock** (optional):
1. **Automatic unlock via Tang/TPM** (default):
- Configure TPM2 and/or Tang servers in post-install.sh
- System unlocks automatically if conditions are met
- Falls back to manual unlock if automatic fails
- No manual intervention required

2. **Manual unlock via SSH** (fallback):
- SSH to server on port 22 (dropbear in early boot)
- Enter LUKS passphrase when prompted (twice, once per disk)
- Used when automatic unlock fails or is not configured

## Quick Install

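Review bot: the removed line "Both must succeed for automatic unlock" was the only statement of the unlock policy, and its replacement "Configure TPM2 and/or Tang servers in post-install.sh" leaves open whether one factor alone is enough. That matters: a TPM2-only binding unseals on any normal boot of the original machine, whoever powered it on, and a Tang-only binding unseals for anyone holding a copy of the disks who can reach the Tang server. State the policy under the automatic-unlock item, for example "TPM2 PCR binding and the Tang server must both be satisfied (Clevis sss pin, t=2)", or say plainly that either alone is accepted. Two smaller points in the same hunk: "TPM2 verifies boot integrity" is removed while the feature list still advertises "TPM-based boot verification", but what a PCR-sealed LUKS key gives is an unseal that fails on a changed boot path and then drops to the passphrase prompt, not a boot that is refused; and "SSH to server on port 22 (dropbear in early boot)" puts dropbear on the same port the regular sshd uses after unlock, so clients see two different host keys for one address, which trains users to accept host-key warnings. A dedicated early-boot port avoids that.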
@ -84,22 +72,6 @@ If you prefer to configure manually:
installimage -a -c install.conf -s post-install.sh
```

## What Gets Installed

Hetzner installimage will:
- Set up mdadm RAID1 across both drives
- Create LUKS encryption with your passphrase
- Install AlmaLinux with XFS filesystem
- Single root partition (no LVM complexity)

post-install.sh will configure:
- User account with SSH key and zsh shell
- oh-my-zsh with powerlevel10k theme
- Dotfiles (zsh, tmux, p10k configs)
- Clevis for TPM/Tang unlock (if configured)
- Dropbear for remote unlock
- Modern CLI tools (lsd, bat, neovim)
- Security hardening (SELinux, SSH)

## Post-Installation

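Review bot: removing the whole "What Gets Installed" section also removes the only lines that name the mechanisms behind the unlock methods described in the previous hunk, "Clevis for TPM/Tang unlock (if configured)" and "Security hardening (SELinux, SSH)", and the only statement of who creates the LUKS container, "Create LUKS encryption with your passphrase" under "Hetzner installimage will:". After this hunk a reader cannot tell from the README that automatic unlock is Clevis, or whether SELinux stays enforcing. If the section is being moved rather than dropped, the commit message "Upd README" should say where; otherwise keep at least those three bullets under the "## Security Model" heading introduced in the previous hunk.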