From e2309551c304709848fe6c5cf67c4571b628c162 Mon Sep 17 00:00:00 2001 From: Dominik Roth Date: Sat, 26 Jul 2025 21:50:17 +0200 Subject: [PATCH] Upd README --- README.md | 46 +++++++++------------------------------------- 1 file changed, 9 insertions(+), 37 deletions(-) diff --git a/README.md b/README.md index 02fb8c7..3e58933 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ Secure AlmaLinux Server setup with LUKS encryption, TPM, and mdadm RAID1 for Het ## Features - AlmaLinux Server base -- Full disk encryption with LUKS (native Hetzner support) +- Full disk encryption with LUKS - Remote unlock via Tang server - TPM-based boot verification - mdadm RAID1 + XFS (RHEL standard) 
@@ -19,29 +19,17 @@ Secure AlmaLinux Server setup with LUKS encryption, TPM, and mdadm RAID1 for Het If you need a dead man's switch to go along with it check out [raven](https://git.dominik-roth.eu/dodox/raven). -## Security Model +## Unlock Strategy -### Unlock Methods -The system uses multiple methods to unlock the LUKS volumes: -1. **Primary Method**: TPM2 + Tang server - - TPM2 verifies boot integrity - - Tang server provides remote unlock capability - - Both must succeed for automatic unlock -2. **Fallback Method**: Manual passphrase - - Available via SSH before LUKS unlock - - Uses dropbear for early SSH access - - Can be used for recovery or maintenance - -### Unlock Strategy -The system supports multiple unlock methods: -1. **Manual unlock via SSH** (default): - - SSH to server on port 22 (dropbear in early boot) - - Enter LUKS passphrase when prompted (twice, once per disk) - - System continues normal boot -2. **Automatic unlock** (optional): +1. **Automatic unlock via Tang/TPM** (default): - Configure TPM2 and/or Tang servers in post-install.sh - System unlocks automatically if conditions are met - - Falls back to manual unlock if automatic fails + - No manual intervention required + +2. **Manual unlock via SSH** (fallback): + - SSH to server on port 22 (dropbear in early boot) + - Enter LUKS passphrase when prompted (twice, once per disk) + - Used when automatic unlock fails or is not configured ## Quick Install 
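Review bot: the new item 1 drops the unlock policy the removed text stated ("Both must succeed for automatic unlock") and replaces it with "Configure TPM2 and/or Tang servers" plus "System unlocks automatically if conditions are met", which no longer tells a reader whether TPM2 and Tang are both required or whether either one alone opens the volumes; since that decides what an unattended boot actually proves, state the binding explicitly, for example "Automatic unlock requires both a valid TPM2 boot measurement and a reachable Tang server", or, if post-install.sh permits a single pin, say so and name the trade-off. Also, labelling automatic unlock "(default)" conflicts with item 2 ("Used when automatic unlock fails or is not configured") and with the instruction to configure it in post-install.sh; the removed text called it "(optional)", so either keep "(optional)" or write "(default once configured)".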
@@ -84,22 +72,6 @@ If you prefer to configure manually: installimage -a -c install.conf -s post-install.sh ``` -## What Gets Installed - -Hetzner installimage will: -- Set up mdadm RAID1 across both drives -- Create LUKS encryption with your passphrase -- Install AlmaLinux with XFS filesystem -- Single root partition (no LVM complexity) - -post-install.sh will configure: -- User account with SSH key and zsh shell -- oh-my-zsh with powerlevel10k theme -- Dotfiles (zsh, tmux, p10k configs) -- Clevis for TPM/Tang unlock (if configured) -- Dropbear for remote unlock -- Modern CLI tools (lsd, bat, neovim) -- Security hardening (SELinux, SSH) ## Post-Installation
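Review bot: removing the whole "What Gets Installed" section takes out the only place the README says that post-install.sh sets up Clevis for TPM/Tang unlock, installs Dropbear for remote unlock and applies SELinux and SSH hardening, and the commit message ("Upd README") gives no reason for dropping it; a reader assessing the trust boundary of this setup now has to read post-install.sh to learn what it changes. Suggest keeping at least the security-relevant items, e.g. "- Clevis for TPM/Tang unlock (if configured)", "- Dropbear for remote unlock", "- Security hardening (SELinux, SSH)", either here or under "## Post-Installation".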