From ec6cdedeecdaeb69675a952346ea9db771f83acb Mon Sep 17 00:00:00 2001 From: Dominik Roth Date: Tue, 13 May 2025 18:11:50 +0200 Subject: [PATCH] Upd README --- README.md | 64 +++---------------------------------------------------- 1 file changed, 3 insertions(+), 61 deletions(-) diff --git a/README.md b/README.md index 94e0193..3bdb98c 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,8 @@ Secure Fedora Server setup with LUKS encryption, TPM, and BTRFS RAID1 with focus - Full disk encryption with LUKS - Remote unlock via Tang server - TPM-based boot verification -- BTRFS RAID1 storage with optimized subvolumes +- BTRFS RAID1 for data redundancy +- Dedicated database subvolume with `nodatacow` and `noatime` - Automated deployment to Hetzner - Kickstart-based automated installation @@ -30,19 +31,6 @@ The system uses multiple methods to unlock the LUKS volumes: - Available via SSH if primary method fails - Can be used for recovery or maintenance -### TPM Integration -- TPM2 chip verifies boot integrity -- PCR measurements ensure system hasn't been tampered with -- Combined with Tang for defense in depth -- Monitors all critical boot components - -### Storage Security -- BTRFS RAID1 for data redundancy -- Dedicated database subvolume with `nodatacow` and `noatime` -- LUKS2 encryption with multiple unlock methods -- Secure boot enabled by default -- Redundant boot partition using BTRFS RAID1 - ### TPM Updates After firmware updates (UEFI/BIOS), the TPM bindings need to be updated: (otherwise the system will not be able to boot without recovery phrase) 
@@ -106,50 +94,4 @@ hcloud ssh-key create --name "fedora-server-hetzner" --public-key "$(cat ~/.ssh/ systemctl status clevis-luks-askpass lsblk clevis-luks-list -d /dev/sda2 - ``` - -## Installation Process - -The installation is fully automated using Fedora's kickstart system: - -1. **Partitioning**: - - Boot partitions (1GB each) on both drives - - Main partitions using remaining space - - All partitions use BTRFS - -2. **Storage Setup**: - - RAID1 for boot partitions - - LUKS2 encryption for data partitions - - BTRFS RAID1 for data with optimized subvolumes - -3. **Security Setup**: - - TPM binding during installation - - Tang server integration - - Secure boot configuration - -4. **Post-Installation**: - - Automatic service configuration - - TPM update script installation - - System optimization - -## Troubleshooting - -### Installation Issues -- Check installation logs at `/root/postinstall.log` -- Press Alt+F3 during installation to view real-time logs -- Press Alt+F1 to return to main installation screen - -### Boot Issues -1. If TPM unlock fails: - - Use the manual passphrase from `/root/luks-passphrase.txt` - - Run `/root/update-tpm-bindings.sh` if firmware was updated - -2. If Tang server is unreachable: - - Check network connectivity - - Verify Tang server is running - - Use manual passphrase as fallback - -### Storage Issues -- Check RAID status: `cat /proc/mdstat` -- Check BTRFS status: `btrfs filesystem show` -- Verify LUKS status: `cryptsetup status` \ No newline at end of file + ``` \ No newline at end of file
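Review bot: In the first hunk (@@ -14,7 +14,8 @@) the feature list keeps `- TPM-based boot verification` but the two bullets moved up from Storage Security (`BTRFS RAID1 for data redundancy`, `Dedicated database subvolume with \`nodatacow\` and \`noatime\``) leave the other Storage Security claims with no home in the README: `LUKS2 encryption with multiple unlock methods`, `Secure boot enabled by default` and `Redundant boot partition using BTRFS RAID1` are dropped rather than moved. If those are still true of the deployment, carry them into the feature list as well; if they are no longer true, say so in the commit message, since a reader comparing versions cannot tell cleanup from a change in the actual setup.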
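Review bot: In the second hunk (@@ -30,19 +31,6 @@) removing the whole `### TPM Integration` section leaves the following `### TPM Updates` text ("the TPM bindings need to be updated: (otherwise the system will not be able to boot without recovery phrase)") referring to bindings and PCR measurements the README no longer introduces anywhere. Keep at least the line stating that boot integrity is measured into PCRs and that the LUKS key is bound to them, either as a single bullet above TPM Updates or folded into its first sentence, so the operator understands why a firmware update changes the unlock behaviour and what the "recovery phrase" is a fallback for.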
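Review bot: In the third hunk (@@ -106,50 +94,4 @@) the deleted `### Boot Issues` list held the only mention of the recovery paths that the surviving TPM Updates section depends on: `Use the manual passphrase from \`/root/luks-passphrase.txt\`` and `Run \`/root/update-tpm-bindings.sh\` if firmware was updated`. After this change the README tells the operator that the system will not boot without the recovery phrase but no longer says where that phrase is stored or which script re-seals the TPM binding; keep those two lines (and the Tang fallback bullet) near the `clevis-luks-list -d /dev/sda2` verification commands. Dropping `Check RAID status: \`cat /proc/mdstat\`` is fine on its own, since the setup uses BTRFS RAID1 rather than md devices and that command would never show the array, but `btrfs filesystem show` and `cryptsetup status` were correct and are worth retaining. The hunk also still ends with `\ No newline at end of file`; add the trailing newline while touching the closing fence.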