Upd README
parent 75bcdaa8db
commit ec6cdedeec
README.md (62 changed lines)
@ -14,7 +14,8 @@ Secure Fedora Server setup with LUKS encryption, TPM, and BTRFS RAID1 with focus
|
|||||||
- Full disk encryption with LUKS
|
- Full disk encryption with LUKS
|
||||||
- Remote unlock via Tang server
|
- Remote unlock via Tang server
|
||||||
- TPM-based boot verification
|
- TPM-based boot verification
|
||||||
- BTRFS RAID1 storage with optimized subvolumes
|
- BTRFS RAID1 for data redundancy
|
||||||
|
- Dedicated database subvolume with `nodatacow` and `noatime`
|
||||||
- Automated deployment to Hetzner
|
- Automated deployment to Hetzner
|
||||||
- Kickstart-based automated installation
|
- Kickstart-based automated installation
|
||||||
|
|
||||||
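Review bot: the new bullet `- Dedicated database subvolume with `nodatacow` and `noatime`` should state the cost of that flag, because `nodatacow` disables BTRFS data checksums (and compression) for the affected extents, so the RAID1 redundancy advertised in the bullet directly above can no longer detect or self-heal silent corruption under the database and `btrfs scrub` will not verify that data; one sentence naming that trade-off is enough. It should also say how the flag is applied: `nodatacow` as a mount option is filesystem-wide, not per-subvolume, so if the intent is a single subvolume the README should say it is set with `chattr +C` on the still-empty subvolume directory before data is written. Minor: `- Full disk encryption with LUKS` is partition-level here, since the later text describes unencrypted BTRFS RAID1 boot partitions; "LUKS2 encryption for data partitions" would be accurate.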
@ -30,19 +31,6 @@ The system uses multiple methods to unlock the LUKS volumes:
|
|||||||
- Available via SSH if primary method fails
|
- Available via SSH if primary method fails
|
||||||
- Can be used for recovery or maintenance
|
- Can be used for recovery or maintenance
|
||||||
|
|
||||||
### TPM Integration
|
|
||||||
- TPM2 chip verifies boot integrity
|
|
||||||
- PCR measurements ensure system hasn't been tampered with
|
|
||||||
- Combined with Tang for defense in depth
|
|
||||||
- Monitors all critical boot components
|
|
||||||
|
|
||||||
### Storage Security
|
|
||||||
- BTRFS RAID1 for data redundancy
|
|
||||||
- Dedicated database subvolume with `nodatacow` and `noatime`
|
|
||||||
- LUKS2 encryption with multiple unlock methods
|
|
||||||
- Secure boot enabled by default
|
|
||||||
- Redundant boot partition using BTRFS RAID1
|
|
||||||
|
|
||||||
### TPM Updates
|
### TPM Updates
|
||||||
After firmware updates (UEFI/BIOS), the TPM bindings need to be updated:
|
After firmware updates (UEFI/BIOS), the TPM bindings need to be updated:
|
||||||
(otherwise the system will not be able to boot without recovery phrase)
|
(otherwise the system will not be able to boot without recovery phrase)
|
||||||
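Review bot: deleting `### TPM Integration` removes the only explanation of why the `### TPM Updates` section that survives right below it exists; the remaining text says the bindings must be refreshed after a firmware update but no longer says that the tpm2 binding is sealed to PCR values which a firmware update changes. Suggest folding `- PCR measurements ensure system hasn't been tampered with` into TPM Updates instead of dropping it, ideally with the actual PCR list used, since sealing to PCR 7 only versus PCR 0-7 decides which updates break unattended boot. The deletion of `### Storage Security` also drops the only statements that Secure Boot is enabled and that the boot partition is RAID1; if those remain true they belong in the feature list of the first hunk. Separately, the surviving context `The system uses multiple methods to unlock the LUKS volumes` together with the removed `- Combined with Tang for defense in depth` leaves it unclear whether tpm2 and tang are alternative pins (either one unlocks, which is an availability property, not defense in depth) or a clevis `sss` threshold that requires both; the README should say which.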
@ -107,49 +95,3 @@ hcloud ssh-key create --name "fedora-server-hetzner" --public-key "$(cat ~/.ssh/
|
|||||||
lsblk
|
lsblk
|
||||||
clevis-luks-list -d /dev/sda2
|
clevis-luks-list -d /dev/sda2
|
||||||
```
|
```
|
||||||
|
|
||||||
## Installation Process
|
|
||||||
|
|
||||||
The installation is fully automated using Fedora's kickstart system:
|
|
||||||
|
|
||||||
1. **Partitioning**:
|
|
||||||
- Boot partitions (1GB each) on both drives
|
|
||||||
- Main partitions using remaining space
|
|
||||||
- All partitions use BTRFS
|
|
||||||
|
|
||||||
2. **Storage Setup**:
|
|
||||||
- RAID1 for boot partitions
|
|
||||||
- LUKS2 encryption for data partitions
|
|
||||||
- BTRFS RAID1 for data with optimized subvolumes
|
|
||||||
|
|
||||||
3. **Security Setup**:
|
|
||||||
- TPM binding during installation
|
|
||||||
- Tang server integration
|
|
||||||
- Secure boot configuration
|
|
||||||
|
|
||||||
4. **Post-Installation**:
|
|
||||||
- Automatic service configuration
|
|
||||||
- TPM update script installation
|
|
||||||
- System optimization
|
|
||||||
|
|
||||||
## Troubleshooting
|
|
||||||
|
|
||||||
### Installation Issues
|
|
||||||
- Check installation logs at `/root/postinstall.log`
|
|
||||||
- Press Alt+F3 during installation to view real-time logs
|
|
||||||
- Press Alt+F1 to return to main installation screen
|
|
||||||
|
|
||||||
### Boot Issues
|
|
||||||
1. If TPM unlock fails:
|
|
||||||
- Use the manual passphrase from `/root/luks-passphrase.txt`
|
|
||||||
- Run `/root/update-tpm-bindings.sh` if firmware was updated
|
|
||||||
|
|
||||||
2. If Tang server is unreachable:
|
|
||||||
- Check network connectivity
|
|
||||||
- Verify Tang server is running
|
|
||||||
- Use manual passphrase as fallback
|
|
||||||
|
|
||||||
### Storage Issues
|
|
||||||
- Check RAID status: `cat /proc/mdstat`
|
|
||||||
- Check BTRFS status: `btrfs filesystem show`
|
|
||||||
- Verify LUKS status: `cryptsetup status`
|
|
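Review bot: with `## Troubleshooting` removed, the README no longer names `/root/update-tpm-bindings.sh`, yet the surviving `### TPM Updates` section in the previous hunk still tells the reader the bindings must be refreshed after a firmware update; keep at least `- Run `/root/update-tpm-bindings.sh` if firmware was updated` next to that section, alongside the `clevis-luks-list -d /dev/sda2` check that stays above, so the procedure remains actionable. Dropping `- Check RAID status: `cat /proc/mdstat`` is correct rather than a loss: this layout uses BTRFS RAID1, not md, so `/proc/mdstat` would show nothing; `btrfs filesystem show` and `btrfs device stats` are the right checks. If the boot-recovery guidance is re-added elsewhere, note that a passphrase stored at `/root/luks-passphrase.txt` sits on the encrypted root filesystem and cannot be read while the volume is still locked, so it only helps if a copy is kept off the box.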