Secure Fedora Server setup with LUKS encryption, TPM, and BTRFS RAID1 for (Hetzner) Dedicated Servers.
nullpoint


Secure Fedora Server setup with LUKS encryption, TPM, and BTRFS RAID1 for Hetzner Dedicated Servers.

Features

  • Fedora Server base
  • Full disk encryption with LUKS
  • Remote unlock via Tang server
  • TPM-based boot verification
  • BTRFS RAID1 for data redundancy
  • Dedicated database subvolume with nodatacow and noatime
  • SSH key-only access with early boot SSH via dropbear

If you need a dead man's switch to go along with it, check out raven.

Security Model

Unlock Methods

The system uses multiple methods to unlock the LUKS volumes:

  1. Primary Method: TPM2 + Tang server
    • TPM2 verifies boot integrity
    • Tang server provides remote unlock capability
    • Both must succeed for automatic unlock
  2. Fallback Method: Manual passphrase
    • Available via SSH before LUKS unlock
    • Uses dropbear for early SSH access
    • Can be used for recovery or maintenance

TPM Updates

After firmware updates (UEFI/BIOS), the TPM bindings need to be updated; otherwise the system will not be able to boot without the recovery passphrase:

  1. Use the provided script: sudo /root/update-tpm-bindings.py
  2. The script will:
    • Show current PCR values
    • Update TPM bindings to match new measurements
    • Verify all bindings are correct
  3. Manual passphrase is available in /root/luks-passphrase.txt if needed
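
As an added example (not code from the nullpoint repo), this POSIX shell snippet builds the clevis SSS policy behind "both must succeed" from the Unlock Methods section and audits `clevis luks list` output to find the slot whose TPM2 policy must be rebound after the firmware update described above; the Tang URL, thumbprint and PCR list are assumed values.

```shell
# Added example, not part of the nullpoint repo. Hypothetical values: Tang URL,
# thumbprint, PCR list. Builds the clevis SSS policy where a TPM2 pin AND a Tang
# pin must both succeed (t=2), and audits a LUKS device's reported bindings.

# Emit the clevis SSS config for "TPM2 AND Tang" (threshold 2 of 2 pins).
# $1 = Tang URL, $2 = Tang advertisement thumbprint, $3 = PCR ids, e.g. "0,7"
build_sss_config() {
    printf '{"t":2,"pins":{"tang":[{"url":"%s","thp":"%s"}],"tpm2":[{"pcr_ids":"%s"}]}}' \
        "$1" "$2" "$3"
}

# Check one line of `clevis luks list -d <dev>` output, which has the form
#   <slot>: <pin> '<json config>'
# Succeeds only for an sss binding with t=2 carrying a tang pin and a tpm2 pin
# on the expected PCR set ($2); t=1 would let either pin unlock alone.
check_sss_line() {
    line=$1; want_pcrs=$2
    case "$line" in
        *": sss '"*) ;;
        *) return 1 ;;
    esac
    printf '%s' "$line" | grep -q '"t":2'                                  || return 1
    printf '%s' "$line" | grep -q '"tang":\['                              || return 1
    printf '%s' "$line" | grep -q "\"tpm2\":\[{\"pcr_ids\":\"$want_pcrs\"" || return 1
}

# Print the slot number of the first compliant sss binding in a listing read
# from stdin, or fail. After a UEFI update this is the slot whose TPM2 policy
# has to be regenerated (manually: clevis luks regen -d /dev/sda3 -s <slot>).
find_sss_slot() {
    while IFS= read -r line; do
        if check_sss_line "$line" "$1"; then
            printf '%s\n' "${line%%:*}"
            return 0
        fi
    done
    return 1
}

# Constructed sample of `clevis luks list -d /dev/sda3` output.
sample_listing() {
    cat <<'EOF'
0: tang '{"url":"http://tang1.example"}'
1: sss '{"t":2,"pins":{"tang":[{"url":"http://tang1.example","thp":"AbCdEf"}],"tpm2":[{"pcr_ids":"7"}]}}'
EOF
}

build_sss_config http://tang1.example AbCdEf 7; echo
sample_listing | find_sss_slot 7   # prints 1
```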

Setup

  1. Configure Installer

    # Edit the variables at the top of install.sh:
    vim install.sh
    

    Set your:

    • Tang server URLs and thumbprints
    • TPM PCR settings
    • Fedora version
    • SSH public key for the default user
  2. Install on Hetzner Server

    • Log into Hetzner Robot
    • Select your server
    • Go to "Rescue" tab
    • Choose "Linux" and "64 bit"
    • Activate Rescue System
    • Upload the installer:
      scp install.sh root@your-server:/root/
      
    • SSH into Rescue System:
      ssh root@your-server
      
    • Make it executable and run:
      chmod +x install.sh
      ./install.sh
      
    • If the script tells you that no TPM is available, you'll need to open a support ticket to get KVM access and enable TPM in the BIOS.
    • The script will:
      • Generate and display a LUKS passphrase (save this!)
      • Download and prepare the Fedora installer
      • Configure networking for Hetzner's unusual setup
      • Start the Fedora installer
    • You can monitor the installation via SSH on port 2222:
      ssh -p 2222 root@your-server
      
    • During the Fedora installation:
      • Disk encryption and RAID will be configured
      • TPM and Tang bindings will be set up
      • Network configuration will be applied
  3. Verify Installation

    ssh null@your-server
    systemctl status clevis-luks-askpass
    lsblk
    btrfs filesystem show  # Check RAID1 status
    clevis-luks-list -d /dev/sda3  # Note: sda3 is the LUKS partition