dodox/nullpoint
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Secure Fedora Server setup with LUKS encryption, TPM, and BTRFS RAID1 for (Hetzner) Dedicated Servers.
19 Commits 2 Branches 0 Tags 145 KiB
Shell 100%
6f98289af0
Go to file
Dominik Roth 6f98289af0 dont null whole disk
2025-05-18 18:39:15 +02:00
.gitignore rewrote everything 2025-05-18 18:31:20 +02:00
icon.svg fixed the iucon 2025-05-18 16:09:51 +02:00
install.sh dont null whole disk 2025-05-18 18:39:15 +02:00
MASTER_README.md check out raven 2025-05-13 21:23:55 +02:00
README.md Upd README 2025-05-18 18:32:27 +02:00

README.md

nullpoint


Secure Fedora Server setup with LUKS encryption, TPM, and BTRFS RAID1 for Hetzner Dedicated Servers.

Features

  • Fedora Server base
  • Full disk encryption with LUKS
  • Remote unlock via Tang server
  • TPM-based boot verification
  • BTRFS RAID1 for data redundancy
  • Dedicated database subvolume with nodatacow and noatime
  • Enhanced shell environment with zsh, Oh My Zsh, Powerlevel10k, and an amazing custom theme
  • SSH key-only access with early boot SSH via dropbear

If you need a dead man's switch to go along with it check out raven.

Security Model

Unlock Methods

The system uses multiple methods to unlock the LUKS volumes:

  1. Primary Method: TPM2 + Tang server
    • TPM2 verifies boot integrity
    • Tang server provides remote unlock capability
    • Both must succeed for automatic unlock
  2. Fallback Method: Manual passphrase
    • Available via SSH before LUKS unlock
    • Uses dropbear for early SSH access
    • Can be used for recovery or maintenance

TPM Updates

After firmware updates (UEFI/BIOS), the TPM bindings need to be updated: (otherwise the system will not be able to boot without recovery phrase)

  1. Use the provided script: sudo /root/update-tpm-bindings.py
  2. The script will:
    • Show current PCR values
    • Update TPM bindings to match new measurements
    • Verify all bindings are correct
  3. Manual passphrase is available in /root/luks-passphrase.txt if needed

Setup

  1. Configure Installer

    # Edit the variables at the top of install.sh:
vim install.sh

    Set your:

    • Tang server URLs and thumbprints
    • TPM PCR settings
    • Fedora version
    • SSH public key for the default user

  2. Install on Hetzner Server

    • Log into Hetzner Robot
    • Select your server
    • Go to "Rescue" tab
    • Choose "Linux" and "64 bit"
    • Activate Rescue System
    • Upload the installer: 
      scp install.sh root@your-server:/root/
    • SSH into Rescue System: 
      ssh root@your-server
  • Make it executable and run: 
    chmod +x install.sh
./install.sh
  • Wait for installation to complete
  • Reboot the server
  1. Verify Installation 
    ssh root@your-server
systemctl status clevis-luks-askpass
lsblk
btrfs filesystem show  # Check RAID1 status
clevis-luks-list -d /dev/sda2

Recovery

If you need to recover the system:

  1. Using Rescue System

    • Boot into Rescue System
    • Mount the encrypted volumes: 
      cryptsetup luksOpen /dev/sda2 root_a
cryptsetup luksOpen /dev/sdb2 root_b
mount /dev/mapper/root_a /mnt
    • Access your data at /mnt

  2. Using Tang Server

    • Ensure your Tang server is accessible
    • The system should automatically unlock if TPM measurements match

  3. Using Manual Passphrase

    • Connect via SSH during early boot (dropbear)
    • Enter the LUKS passphrase when prompted
    • The passphrase is stored in /root/luks-passphrase.txt on the installed system