dodox/nullpoint
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
fbc558877c
nullpoint/README.md
Dominik Roth fbc558877c Upd README
2025-05-19 17:07:20 +02:00

3.1 KiB
Raw Blame History

nullpoint


Secure Fedora Server setup with LUKS encryption, TPM, and BTRFS RAID1 for (Hetzner) Dedicated Servers.

Note

This project is still WIP, having some issues with networking of the installeer / installed instance.

Features

  • Fedora Server base
  • Full disk encryption with LUKS
  • Remote unlock via Tang server
  • TPM-based boot verification
  • BTRFS RAID1 for data redundancy
  • Dedicated database subvolume with nodatacow and noatime
  • SSH key-only access with early boot SSH via dropbear

If you need a dead man's switch to go along with it check out raven.

Security Model

Unlock Methods

The system uses multiple methods to unlock the LUKS volumes:

  1. Primary Method: TPM2 + Tang server
    • TPM2 verifies boot integrity
    • Tang server provides remote unlock capability
    • Both must succeed for automatic unlock
  2. Fallback Method: Manual passphrase
    • Available via SSH before LUKS unlock
    • Uses dropbear for early SSH access
    • Can be used for recovery or maintenance

TPM Updates

After firmware updates (UEFI/BIOS), the TPM bindings need to be updated: (otherwise the system will not be able to boot without recovery phrase)

  1. Use the provided script: sudo /root/update-tpm-bindings.py
  2. The script will:
    • Show current PCR values
    • Update TPM bindings to match new measurements
    • Verify all bindings are correct
  3. Manual passphrase is available in /root/luks-passphrase.txt if needed

Setup

  1. Configure Installer

    # Edit the variables at the top of install.sh:
vim install.sh

    Set your:

    • Tang server URLs and thumbprints
    • TPM PCR settings
    • Fedora version
    • SSH public key for the default user

  2. Install on Hetzner Server

  • Log into Hetzner Robot
  • Select your server
  • Go to "Rescue" tab
  • Choose "Linux" and "64 bit"
  • Activate Rescue System
  • Upload the installer: 
    scp install.sh root@your-server:/root/
  • SSH into Rescue System: 
    ssh root@your-server
  • Make it executable and run: 
    chmod +x install.sh
./install.sh
  • If the script tells you that no TPM is available, you'll need to make a support ticket to get KVM access and enable TPM in the BIOS.
  • The script will:
    • Generate and display a LUKS passphrase (save this!)
    • Download and prepare the Fedora installer
    • Configure networking for Hetzner's unusual setup
    • Start the Fedora installer
  • You can monitor the installation via SSH on port 2222: 
    ssh -p 2222 root@your-server
  • During the Fedora installation:
    • Disk encryption and RAID will be configured
    • TPM and Tang bindings will be set up
    • Network configuration will be applied
  1. Verify Installation 
    ssh null@your-server
systemctl status clevis-luks-askpass
lsblk
btrfs filesystem show  # Check RAID1 status
clevis-luks-list -d /dev/sda3  # Note: sda3 is the LUKS partition