  • Together with secure boot and your own signing keys, it could be a good way to en/decrypt a dm-verity secured read-only rootfs. But for the home partition I would probably still want to enter my own decryption key, maybe via systemd-homed. From there you can update the kernel/initramfs and read-only rootfs image and sign them for the next boot.

    This is complicated to set up. Otherwise maybe use TPM as a 2FA, so you still have to enter a PIN?