syself
:sparkles: Support FDE on bare metal nodes
/kind feature
Describe the solution you'd like Is it possible to get full disk encryption for bare metal nodes? Any tips or instructions would be great. I only care about bare metal.
if it's possible via installimage it should be possible to do it with caph
@batistein Thanks! It is indeed possible with installimage, I've used this guide successfully https://community.hetzner.com/tutorials/install-ubuntu-2004-with-full-disk-encryption/
However how do I supply that installimage file to caph (1st time trying caph!). Appreciating any help. Thanks a lot for this great project.
Afaict raid got a keyword rootDeviceHints.raid to request creating raid. So I'm guessing to get root fs encryption, it would also need its own keyword. Did I get this wrong? Otherwise can you please show an example how to feed the installimage example into the bare metal crd. Thanks!
Yes it think we would need to create a new key for that under installimage and pass it to the autoconfig. cc @janiskemper
From the configuration perspective this would be pretty easy as we only need to add a new key CRYPTPASSWORD and a new field under partitions (e.g crypt as a bool)
The only big issue I see is with automatic unlocking of the node.. This would need a big enhancement of the controller.
We currently don't work on full-disk-encryption.
How do you want to enter the password if a node reboots?
caph needs ssh access to the bm machine, but systemd (and ssh) can't start if the password was not given. We don't have a serial connection to the server.
Feel free to comment and do brainstorming on this issue. I close it now. Ping us again, if you have a concrete plan how to implement that.
