Skip Navigation

InitialsDiceBearhttps://github.com/dicebear/dicebearhttps://creativecommons.org/publicdomain/zero/1.0/„Initials” (https://github.com/dicebear/dicebear) by „DiceBear”, licensed under „CC0 1.0” (https://creativecommons.org/publicdomain/zero/1.0/)D

dont

@ dont @lemmy.world

Posts
3
Comments
37
Joined
2 yr. ago

  • Removed

    oidc-based remote luks decryption – bad idea?

    Jump

  • The annoyance grows with the number of hosts ;-) I still want to feel in control, which is why I'm hesitant to implement unattended decryption like with tang/clevis.

    But I'm interested in the idea of not messing with the initrd-image, boot into a running system and then wait for decryption of a data-partition. Isn't it a hassle to manually override all the relevant service declarations etc. to wait for the mount? Or how do you do that?

  • Removed

    oidc-based remote luks decryption – bad idea?

    Jump

  • The passphrase should be stored and transferred encrypted, but that would basically mean reimplementing mandos, a tool that was mentioned in another reply https://lemmy.world/post/38400013/20341900. Besides that yes, that's one way I've also considered. An ansible script with access to all encrypted host's initrd-ssh-keys that tries to login; if the host is waiting for decryption, provides the key, done. Needs one webhook for notification and one for me to trigger the playbook run... Maybe I will revisit this...

  • Removed

    oidc-based remote luks decryption – bad idea?

    Jump

  • It wasn't clear to me at first glance how the mandos server gets the approval to supply the client with its desired key, but I figured it out in the meantime: that's done through the mandos-monitor tui. However, that doesn't quite fit my ux-expectations. Thanks for mentioning it, though. It's an interesting project I will keep in mind.

  • Removed

    oidc-based remote luks decryption – bad idea?

    Jump

  • Definitely! I have bmc/kvm everywhere (well, everywhere that matters).

    I have talked myself out of this (for now), though. I think if I ever find the time to revisit this, I will try to to it by injecting some oidc-based approval (memo to myself: ciba flow?) into something like clevis/tang.

  • Removed

    oidc-based remote luks decryption – bad idea?

    Jump

  • Sort of, but this seems a bit heavy. (That being said, I was also considering pkcs#11 on a net-hsm, which seems to do basically the same...)

  • Removed

    oidc-based remote luks decryption – bad idea?

    Jump

  • Yes, I was thinking about storing encrypted keys, but still, using claims is clearly just wrong... Using a vault to store the key is probably the way to go, even though it adds another service the setup depends on.

  • Removed

    oidc-based remote luks decryption – bad idea?

    Jump

  • Interesting, do you happen to know how this "approval" works here, concretely?

  • How do you pronounce runc?

    Jump

  • Looks like everyone agrees, thanks!

  • Container platforms (docker, lxc, podman) @lemmy.world
    dont @lemmy.world

    How do you pronounce runc?

  • Has anyone messed around with NonRAID?

    Jump

  • How long did it take to get zpool-attach? I will not join the waiting list 😉

  • Has anyone messed around with NonRAID?

    Jump

  • The selling point of unraid is that you can mix and match different disk sizes and it figures out a (good, efficient?) way to handle them even as you grow a pool. You're not going to have a good time with a 1TB drive, a 2 TB drive and a 15 TB drive using zfs, unraid doesn't care... (Using and preferring zfs myself, by the way; this is heresay.)

  • Is there something like GitHub, but without big tech involvement, no data collection, no ads, open source, and preferably decentralized (maybe Fediverse or even P2P)?

    Jump

  • "Happy little outages, here and there"

    Jump

  • ... have a look at all those happy little tickets ...

  • 🛡️ uSentry - Identity & Access Management

    Jump

  • I love the simplicity of this, I really do, but I don't consider this SSO. It may be if you're a single user, but even then, many things I'm hosting have their own authentication layer and allow offloading only to some oidc-/oauth or ldap-provider.

  • Nextcloud (PHP) vs OpenCloud (Go)

    Jump

  • Deployment of NC on kubernetes/docker (and maintenance thereof) is super scary. They copy config files around in dockerfile, e.g., it's a hell of a mess. (And not just docker: I have one instance running on an old-fashioned webhosting with only ftp access and I have to manually edit .ini and apache config after each update since they're being overwritten.) As the documentation of OCIS is growing and it gets more features, I might actually change even the larger instances, but for now I must consider it as not feature complete (since people have expectations from nextcloud that aren't met by ocis and its extensions). Moreover, I have more trust in the long term openness of nextcloud as opposed to owncloud, for historical reasons.

  • How to start using the new Linux terminal on your Android device

    Jump

  • I've spent a few minutes with it so far, still looking out for some documentation. I couldn't find a way to mount storage either way so far. Could be done with an nfs or smb share on the vm, being accessed by the phone with an appropriate app, perhaps. Also, I couldn't pass through usb, which is a real bummer...

  • 90s band alignment chart

    Jump

  • No Doubt on the happy side? Have you listened to the lyrics?

  • BraX3: the most privacy-friendly smartphone!

    Jump

  • I use GrapheneOS because it works better for me, but considering their personnel and how they're operating, I still would also trust Calyx. Was clearly the best choice for my fairphone back then.

  • Cybersecurity Founder and CEO blasts her husband on LinkedIn for not doing anything in 2024.

    Jump

  • Nope

    Jump

  • This has been on X Files, quarantine those people! 👻

  • Selfhosted @lemmy.world
    dont @lemmy.world

    The purpose of podman quadlets?

  • Mikrotik @lemmy.world
    dont @lemmy.world

    CCR2004-1G-2XS-PCIe as Firewall in colocation