On Fri, Jan 23, 2026 at 05:10:20PM +0000, Lloyd wrote:
"Remote unlock of FDE" is a bit of a fairy tale. There is no
such thing. The link below describes an example of a Linux
system booting a minimal system via initrd - and making ssh
available - so someone can log in and enter a password. But
by definition this is NOT full disk encryption. /boot must be
unencrypted for this to work. Your keys must be stored in the
initrd image unencrypted for SSH to start up. So you are using
one system in essence to bootstrap another system. Not FDE.

Real FDE can be achieved under Linux nowadays by leveraging the
TPM for hardware key storage to unlock the root volume in recent
versions of systemd. This obviates the need for remote unlock.

That's theoretically correct but practically missing the point.

With the SSDs that are present on nearly all servers these days,
deleting data from the disk (e.g. if it fails or if the disk is replaced)
is not possible to do reliably. The only solution is to encrypt all
system data (root, swap, etc) and then destroy the encryption key once
the disk is no longer needed.

Therefore, disk encryption of the running system is MANDATORY on nearly
any modern server.

The dropbear-initramfs approach used for Linux disk encryption allows
unlocking the system partition without saving the FDE key to disk,
preserving the essential benefit of FDE. It does this without requiring
IPMI or serial console access -- on many servers, remote console access
is inconvenient and unpleasant.

Yes, having an unencrypted /boot means the SSH keys are stored
unencrypted. An adversary with physical access to the server can
therefore MITM your connection when you enter the FDE disk encryption at
server boot.

This is nevertheless infinitely preferable to a completely unencrypted
disk.

Yes, a TPM will provide additional (but not necessarily perfect)
security. This comes at the cost of specific hardware requirements (may
not work on every server or mainboard). Still, it would be wonderful to
see a practically usable implementation.
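The following script is an added example and is not code from either poster. It collects the defender-side pieces of the setup discussed in the thread on a Debian/Ubuntu style host that uses initramfs-tools with cryptsetup-initramfs and dropbear-initramfs: a locked-down dropbear configuration for the initrd (no password logins, no port forwarding, short idle timeout), an authorized_keys entry restricted to the unlock helper, static initrd networking, and an ssh client stanza that pins the initrd host key under its own alias so that the swapped-host-key MITM the reply warns about becomes a hard client-side failure rather than a "new key" prompt. It also shows the TPM alternative via systemd-cryptenroll and the end-of-life crypto-erase step (destroying the LUKS key slots) that the reply gives as the reason for encrypting servers at all. Assumptions: the file paths under /etc/dropbear/initramfs/, the `cryptroot-unlock` helper name, the host name `web1`, and the addresses from the 192.0.2.0/24 documentation range are illustrative; the render functions only print configuration, and nothing is written or executed on the system unless the script is run as root with `--apply` and a device argument.

```shell
#!/bin/sh
# Added example for the dropbear-initramfs / TPM / crypto-erase discussion
# above; not the thread authors' code. Paths, helper names and addresses
# below are assumptions for illustration.

# Dropbear options for the initrd SSH server:
#   -I 180  idle timeout; the initrd session exists only to unlock
#   -j -k   disable local and remote port forwarding through the initrd
#   -s      no password logins; only keys listed in authorized_keys
#   -p N    listen port distinct from the real sshd, so the client can pin
#           a separate host key for the initrd
render_dropbear_options() {
    port="${1:-2222}"
    printf 'DROPBEAR_OPTIONS="-I 180 -j -k -s -p %s"\n' "$port"
}

# Static initrd networking in initramfs-tools ip= syntax:
#   client:server:gateway:netmask:hostname:device:autoconf
render_kernel_ip() {
    addr="$1"; gw="$2"; mask="$3"; dev="$4"
    printf 'ip=%s::%s:%s::%s:none\n' "$addr" "$gw" "$mask" "$dev"
}

# Forced command: the unlock key can only run the unlock helper, nothing else
# (cryptroot-unlock is the helper shipped by Debian's cryptsetup-initramfs).
render_authorized_key() {
    pubkey="$1"
    printf 'command="cryptroot-unlock",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$pubkey"
}

# Client-side pin for the initrd host key. Because the initrd key sits in the
# unencrypted /boot, the only defence against a replaced key is that the
# admin's ssh client refuses to continue when it changes: a dedicated alias,
# strict checking, and no fallback to other identities.
render_ssh_client_config() {
    host="$1"; addr="$2"; port="$3"
    printf 'Host %s-unlock\n  HostName %s\n  Port %s\n  User root\n  HostKeyAlias %s-initrd\n  StrictHostKeyChecking yes\n  IdentitiesOnly yes\n' \
        "$host" "$addr" "$port" "$host"
}

# Write the initrd configuration and rebuild the initramfs (root required).
apply_dropbear() {
    pubkey="$1"; port="$2"
    render_dropbear_options "$port" > /etc/dropbear/initramfs/dropbear.conf
    render_authorized_key "$pubkey" > /etc/dropbear/initramfs/authorized_keys
    chmod 600 /etc/dropbear/initramfs/authorized_keys
    update-initramfs -u
}

# TPM alternative: bind the LUKS volume to the TPM2 and Secure Boot state
# (PCR 7) so the root volume unlocks without any remote interaction.
enroll_tpm() {
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$1"
}

# Crypto-erase at decommission time: wipe every LUKS key slot so the data
# on the SSD is unrecoverable even though the ciphertext is still there.
crypto_erase() {
    cryptsetup luksErase "$1"
}

case "${1:-}" in
    --apply)
        [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
        [ -n "${3:-}" ] || { echo "usage: $0 --apply <pubkey-file> <port>" >&2; exit 1; }
        apply_dropbear "$(cat "$2")" "$3"
        ;;
    --enroll-tpm) enroll_tpm "$2" ;;
    --erase)      crypto_erase "$2" ;;
esac
```

Run `sh unlock-setup.sh --apply /path/to/unlock_key.pub 2222` on the server, then add the output of `render_ssh_client_config web1 192.0.2.10 2222` to `~/.ssh/config` on the admin workstation and record the initrd host key fingerprint under the `web1-initrd` alias the first time you connect; from then on a changed key is a connection failure, not a question. The `--erase` path is the step that makes the SSD argument in the reply work: after `luksErase` the remaining ciphertext carries no usable information, so the physical disk can be returned or discarded.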
