On Tue May 14, 2024 at 4:11 PM EEST, Ignat Korchagin wrote: > For example, a cheap NAS box with no internal storage (disks connected > externally via USB). We want: > * disks to be encrypted and decryptable only by this NAS box So how this differs from LUKS2 style, which also systemd supports where the encryption key is anchored to PCR's? If I took hard drive out of my Linux box, I could not decrypt it in another machine because of this. > * if someone steals one of the disks - we don't want them to see it > has encrypted data (no LUKS header) So what happens when you reconnect? > Additionally we may want to SSH into the NAS for configuration and we > don't want the SSH server key to change after each boot (regardless if > disks are connected or not). Right, interesting use case. Begin before any technical jargon exactly with a great example like this. Then it is easier to start to anchoring stuff and not be misleaded. BR, Jarkko
