fedora

Fedora Encrypted Root With Automatic Key Unlocking

Fedora’s installer will happily set up an encrypted install with root-on-LVM-on-LUKS (/boot is still unencrypted; Secure Boot might still be handy here). This is supported and works out of the box. However, while I’m present when I reboot this machine, it is also headless (no keyboard or monitor), so typing a passphrase at boot is problematic. But no problem, you can have up to ten key slots for a LUKS partition, right?

Snapperd on Fedora with SELinux enabled

Snapper is an excellent utility that provides hourly snapshots of btrfs subvolumes. Fedora ships with SELinux enabled by default. This is excellent, and shouldn’t be disabled. To allow this, most software in Fedora has appropriate rules defined, including snapper. However, snapper’s rules only allow it to work on / and /home. If you wish to use it to snapshot /mnt/data, or /srv, or any other particular path, you’re going to have a very bad time.

Fedora Cloud Image on Linode

Linode offers pre-assembled Fedora VMs, but their environment doesn’t support SELinux. You also don’t get any notification on when you should reboot for new kernels, etc. I decided to attempt to adapt Fedora’s stock cloud image on Linode. It was not without its own effort, but ultimately I think it’s a better solution than attempting to retrofit the Linode image for booting. Also, I’m using the Fedora cloud image on all my other VMs, so I’m familiar with how it’s set up (and can easily spool up a local copy for testing).