I’m setting up FDE and wonder which one is better: “LVM over LUKS” or “LUKS over LVM”? Or something else? Is one definitely better than the other? What is your preference?
Thanks.
I think people tend to get hung up on where you store the key material for a server. A hardware token and a TPM are two options that are less secure, but network-bound disk encryption is supported as well, as is a combination. So you could have it require the network key as well as the matching PCRs from the TPM for the proper software load before it will unseal.
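The "network key plus matching PCRs" setup described in the reply above maps onto a Clevis SSS (Shamir secret sharing) policy with a threshold of 2 over a Tang pin and a TPM2 pin. The script below is an added example, not code from anyone in this thread; the Tang URL, the LUKS device path and the PCR selection (0 and 7 in the sha256 bank) are assumed values you would replace with your own.

```shell
#!/bin/sh
# Added example (not from the thread): a Clevis SSS policy that requires BOTH
# a reachable Tang server and a TPM2 unseal bound to PCRs before the LUKS
# volume opens. Hypothetical values: Tang at http://tang.example.internal,
# LUKS device /dev/sda3, PCRs 0 (firmware) and 7 (Secure Boot state).

# Build the SSS pin config. With t=2 and exactly two pins, both Tang and the
# TPM must succeed: the network alone cannot recover the key (no TPM, or the
# measured boot changed), and a stolen box alone cannot either (no Tang).
nbde_plus_tpm_policy() {
    tang_url="$1"
    pcr_ids="$2"
    printf '{"t":2,"pins":{"tang":[{"url":"%s"}],"tpm2":{"pcr_bank":"sha256","pcr_ids":"%s"}}}' \
        "$tang_url" "$pcr_ids"
}

# Bind the LUKS device to the policy. Needs root, the clevis and clevis-luks
# packages, a TPM2 visible to the OS and a reachable Tang server. clevis asks
# for an existing LUKS passphrase and adds a new keyslot; the passphrase slot
# stays as the recovery path.
bind_device() {
    dev="$1"
    policy="$2"
    clevis luks bind -d "$dev" sss "$policy"
}

# Show the resulting binding and rebuild the initramfs so the clevis dracut
# module and early-boot networking are present to satisfy the tang pin.
verify_and_refresh() {
    dev="$1"
    clevis luks list -d "$dev"
    dracut -f
}

# Only touch the system when explicitly asked; the builder above is safe to
# run anywhere.
if [ "${1:-}" = "--apply" ]; then
    POLICY=$(nbde_plus_tpm_policy "http://tang.example.internal" "0,7")
    bind_device /dev/sda3 "$POLICY"
    verify_and_refresh /dev/sda3
fi
```

Run with `--apply` on the server itself. Because the TPM pin is sealed against PCR 0 and 7, a firmware or Secure Boot change will make the TPM half fail and the machine will fall back to the passphrase prompt; re-run the bind after planned updates. The Tang half means the disk only opens on the network where that server answers, which is the property a stolen server no longer has.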
A hardware token being less secure?
If I steal the server I have the token, unless someone is going to physically unlock the server every time you reboot, which is not realistic.