This is an alternative to manually typing your password to decrypt your home server disks.
The idea is that you have a Tang server somewhere on your local network. When your server boots up, it needs to communicate with the Tang server to unlock the disk. Tang doesn’t store the key and is stateless, but the client requires Tang’s cooperation to compute the key.
For me, I’m thinking about someone breaking into my house and stealing my computer. Currently, I have LUKS read a keyfile from a USB drive… but I almost always leave it plugged in… so a thief would probably accidentally steal that too.
With this setup, I’m thinking maybe I could setup a Pi on the opposite side of my house, ideally hidden. And then if my home server gets stolen, LUKS wouldn’t be able to reach my Tang server, and therefore not unlock anything.
I’m running Tang on a VPS, outside of my homelab. Servers in my homelab set up networking and a dedicated WireGuard tunnel to the VPS from initrd, to be able to talk to Tang, to help unlock the filesystem. The WireGuard tunnel is only allowed from my home ISP’s ASN. So if anyone picks up all my equipment from my homelab and walks away with them, they will not be able to boot them up, unless they connect from my ISP’s ASN (good luck), or know the passphrase.
Additionally, some of my homelab computers that support TPM also have a TPM pin, so walking away with the disk only, and connecting from my ISP’s ASN would still not be enough. This is rather pointless, anyone who walks away with the disk only will likely take the entire computer instead. But it was fun setting it up.
In the not so distant future, I’ll update this setup to use Shamir Secret Sharing more, where I’ll have three pins: my VPS (via Wireguard), a small computer somewhere else in my apartment, and a third at a neighbour (+ TPM on supporting computers).