Hello All,

I am developing something that I call "an encrypted overlay file system with TPM 2.0" for CoreOS. The feature is basically a new dracut module which mounts a new file system on top of the normal file system as an overlay. This new file system is LUKS encrypted, and the disk encryption key can be stored in the TPM 2.0 chip. I have added a new cmdline argument which represents the following:

- the device name for the encrypted data (the 'writes' will go to this partition)
- which PCRs the disk encryption key is sealed to
- the NVRAM index where the disk encryption key is stored
Missing features that may be helpful:

- a master recovery passphrase, in case the TPM 2.0 fails to give the disk encryption key

I would like to ask for some input, and also for what you think of this feature: is it needed, and do you see a reasonable chance that this merge request will be accepted? The code is not fully polished, but here are the two repositories:

https://github.com/rasztasd/coreos-overlay
https://github.com/rasztasd/bootengine

I would like to merge it as soon as possible (if possible), so any input will be appreciated.

Br,
Dani
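To make the flow above concrete, here is an added sketch of what such a dracut hook does at boot: parse the cmdline argument, release the LUKS key from the TPM NV index under a PCR policy, open the device, mount it as the overlay, and fall back to the recovery passphrase the post lists as missing. This is illustration code, not code from the rasztasd repositories; the argument syntax rd.tpm2overlay=<device>:<pcr-list>:<nv-index>, the tpm2_nvread invocation, and the mount paths are assumptions for the example.

```shell
#!/bin/sh
# Assumed cmdline syntax (not from the post): rd.tpm2overlay=<device>:<pcr-list>:<nv-index>
# e.g. rd.tpm2overlay=/dev/sda3:0,2,7:0x1500016

# Extract and validate the overlay argument from a kernel cmdline string.
# Prints "<device> <pcr-list> <nv-index>" on success, returns 1 otherwise.
parse_tpm2overlay() {
    arg=""
    for tok in $1; do
        case "$tok" in rd.tpm2overlay=*) arg="${tok#rd.tpm2overlay=}" ;; esac
    done
    [ -n "$arg" ] || return 1
    dev="${arg%%:*}"; rest="${arg#*:}"
    pcrs="${rest%%:*}"; nvidx="${rest#*:}"
    # all three fields must be present (a missing colon leaves the parts equal)
    [ "$arg" != "$rest" ] && [ "$rest" != "$pcrs" ] || return 1
    case "$dev" in /dev/?*) ;; *) return 1 ;; esac
    echo "$pcrs"  | grep -Eq '^[0-9]+(,[0-9]+)*$' || return 1
    echo "$nvidx" | grep -Eq '^0x[0-9a-fA-F]+$'     || return 1
    echo "$dev $pcrs $nvidx"
}

# Execute a command, or only trace it on stderr when TPM2OVERLAY_DRYRUN is set.
run() { if [ -n "$TPM2OVERLAY_DRYRUN" ]; then echo "+ $*" >&2; else "$@"; fi; }

# Release the key from the NV index gated on the PCR policy (tpm2-tools
# invocation assumed), open the LUKS device, and mount it as an overlay over
# /sysroot. If the TPM refuses (boot chain changed, so PCRs differ), fall
# back to an interactive recovery passphrase rather than leave the box unbootable.
open_tpm2overlay() {
    fields=$(parse_tpm2overlay "$1") || return 1
    set -- $fields
    dev=$1; pcrs=$2; nvidx=$3
    if run tpm2_nvread -C "$nvidx" -P "pcr:sha256:$pcrs" "$nvidx" \
         | run cryptsetup open --type luks --key-file=- "$dev" overlay_data
    then :; else
        run systemd-ask-password "Recovery passphrase for $dev" \
          | run cryptsetup open --type luks "$dev" overlay_data || return 1
    fi
    run mkdir -p /run/overlay
    run mount /dev/mapper/overlay_data /run/overlay
    run mkdir -p /run/overlay/upper /run/overlay/work
    run mount -t overlay overlay \
        -o lowerdir=/sysroot,upperdir=/run/overlay/upper,workdir=/run/overlay/work /sysroot
}
```

Setting TPM2OVERLAY_DRYRUN=1 prints the command sequence instead of touching the TPM or block devices, which is handy for checking the hook's logic outside the initramfs.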
