F4: No LUKS on nullstone — full-disk encryption missing #1

Open
opened 2026-05-06 10:56:39 +01:00 by s8n (Owner) · 0 comments
Severity: Critical — Risk Score 20/25
Status: Accepted long-term risk, pending rebuild window

/dev/nvme0n1p3 is a raw LVM PV — no LUKS layer. All logical volumes (root, home, var, swap) plaintext. Matches 2026-04-11 audit finding — 13 months unremediated.

Threat model: Drive theft, evil-maid live-USB, cold-boot RAM extraction.

Impact if compromised: LE account key, Gandi PAT, Tuwunel registration tokens (×2), LiveKit signing key, Headscale noise + machine + preauth keys, Mongo creds, RC admin pw, n8n owner creds, simplex plaintext archive, friend's tailnet identity.

Fix: Reinstall with LUKS2 (argon2id) on p3 + encrypted swap + TPM2 unlock with Secure Boot measurement chain.

Verification: cryptsetup luksDump /dev/nvme0n1p3 shows LUKS2 + argon2id + 100k+ iter count.

Blocked on: scheduled maintenance window — server is single-host, requires data migration plan first.

Source: security/nullstone-server/2026-05-02.md §F4.
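An added verification helper for the luksDump check above (not from the issue or the nullstone repo): it parses the header dump and fails unless the header is LUKS2 and every keyslot uses argon2id. For argon2id keyslots, luksDump reports a per-slot "Time cost" and "Memory" rather than a single iteration count, so those are the values checked; the cost thresholds and the sample dumps are assumptions, constructed for this example.

```shell
#!/bin/sh
# Added helper, not from the issue: checks a `cryptsetup luksDump` text for the
# conditions named in the Verification step. For argon2id keyslots luksDump
# reports "Time cost" (passes) and "Memory" (KiB) per slot instead of an
# "Iterations" line, so those are the values read. Thresholds are assumptions.
MIN_TIME_COST=4          # assumed minimum argon2id passes
MIN_MEMORY_KIB=262144    # assumed minimum argon2id memory (256 MiB)

# check_luks_dump "<dump text>" -> returns 0 on pass, 1 on any failure
check_luks_dump() {
    dump="$1"
    if ! printf '%s\n' "$dump" | grep -Eq '^Version:[[:space:]]+2[[:space:]]*$'; then
        echo "FAIL: header is not LUKS2"; return 1
    fi
    # Every active keyslot must be argon2id: one pbkdf2 slot weakens the whole header
    nslots=$(printf '%s\n' "$dump" | grep -Ec '^[[:space:]]+[0-9]+: luks2' || true)
    nargon=$(printf '%s\n' "$dump" | grep -Ec '^[[:space:]]+PBKDF:[[:space:]]+argon2id' || true)
    [ "$nslots" -gt 0 ] || { echo "FAIL: no active keyslots"; return 1; }
    [ "$nargon" -eq "$nslots" ] || { echo "FAIL: $((nslots - nargon)) keyslot(s) not argon2id"; return 1; }
    # The weakest slot decides, so take the minimum cost across slots
    tmin=$(printf '%s\n' "$dump" | awk '/Time cost:/ {print $3}' | sort -n | head -n 1)
    mmin=$(printf '%s\n' "$dump" | awk '/Memory:/ {print $2}' | sort -n | head -n 1)
    [ "${tmin:-0}" -ge "$MIN_TIME_COST" ] || { echo "FAIL: time cost ${tmin:-0} < $MIN_TIME_COST"; return 1; }
    [ "${mmin:-0}" -ge "$MIN_MEMORY_KIB" ] || { echo "FAIL: memory ${mmin:-0} KiB < $MIN_MEMORY_KIB"; return 1; }
    echo "PASS: LUKS2, $nslots argon2id keyslot(s), min time cost $tmin, min memory $mmin KiB"
}

# Constructed sample dumps, trimmed to the lines the check reads
GOOD_DUMP='LUKS header information
Version:       2
Keyslots:
  0: luks2
        PBKDF:      argon2id
        Time cost:  7
        Memory:     1048576'

WEAK_DUMP='LUKS header information
Version:       2
Keyslots:
  0: luks2
        PBKDF:      argon2id
        Time cost:  7
        Memory:     1048576
  1: luks2
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000'

# Against the live device (needs root): check_luks_dump "$(cryptsetup luksDump /dev/nvme0n1p3)"
```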

s8n added the audit, infra, critical, security, deferred labels 2026-05-06 10:56:39 +01:00
Reference: veilor-org/infra#1