Huge pain in the ass to set up, but from the user's end of things it was pretty easy to do.
Some years ago, I had a client with a really fucked up set of requirements:
This was during the days when booting into a LUKS encrypted Gentoo install involved copy-and-pasting a shell script out of the Gentoo wiki and adding it to the initrd. I want to say late 2006 or early 2007.
I remember creating a /boot partition, a tiny little LUKS partition (512 megs, at most) after it, and the rest of the drive was the LUKS encrypted root partition. The encrypted root partition had a randomly generated keyfile as its unlocker; it was symmetrically encrypted using gnupg and a passphrase before being stored in the tiny partition. The tiny partition had a passphrase to unlock it. gnupg was in the initrd. I think the workflow went something like this:
I don't miss those days.
Just like archeologists having to call dildos they find "religious objects," it all depends on how much you want to risk your reputation and research funding.
It would probably be more reliable to partition and format the new drive manually and use rsync
to copy everything over. Updating /etc/fstab with the new UUIDs isn't a big deal (though you can also manually specify the partition UUIDs at time of format - mkfs.btrfs --uuid ...
) (you didn't say what file system your /boot partition was using, so I don't want to guess).
It really depends on the company. When I was working for that company a few jobs back, we crunched the numbers and the cost of C&C and IV&V (Certification and Accreditation; Independent Verification and Validation) for an in-house TOTP had one more zero to the left of the decimal point than the Twilio bill (added up for the year). Plus, for compliance we'd have to get everything re-vetted yearly.
That's kinda of the definition of government contracting. :) I think the only US government org that has actual govvies doing anything other than management is NASA.
@drwho
@beehaw.org