Wireguard connects to a cloud VPS that acts as the mandos server and then grabs the key from mandos.
All my systems are protected by LUKS aside from /boot which in my case simply holds the wireguard config and what’s required to get the key from mandos. Yes this leaves the wireguard keys exposed but I’m not concerned since in my case they’re only good for this purpose and it’s easy to disable a peer. Plus the VPS has nftables rules that only allow traffic on the wireguard interface to a single port that the mandos server listens on.
Mandos and wireguard inside initramfs.
Wireguard connects to a cloud VPS that acts as the mandos server and then grabs the key from mandos.
All my systems are protected by LUKS aside from /boot which in my case simply holds the wireguard config and what’s required to get the key from mandos. Yes this leaves the wireguard keys exposed but I’m not concerned since in my case they’re only good for this purpose and it’s easy to disable a peer. Plus the VPS has nftables rules that only allow traffic on the wireguard interface to a single port that the mandos server listens on.