So far I really like Fedora CoreOS and I am using it on a few bare-metal installations with Clevis.
To my knowledge you can decrypt the disk as soon as you manage to boot an OS on the hardware (because you have access to the TPM and can read the LUKS header).
I have done a few things to keep anyone from reading the disk or booting something else:
- root LUKS (clevis tpm2) as described in the docs here
- removed the Ignition leftovers after the setup (/boot/ignition), as they contain sensitive data and the boot partition is not encrypted
- added grub2 password to the static grub.cfg (I don’t want anyone booting into single user mode)
- enabled secure boot (seems to be working out of the box with shim)
- restricted BIOS access, boot options, etc. (not related to fcos)
Is there anything else I can do? Do you have any tips?
Thanks & Regards,
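As an added example (not part of the original post, and not a Fedora CoreOS tool), here is a small POSIX sh audit that re-checks the four hardening items listed above on a running host. Each check takes its input as a file path, so the same functions can be run against constructed samples; the EFI variable name and the `clevis luks list` output format are what those tools document, and the grub.cfg and root-device paths in the usage note are assumptions for a default FCOS layout.

```shell
#!/bin/sh
# Constructed audit helper; every check reads a file so it can be tested offline.

# 1. GRUB: both a superuser and a pbkdf2 hash line are needed, or the
#    password is ineffective and single-user/edit mode stays open.
grub_has_password() {  # $1 = path to grub.cfg
    grep -q '^set superusers=' "$1" && grep -q '^password_pbkdf2 ' "$1"
}

# 2. Ignition leftovers: /boot is unencrypted, so the rendered config
#    (which may embed secrets) must be gone after first boot.
ignition_leftover_absent() {  # $1 = boot mount point
    [ ! -e "$1/ignition" ]
}

# 3. Secure Boot: the efivar file is 4 attribute bytes followed by one
#    data byte; a value of 1 means enforcement is on.
secure_boot_enabled() {  # $1 = SecureBoot-<guid> efivar file
    [ -r "$1" ] || return 1
    [ "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')" = "1" ]
}

# 4. LUKS: `clevis luks list -d <dev>` prints one "<slot>: <pin> <cfg>"
#    line per binding; require at least one tpm2 pin.
luks_has_tpm2_binding() {  # $1 = file holding the clevis luks list output
    grep -Eq '^[0-9]+: tpm2 ' "$1"
}

# Run all four checks, print PASS/FAIL per check, return the failure count.
audit_fcos() {  # $1 grub.cfg  $2 /boot  $3 efivar file  $4 clevis output file
    fails=0
    for check in \
        "grub_has_password $1" \
        "ignition_leftover_absent $2" \
        "secure_boot_enabled $3" \
        "luks_has_tpm2_binding $4"; do
        if $check; then
            echo "PASS: ${check%% *}"
        else
            echo "FAIL: ${check%% *}"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}
```

On a live host (paths assumed): `clevis luks list -d /dev/<rootdev> > /tmp/clevis.out` and then `audit_fcos /boot/grub2/grub.cfg /boot /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c /tmp/clevis.out`; a non-zero exit is the number of items still open.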