From nobody Thu May 21 23:01:07 2026 X-Original-To: freebsd-questions@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gM3mw0yHvz6fBTC for ; Thu, 21 May 2026 23:01:20 +0000 (UTC) (envelope-from pete@nomadlogic.org) Received: from mail.nomadlogic.org (mail.nomadlogic.org [46.21.153.22]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4gM3mv3pM0z3p8r for ; Thu, 21 May 2026 23:01:19 +0000 (UTC) (envelope-from pete@nomadlogic.org) Authentication-Results: mx1.freebsd.org; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nomadlogic.org; s=04242021; t=1779404444; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=nTmRcWOHYmuJkpA6gAl/ONZBsytKWFmMeA0brSDmc5w=; b=D6waUPHM/KZWxovQZM3UTUGS5KFLYFiNhLcxE0EqVTcL79pX3hn9VS0r6jhXrOcZQyx68T 6NBK1IeUzq/wCsI/onuOILbcAQaDlmAA2mHA65YF2zU+iP7BXjrrEOpztN9+aawqS/0IDN Auu1wkHfNJgvfAa/bywZH0P2bUrsoe4= Received: from [192.168.1.20] (47-154-29-181.fdr01.snmn.ca.ip.frontiernet.net [47.154.29.181]) by mail.nomadlogic.org (OpenSMTPD) with ESMTPSA id ad44e9e9 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Thu, 21 May 2026 23:00:44 +0000 (UTC) Message-ID: <336e1325-ba66-4804-8c39-c7e7530adcce@nomadlogic.org> Date: Thu, 21 May 2026 16:01:07 -0700 List-Id: User questions List-Archive: https://lists.freebsd.org/archives/freebsd-questions List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-questions@freebsd.org Sender: owner-freebsd-questions@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Terminal server with consumer hardware To: Polarian , freebsd-questions@freebsd.org References: <20260521233422.001d364f@Hydrogen> Content-Language: en-US From: Pete Wright In-Reply-To: <20260521233422.001d364f@Hydrogen> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:29802, ipnet:46.21.153.0/24, country:US] X-Rspamd-Queue-Id: 4gM3mv3pM0z3p8r X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated On 5/21/26 3:34 PM, Polarian wrote: > Hello list, > > This has been discussed on #freebsd a few times now with no success. > > A common reason you don't full disk encrypt servers is because it makes > unattended boot difficult. I believe TPM encryption is now supported > recently but undocumented (correct me if I am wrong), however TPM only > protects against decryption AFTER you dispose of the disks, if they > have the hardware and the disks, its pointless unless paired with > keydisk or passphrase. Keydisk works, but requires you to plug in the > keydisk to boot, making it infeasible to attend a boot remotely. This > leaves passphrase, which is possible to attend a boot remotely provided > you have access. > > Loader supports serial, or a KVM. KVM requires graphics, and on my > server there is no integrated graphics, this means powering a graphics > card (extra 10-15w) which if you are running 24/7, is more costly. > > This makes serial ideal, its simple, doesn't require much power, and > unlike a KVM, a cheap RPI is all you need. > > My setup is a RPI running OpenBSD which is accessible via ssh, > connected to the FreeBSD server by two WinChipHead CH9102/343/341/340 > (not sure which exact chip it is) TTL usb adapters, with the rx and tx > soldered together, transitively, a usb to usb serial adapter. > sorry may have missed this, but why not use IPMI and serial-over-lan? this is pretty much exactly the use-case it was created for, and most if not all server class motherboards support it. for systems where i need full-disk encryption of my root volume i'm able to provide pass key's via remote console, and it allows you to manage the devices hardware too. -pete -- Pete Wright pete@nomadlogic.org