# Preparing SecureBoot and TPM Disk Encryption for Talos
## Overview
Before we can enable SecureBoot and TPM disk encryption, we need to prepare the ISO and configuration. This article covers the prep work: checking that the hardware supports TPM, generating a SecureBoot-enabled ISO, updating the cluster config with encryption settings, and writing a bootable USB. The actual node re-imaging happens in the next article. Nothing changes on the running cluster yet.
> **Tip:** Having trouble? See v1.11.0 for what your setup should look like after completing this article.
## Before You Begin
### Prerequisites
- Plex Hardening completed
- USB drive (8GB+) for bootable installer
- Physical access to nodes (BIOS changes required during re-image)
### What We're Setting Up
| Component | Before | After |
|---|---|---|
| Talos version | v1.11.6 | v1.12.4 |
| Boot mode | GRUB (legacy) | UKI with SecureBoot |
| Installer image | installer | installer-secureboot |
| STATE partition | Unencrypted | LUKS2[^1] with TPM |
| EPHEMERAL partition | Unencrypted | LUKS2 with TPM |
| etcd data | Plaintext on disk | Encrypted at rest |
### Why SecureBoot + TPM
Talos supports four disk encryption key types[^2]:
| Key Type | Security | Use Case |
|---|---|---|
| TPM | Strong (with SecureBoot) | Hardware-bound keys sealed by TPM 2.0 |
| nodeID | Moderate | Derived from node UUID (drive theft only) |
| static | Weak | Passphrase in config (backup/recovery) |
| KMS | Strong | Network key management (enterprise) |
TPM encryption needs SecureBoot to actually be secure[^2]. Without SecureBoot, an attacker with physical access could modify the boot chain to extract TPM keys. SecureBoot verifies the entire boot chain: UEFI firmware loads a signed systemd-boot bootloader, which loads a signed Unified Kernel Image (UKI) containing the Talos kernel, initramfs, and command line arguments[^3]. The TPM only unseals disk encryption keys when the measured boot chain matches the expected policy.
Tamper protection: Disk encryption is bound to TPM PCR 7, which measures the SecureBoot status and the set of enrolled keys[^3]. If someone disables SecureBoot in the BIOS or modifies the enrolled keys, the PCR measurement changes, the TPM refuses to unseal the disk encryption key, and the partitions remain encrypted. This means a BIOS password is not required for data protection: disabling SecureBoot locks the attacker out rather than letting them in.
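To make the PCR 7 argument concrete, here is an added Python model of how a PCR is extended and how a key sealed to it behaves. It is an illustration written for this article, not Talos, systemd or TPM code: the `PK`/`KEK`/`db`/`dbx` contents and the volume key are constructed placeholders, the per-event digest is simplified (real firmware logs an `EV_EFI_VARIABLE_DRIVER_CONFIG` structure), and the seal/unseal pair stands in for a TPM that enforces the PCR policy inside the chip.

```python
"""Toy model of TPM PCR extension and PCR-bound key sealing (added example)."""
import hashlib
import hmac

PCR_INIT = bytes(32)  # a SHA-256 PCR starts as 32 zero bytes before any measurement

# Constructed placeholder contents for the measured UEFI variables, not real certificates.
KEYS = {"PK": b"platform-key", "KEK": b"key-exchange-key", "db": b"sidero-labs-uki-signing-cert", "dbx": b""}
VOLUME_KEY = hashlib.sha256(b"constructed demo volume key").digest()  # 32-byte toy LUKS volume key


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend for the SHA-256 bank: new = SHA-256(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def measure_variable(name: str, value: bytes) -> bytes:
    """Digest of one UEFI variable measurement (simplified: covers the name and contents)."""
    return hashlib.sha256(name.encode() + b"\x00" + value).digest()


def compute_pcr7(secure_boot_enabled: bool, enrolled: dict) -> bytes:
    """Replay the PCR 7 event sequence for a given firmware policy state."""
    pcr = PCR_INIT
    pcr = pcr_extend(pcr, measure_variable("SecureBoot", b"\x01" if secure_boot_enabled else b"\x00"))
    for var in ("PK", "KEK", "db", "dbx"):
        pcr = pcr_extend(pcr, measure_variable(var, enrolled[var]))
    return pcr


def seal(secret: bytes, expected_pcr7: bytes) -> dict:
    """Bind a 32-byte secret to a PCR 7 value. A real TPM keeps the secret in the chip and
    checks the policy itself; this toy derives a wrapping key from the PCR value so that
    unsealing under any other PCR value fails the integrity check."""
    wrap = hashlib.sha256(b"policy-pcr7:" + expected_pcr7).digest()
    blob = bytes(a ^ b for a, b in zip(secret, wrap))
    return {"blob": blob, "tag": hmac.new(wrap, blob, hashlib.sha256).digest()}


def unseal(sealed: dict, current_pcr7: bytes):
    """Return the secret only when the current PCR 7 reproduces the sealed policy, else None."""
    wrap = hashlib.sha256(b"policy-pcr7:" + current_pcr7).digest()
    tag = hmac.new(wrap, sealed["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, sealed["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))


def demo() -> dict:
    """Seal at install time with SecureBoot on, then attempt unsealing after policy changes."""
    sealed = seal(VOLUME_KEY, compute_pcr7(True, KEYS))
    modified_db = {**KEYS, "db": KEYS["db"] + b"|extra-enrolled-cert"}
    return {
        "normal_boot": unseal(sealed, compute_pcr7(True, KEYS)) == VOLUME_KEY,
        "secureboot_disabled": unseal(sealed, compute_pcr7(False, KEYS)) is not None,
        "db_modified": unseal(sealed, compute_pcr7(True, modified_db)) is not None,
    }


if __name__ == "__main__":
    for case, released in demo().items():
        print(f"{case:20s} -> {'key released' if released else 'TPM refuses to unseal'}")
```

Only the normal boot releases the key; flipping the SecureBoot variable or appending one certificate to `db` changes every subsequent PCR value, which is exactly why the article can skip a BIOS password and rely on the measurement instead.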
Why no fallback keys? Fallback keys (nodeID, static passphrase) weaken the encryption by providing lower-security paths to decrypt the same data. If a TPM fails, we wipe the node and re-provision it. The cluster already has resilience for this: GitOps rebuilds workloads from git, SOPS restores secrets, Longhorn backups restore persistent data, and etcd quorum survives single node loss. A failed TPM is just another re-provision, the same process documented in the next article.
### Why a Fresh Install
A non-UKI (GRUB-based) Talos installation cannot be upgraded in place to UKI/SecureBoot; it requires a fresh install[^3]. This means each node must be re-imaged from a SecureBoot ISO. Since we're re-imaging anyway, we enable TPM disk encryption and upgrade from Talos v1.11.6 to v1.12.4 at the same time. A fresh install is the cleanest path to the latest stable release[^4].
### What's Not In Scope
Custom SecureBoot signing keys: SecureBoot uses signing keys enrolled in UEFI firmware to verify the boot chain (separate from the TPM disk encryption keys generated per-node). We use Sidero Labs' pre-enrolled signing keys via Image Factory[^3], which means any Sidero-signed image would be trusted by our firmware. Custom key generation restricts trust to only images you sign yourself[^3]. For a homelab, the Sidero Labs keys are sufficient; an attacker would need both physical access and a malicious Sidero-signed image.
## Verify TPM Support
### Query TPM Device
```bash
talosctl --nodes 192.168.10.30 read /sys/class/tpm/tpm0/device/description
```

Expected:

```text
TPM 2.0 Device
```

> **Note:** If you get an error reading the path, your nodes lack a TPM. Use `nodeID` as the primary key instead of `tpm` in the encryption config below.
### Security State
```bash
talosctl --nodes 192.168.10.30 get securitystate
```

Expected: `SECUREBOOT` shows `false` (not yet enabled).
## Update Talos Configuration
Talhelper supports SecureBoot and disk encryption through the `machineSpec` and `volumes` fields[^5].
### Update Talos Version
Since we're re-imaging from scratch, update to the latest stable Talos release[^4].
`talos/talconfig.yaml`:

```yaml
# ... existing cluster config ...
talosVersion: v1.12.4 # CHANGE from v1.11.6
kubernetesVersion: v1.34.1
# ... existing cluster config ...
```

### Enable SecureBoot and Encryption
Add `machineSpec` for SecureBoot and `volumes` for TPM disk encryption to each node. Talhelper automatically switches to the `installer-secureboot` image from Image Factory when `secureboot: true` is set[^5]. The `volumes` field maps to Talos `VolumeConfig` resources[^2] for the STATE and EPHEMERAL partitions.
`talos/talconfig.yaml`:

```yaml
# ... existing cluster config ...
nodes:
  - hostname: talos-node-1
    ipAddress: 192.168.10.30
    controlPlane: true
    machineSpec: # ADD
      secureboot: true
    installDiskSelector:
      # ... existing disk selector ...
    networkInterfaces:
      # ... existing network config ...
    schematic:
      # ... existing extensions ...
    volumes: # ADD
      - name: STATE
        encryption:
          provider: luks2
          keys:
            - slot: 0
              tpm: {}
      - name: EPHEMERAL
        encryption:
          provider: luks2
          keys:
            - slot: 0
              tpm: {}
    patches:
      # ... existing patches ...
```

Repeat for `talos-node-2` and `talos-node-3`.
> **Important:** The installer image must be the SecureBoot variant. Using the standard `installer` with SecureBoot enabled will fail to boot after installation. Talhelper handles this automatically when `machineSpec.secureboot: true` is set.
> **Note:** The SecureBoot docs[^3] show `machine.systemDiskEncryption` as a patch; that format still works. The `volumes` field is the talhelper-native equivalent using the newer `VolumeConfig` resource format[^2].
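Because the design above deliberately allows no fallback key slots, a small lint over the generated config catches the mistakes that are easy to make when editing three node entries by hand: a node left with `secureboot: false`, an EPHEMERAL volume forgotten, or a `static`/`nodeID` slot added "just in case". The script below is an added example, not part of talhelper or Talos; it expects the `nodes[].machineSpec` / `nodes[].volumes[].encryption` structure shown above as already parsed into Python objects (for example via `yaml.safe_load()` on `talconfig.yaml`), and the two sample nodes are constructed in-memory equivalents so it runs without PyYAML.

```python
"""Lint a parsed talhelper talconfig.yaml for the encryption invariants set above (added example)."""

REQUIRED_VOLUMES = ("STATE", "EPHEMERAL")
ALLOWED_KEY_TYPES = {"tpm"}  # no nodeID / static / kms fallback slots, per the design decision above


def lint_node(node: dict) -> list:
    """Return human-readable findings for one entry of `nodes:`; an empty list means compliant."""
    host = node.get("hostname", "<unnamed>")
    findings = []
    if node.get("machineSpec", {}).get("secureboot") is not True:
        findings.append(f"{host}: machineSpec.secureboot must be true (TPM keys are only safe under SecureBoot)")
    volumes = {v.get("name"): v for v in node.get("volumes", [])}
    for name in REQUIRED_VOLUMES:
        vol = volumes.get(name)
        if vol is None:
            findings.append(f"{host}: volume {name} has no encryption config")
            continue
        enc = vol.get("encryption", {})
        if enc.get("provider") != "luks2":
            findings.append(f"{host}: {name} provider must be luks2, got {enc.get('provider')!r}")
        keys = enc.get("keys", [])
        if not keys:
            findings.append(f"{host}: {name} declares no encryption keys")
        for key in keys:
            key_types = set(key) - {"slot"}  # every key other than `slot` names a key type
            if not key_types:
                findings.append(f"{host}: {name} slot {key.get('slot')} declares no key type")
            fallback = key_types - ALLOWED_KEY_TYPES
            if fallback:
                findings.append(f"{host}: {name} slot {key.get('slot')} uses fallback key type(s) {sorted(fallback)}")
    return findings


def lint_config(config: dict) -> list:
    """Lint every node; returns the concatenated findings."""
    findings = []
    for node in config.get("nodes", []):
        findings.extend(lint_node(node))
    return findings


# Constructed sample equal to what yaml.safe_load() returns for the talconfig node above.
TPM_ONLY = {"provider": "luks2", "keys": [{"slot": 0, "tpm": {}}]}
GOOD_NODE = {
    "hostname": "talos-node-1",
    "ipAddress": "192.168.10.30",
    "controlPlane": True,
    "machineSpec": {"secureboot": True},
    "volumes": [{"name": "STATE", "encryption": TPM_ONLY}, {"name": "EPHEMERAL", "encryption": TPM_ONLY}],
}
# Constructed non-compliant node: SecureBoot off, a static passphrase fallback slot, EPHEMERAL left unencrypted.
BAD_NODE = {
    "hostname": "talos-node-x",
    "machineSpec": {"secureboot": False},
    "volumes": [
        {"name": "STATE", "encryption": {"provider": "luks2", "keys": [
            {"slot": 0, "tpm": {}},
            {"slot": 1, "static": {"passphrase": "example-passphrase"}},
        ]}},
    ],
}

if __name__ == "__main__":
    for finding in lint_config({"nodes": [GOOD_NODE, BAD_NODE]}):
        print("FAIL", finding)
```

Run it against the real file with `lint_config(yaml.safe_load(open("talos/talconfig.yaml")))` before committing; a clean run is a quick confirmation that every node will get the SecureBoot installer and TPM-only LUKS2 on both partitions.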
### Commit Changes
```bash
git add talos/talconfig.yaml
git commit -m "feat(talos): add secureboot, tpm encryption, upgrade to v1.12.4"
git push
```

### Generate Node Configs
```bash
cd talos
SOPS_AGE_KEY_FILE=<(op document get "sops-key | homelab") \
  talhelper genconfig
```

## Generate SecureBoot ISO
With `machineSpec.secureboot: true` in the config, talhelper automatically generates the correct SecureBoot image URL from Image Factory[^6].
### Generate Image URL
```bash
cd talos
SOPS_AGE_KEY_FILE=<(op document get "sops-key | homelab") \
  talhelper genurl image
```

Expected: One URL per node ending in `metal-amd64-secureboot.iso` (all identical, since the nodes share the same extensions).
### Download ISO
```bash
curl -LO "<URL from genurl output>"
```

### Verify ISO
```bash
sudo dd if=metal-amd64-secureboot.iso bs=2048 skip=16 count=1 2>/dev/null | strings | grep -i talos
```

Expected: `TALOS_V1_12_4` confirms the correct version was downloaded.
> **Note:** The extensions in `talos/talconfig.yaml` determine the schematic ID in the URL. If you change extensions, the schematic ID changes and you need a new ISO.
## Create Bootable USB
### Identify Drive
```bash
diskutil list
```

Look for your USB drive (e.g., `/dev/disk10`). Note the disk identifier, not the partition (`disk10`, not `disk10s1`).
If reusing a previous USB, verify its contents by reading the ISO 9660 volume label:
```bash
sudo dd if=/dev/<disk> bs=2048 skip=16 count=1 2>/dev/null | strings | grep -i talos
```

Expected: `TALOS_V<VERSION>` (e.g., `TALOS_V1_11_6`) confirms it is a Talos installer.
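The `dd | strings | grep` check used for both the downloaded ISO and a reused USB stick works because ISO 9660 places its Primary Volume Descriptor at logical sector 16: a 2048-byte sector starting with type byte `0x01`, the signature `CD001` and version `0x01`, with the 32-byte volume identifier at offset 40. The Python below is an added example (not Talos or Image Factory code) that performs the same check structurally, so a stray "talos" string elsewhere in sector 16 cannot produce a false positive, and maps the label back to a version. The test image it builds is a constructed minimal ISO with only that descriptor.

```python
"""Check an ISO 9660 Primary Volume Descriptor and read its volume label (added example)."""
import os
import re
import tempfile

SECTOR = 2048      # ISO 9660 logical sector size
PVD_SECTOR = 16    # the Primary Volume Descriptor lives at logical sector 16 (byte offset 32768)
TALOS_LABEL = re.compile(r"^TALOS_V(\d+)_(\d+)_(\d+)$")


def is_iso9660(pvd: bytes) -> bool:
    """True if the sector carries the PVD signature: type 0x01, 'CD001', version 0x01."""
    return len(pvd) >= 72 and pvd[0] == 1 and pvd[1:6] == b"CD001" and pvd[6] == 1


def parse_pvd(pvd: bytes) -> str:
    """Return the 32-byte volume identifier (bytes 40..71) with its space/NUL padding removed."""
    if not is_iso9660(pvd):
        raise ValueError("sector 16 is not an ISO 9660 primary volume descriptor")
    return pvd[40:72].decode("ascii", errors="replace").rstrip(" \x00")


def read_volume_label(path: str) -> str:
    """Read the label from an ISO file or a raw block device such as /dev/disk10 (root needed on macOS)."""
    with open(path, "rb") as f:
        f.seek(PVD_SECTOR * SECTOR)
        return parse_pvd(f.read(SECTOR))


def talos_version(label: str):
    """Map a Talos installer label like TALOS_V1_12_4 to 'v1.12.4'; None if it is not a Talos label."""
    m = TALOS_LABEL.match(label)
    return f"v{m.group(1)}.{m.group(2)}.{m.group(3)}" if m else None


def make_test_image(label: str) -> bytes:
    """Constructed minimal image: 16 zero sectors followed by a PVD carrying the given label."""
    pvd = bytearray(SECTOR)
    pvd[0] = 1
    pvd[1:6] = b"CD001"
    pvd[6] = 1
    pvd[8:40] = b"LINUX".ljust(32)                 # system identifier, space padded
    pvd[40:72] = label.encode("ascii").ljust(32)   # volume identifier, space padded
    return bytes(PVD_SECTOR * SECTOR) + bytes(pvd)


def demo() -> tuple:
    """Write the constructed image to a temp file and verify it the way you would the real ISO."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(make_test_image("TALOS_V1_12_4"))
        path = tmp.name
    try:
        label = read_volume_label(path)
    finally:
        os.unlink(path)
    return label, talos_version(label)


if __name__ == "__main__":
    import sys
    # Usage: python verify_iso.py metal-amd64-secureboot.iso   (or sudo ... /dev/disk10)
    label = read_volume_label(sys.argv[1]) if len(sys.argv) > 1 else demo()[0]
    print(label, talos_version(label) or "(not a Talos installer)")
```

Pointed at the downloaded file it should print `TALOS_V1_12_4 v1.12.4`; pointed at a reused stick it tells you which Talos version is on it, or that the medium is not an ISO 9660 image at all rather than silently matching nothing.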
### Write ISO
```bash
# Unmount first (required)
diskutil unmountDisk /dev/<disk>
# CAUTION: will erase the drive!
# Use rdisk for faster writes (raw, bypasses buffer cache)
sudo dd if=metal-amd64-secureboot.iso of=/dev/r<disk> bs=1m
```

### Eject
```bash
diskutil eject /dev/<disk>
```

## Next Steps
The SecureBoot ISO and encryption config are ready. Now we can re-image each node with SecureBoot and TPM disk encryption enabled.
See: Secure Node Re-image
## Resources
### Footnotes
[^1]: Wikipedia, "Linux Unified Key Setup," en.wikipedia.org. Accessed: Mar. 2, 2026. [Online]. Available: https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup
[^2]: Sidero Labs, "Disk Encryption," docs.siderolabs.com. Accessed: Mar. 2, 2026. [Online]. Available: https://docs.siderolabs.com/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-encryption
[^3]: Sidero Labs, "SecureBoot," docs.siderolabs.com. Accessed: Mar. 3, 2026. [Online]. Available: https://docs.siderolabs.com/talos/v1.12/platform-specific-installations/bare-metal-platforms/secureboot
[^4]: Sidero Labs, "Talos v1.12.4 Release," github.com. Accessed: Mar. 7, 2026. [Online]. Available: https://github.com/siderolabs/talos/releases/tag/v1.12.4
[^5]: Budimanjojo, "Talhelper Configuration Reference," budimanjojo.github.io. Accessed: Mar. 7, 2026. [Online]. Available: https://budimanjojo.github.io/talhelper/latest/reference/configuration/
[^6]: Sidero Labs, "Image Factory," factory.talos.dev. Accessed: Mar. 3, 2026. [Online]. Available: https://factory.talos.dev