I was more suggesting that it might be a bit eldritch, but sometimes humor doesn’t come across quite right.
The linked paper is focused on studying the ‘perforation-type anchor’ they use to hold the tissue to the mold as it grows, rather than keeping it alive afterwards. During growth the tissue and mold were submerged, or partially submerged, in a suitable medium to keep the cells healthy, and it was only when the resulting models were tested that they were removed (although one test did seem to involve letting it dry out to see if the anchors held). Growing the various layers of cells seems to be a solved problem, and I suspect that includes keeping them supplied with nutrients and such, so the authors aren’t examining that. What’s not solved is how to keep the tissue attached to a robot, which is what the authors were studying.
Sorry for the slow reply, life occurred.
I think I understand where you’re coming from with the desire to be productive and not reinstall. I think I’ve been there too! One thing that I can suggest, if you do have the time, is to learn a system like Ansible and use it to set up and configure your machine. The discipline of keeping all of the config as source rather than making ad-hoc changes reduces the chance of thinking you’ll make just one little change and breaking something, and, if something does go wrong, you can get back to your working configuration quickly.
Bearing in mind that there really isn’t anything you can do to stop yourself if you’re really determined to not lose the data, because if you can read it at any time you can back it up, the closest you are likely to come is something like creating a new key with GPG, then using the TPM to wrap your secret key and deleting the original. That way the key is only usable on that specific machine. Then use the key-pair to encrypt your ‘guard’ files. You can still decrypt them because you have the wrapped secret keys and you’re on the same machine, but if you wipe the drive and lose those keys the data is gone. The TPM wrapping prevents you from taking the keys to a different machine to decrypt your data.
There’s an article with some examples here,
Having said all of that, this still doesn’t help if you just clone the disk, as all of the data, including the wrapped key and the encrypted files, will be cloned. The one difference there is that the serial number of the hard drive will be different. Maybe you could use that, combined with a passphrase, as the passphrase for your GPG key, but we’re getting into pretty esoteric territory here. So you could generate a secret key with a command like:

```bash
( lsblk -dno SERIAL /dev/sdb ; zenity --title "Enter decrypt password" --password) | sha1sum | cut -c1-40
```

Where `/dev/sdb` is the device your root partition is on. `zenity` is a handy utility for displaying dialogs; there are others available. In this use it just prompts for a password. We then concatenate the drive serial number from `lsblk` with the password you entered and hash the result. The hashing is really only a convenient way to mix the two without worrying about the newline `lsblk` spits out. Don’t record the result of this command, but use it to set the passphrase on your new GPG key. Wrapping the secret key in the manner the article above suggests is a nice extra step to make it harder to move the drive to another machine or mess around in that sort of way, but not strictly necessary as that wasn’t in the scope of your original question.

Now you can encrypt your file with:

```bash
gpg -e -r <your key name> <your file>
```

That will produce an encrypted version of `<your file>` called `<your file>.gpg`. To decrypt the file you can get `gpg` to use the hashing command from above to get the passphrase with something like:

```bash
gpg -d --pinentry-mode=loopback --batch --passphrase-fd 3 <your file>.gpg 3< <( ( lsblk -dno SERIAL /dev/sdb ; zenity --title "Enter decrypt password" --password) | sha1sum | cut -c1-40 )
```
Once you’ve tested that you can decrypt the file successfully you can remove the original plaintext file. Your data is now encrypted with a key that is secured with a passphrase made of a string you know and the serial number of your disk, and optionally wrapped with a key from the TPM that is tied to your physical machine. If you change the disk or the machine the data is irretrievable (ignoring the caveats discussed above). I think that’s about as close to your original goal as you can get. It’s rough around the edges, and I’m not sure I’d trust my data to it, but I believe it’ll work. If you do something like this, please test it thoroughly; I can’t guarantee it!
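The serial-plus-password passphrase scheme from the comment above, packaged as POSIX shell functions so the derivation can be checked offline (added example, not the commenter's code; `GUARD_DEV`, the function names, a terminal prompt in place of `zenity`, and feeding the passphrase on stdin instead of fd 3 are my own assumptions).

```shell
#!/bin/sh
# Added example: the passphrase is bound to the disk serial, so a clone on a
# different drive derives a different passphrase and cannot unlock the key.
set -eu

# Serial of the disk that backs the guard files. The device path is an
# assumption; set GUARD_DEV for your system.
disk_serial() {
    lsblk -dno SERIAL "${GUARD_DEV:-/dev/sdb}"
}

# Derive the GPG passphrase the same way as the comment's pipeline:
# serial line, then password line, SHA-1 hashed, first 40 hex characters.
# Both inputs get a trailing newline, mirroring what lsblk and zenity emit.
# Arguments: <serial> <password>
derive_passphrase() {
    printf '%s\n%s\n' "$1" "$2" | sha1sum | cut -c1-40
}

# Prompt for the password on the terminal without echo (stands in for zenity).
read_password() {
    printf 'Enter decrypt password: ' >/dev/tty
    stty -echo </dev/tty
    read -r pw </dev/tty
    stty echo </dev/tty
    printf '\n' >/dev/tty
    printf '%s' "$pw"
}

# Encrypt <file> to <recipient>; no passphrase is needed to encrypt because
# only the secret key is passphrase-protected. Arguments: <recipient> <file>
guard_encrypt() {
    gpg -e -r "$1" "$2"
}

# Decrypt <file>.gpg, deriving the passphrase from the live disk serial and
# the typed password and handing it to gpg on stdin. Argument: <file>.gpg
guard_decrypt() {
    pass=$(derive_passphrase "$(disk_serial)" "$(read_password)")
    printf '%s\n' "$pass" | gpg -d --pinentry-mode=loopback --batch --passphrase-fd 0 "$1"
}
```

Because `derive_passphrase` takes the serial as an argument, you can run it with a wrong serial to confirm that a moved or cloned disk no longer yields the passphrase that unlocks the key.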