Comment on Encrypting data on local servers?
ryokimball@infosec.pub 2 weeks ago
This has been on my mind, I have yet to do it but the implementation seems trivial.
You can use typical luks full disk encryption with a password. Luks actually has five password slots. Passwords do not have to be actual text, they can be a file or even part of a file.
So my idea is, buy some really cheap, low profile USB flash drives and store some seemingly innocuous data like cat pictures or public domain books, IDK and it doesn’t matter what the actual data is. Use full disk encryption and set a regular password, then add a second password that is a file or part of a file that lives on the flash drives, and have it set up to look for that file on boot as an option for unlocking.
Now the disc is fully encrypted but will boot/reboot without interruption as long as the flash drive is installed. You can remove the flash drive when you’re feeling paranoid, or even better only install it when you are going to be away for a while. If you leave with the machine having the flash drive but are feeling worried, you can remote into the machine and edit / delete the file or just clear the key slot from Luks.
That’s what’s been on my mind, anyway. I think the typical suggestion/solution is to just use drop bear and remotely unlock using that, or don’t use full disk encryption and selectively encrypt your data instead (partitions or userspace encryption).
I’m not going to proofread this so I hope it makes sense
ladfrombrad@lemdro.id 1 week ago
I like this, and I suppose it’s a shame a Rasp Pi can’t be WOL’ed.
But could another SFF single use/secured device on the same network that doesn’t have FDE, also provide that key only if and when you wake it up (manually decrypt the file after ssh’ing into it too?) instead of having a USB drive directly plugged into the main server so, if a nefarious person does have away with the main bounty they’re fugged without said second hidden device on the same network?
ryokimball@infosec.pub 1 week ago
I just bought some PoE hats for my rpis, and have a managed PoE switch; rumor is, this combo basically translates to rPi WoL.
(Not meaning to ignore the rest of your comment, but not in a position to respond fully)
ladfrombrad@lemdro.id 1 week ago
That would be neat.
Like someone else said in here maybe the OP could use a really long cable to a USB drive away from the main server, but I do like the idea of something using hybrid wire(less) to auth.
They could even have a UPS underneath a Pi Zero and, have a PoE HAT too + travel router. Plug in LTE USB with backup SIM card, epoxy all that together and then hide it?
lol, paranoia fixed.