Comment

Comment on How do you secure your home lab? Like, physically? From thieves?

<- View Parent

WhyJiffie@sh.itjust.works ⁨2⁩ ⁨months⁩ ago

how do you unlock the encrypted disks? is it manual, or did you automate it?

source

Sort:hotnew top

glizzyguzzler@piefed.blahaj.zone ⁨2⁩ ⁨months⁩ ago
One of the best uses of encryption is that you can pull drives that die and not have to try to wipe them as they die or smash them. They’re encrypted so it’s just gibberish. Mostly the reason to encrypt.

I auto-unlock with two things: a USB drive I put in the computer that it looks for and another computer on the network that hosts an unlock file. I’m not defending against nation-states or the Gestapo, regular rubes won’t notice the pi zero hidden that hosts the network file. USB drive is for just-in-case so I don’t have to type that long ass password ever.

I didn’t try hard, but I’m not sure how to make auto-unlocking more secure.

source
- huquad@lemmy.ml ⁨2⁩ ⁨months⁩ ago
  Especially if you stripe the data across multiple drives too
  
  source
lorentz@feddit.it ⁨2⁩ ⁨months⁩ ago
I have automated it with a small initramfs script which has half password and download the other half from internet. My threat model is to protect from a random thief. So they should connect it to a network similar to mine (same netmask and gateway) and boot it before I can remove the half key from internet.

some security which is on my TODO list is: allow fetching the half key only from my home IP and add some sort of alert for when it is fetched.

source
dreadbeef@lemmy.dbzer0.com ⁨2⁩ ⁨months⁩ ago
Linux with LUKS can be configured to decrypt at boot

source
- WhyJiffie@sh.itjust.works ⁨2⁩ ⁨months⁩ ago
  ok, but where does it get the decryption key from. my real question is how did you implement automatic unlock securely
  
  source
  - dreadbeef@lemmy.dbzer0.com ⁨2⁩ ⁨months⁩ ago
    you type it in on boot
    
    source
- frongt@lemmy.zip ⁨2⁩ ⁨months⁩ ago
  That kind of defeats the purpose then doesn’t it
  
  source
  - dreadbeef@lemmy.dbzer0.com ⁨2⁩ ⁨months⁩ ago
    shut down and its encrypted? ofc you also have to have a decrypt password
    
    source
    frongt@lemmy.zip ⁨2⁩ ⁨months⁩ ago
    Oh, if there’s a password then that’s different.
    
    But they certainly can take it without unplugging it, if they really want to. For example: cdsg.com/products/hotplug-field-kit
    
    source
    -> View More Comments
fmstrat@lemmy.nowsci.com ⁨2⁩ ⁨months⁩ ago
Dropbear. You can run a small SSH server in initd that allows you to SSH in and type the encryption password. It doesn’t run a shell, just cryptsetup.

source