Comment on Advice on encrypted storage
constantokra@lemmy.one 11 months ago
Encrypt the boot drive, and use dropbear ssh in initramfs to be able to unlock it over ssh during boot. Then set up your data drives however you want, and use a key file on your boot drive to unlock them, once you’ve unlocked it. All drives are encrypted when your machine is off, and you only need one password you can enter remotely to unlock the whole thing.
Here’s a good resource on how to do the initramfs part arminpech.de/…/debian-unlock-luks-root-partition-…
Also, when you update the kernel you have to rebuild the initramfs with sudo update-initramfs -k all -u, or it won’t be able to boot to the new kernel.
I’ve found it to be a super reliable setup.
ShortN0te@lemmy.ml 11 months ago
I have not looked through the setup steps of that link, but I have been using FDE with LUKS and remote ssh unlock for years and have not had any problems.
Shouldn't that be automatically handled by apt? I don't remember that I have set up a manual hook for that, and I never rebuild my initramfs manually.
constantokra@lemmy.one 11 months ago
I was a bit surprised at it as well, but it doesn’t for me running Debian headless. If I reboot after a kernel update it’ll try to boot into the new kernel and fail waiting for the initramfs, but it’ll boot just fine into the previous kernel. Once I update the initramfs it works fine.
If you know what resources you used to set it up, I’d be curious to take a look and see if I missed something.
ShortN0te@lemmy.ml 11 months ago
Steps are basically not more than this (cannot find the original blog I followed, but this is the small write-up I made years ago)
For some reason I install busybox too in the personal write-up. But I do not think it is necessary.
constantokra@lemmy.one 11 months ago
That’s basically the same as my write-up from when I did it, except I also had a -k all on update-initramfs. Not sure about the switches, so I’ll look into them. Thanks.
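A post-update check for the failure mode described in this thread (a new kernel whose initramfs was never rebuilt, so it cannot reach dropbear or the LUKS root and hangs at boot). This is an added example, not anything posted by the commenters or part of the linked write-up; it assumes Debian's /boot naming (vmlinuz-<ver>, initrd.img-<ver>) and the paths that cryptsetup-initramfs and dropbear-initramfs place into the image (scripts/local-top/cryptroot and sbin/dropbear), and it uses lsinitramfs from initramfs-tools.

```shell
#!/bin/sh
# Verify that every installed kernel has an initramfs that can do remote
# LUKS unlock. Run it after a kernel update; if it reports a problem, the
# fix is: sudo update-initramfs -u -k all

# has_unlock_support LISTING: succeed when LISTING (lsinitramfs output, one
# path per line) contains both the cryptroot hook and the dropbear binary.
has_unlock_support() {
    listing=$1
    # Hook installed by cryptsetup-initramfs (unlocks the root volume).
    printf '%s\n' "$listing" | grep -q 'scripts/local-top/cryptroot$' || return 1
    # Binary installed by dropbear-initramfs; matches sbin/ and usr/sbin/.
    printf '%s\n' "$listing" | grep -q 'sbin/dropbear$' || return 1
    return 0
}

# missing_initrds BOOTDIR: print each kernel version in BOOTDIR whose
# initramfs is absent or lacks unlock support; return 1 if any were found.
missing_initrds() {
    bootdir=$1
    rc=0
    for k in "$bootdir"/vmlinuz-*; do
        [ -e "$k" ] || continue          # no kernels: glob stayed literal
        ver=${k##*/vmlinuz-}
        img="$bootdir/initrd.img-$ver"
        if [ ! -f "$img" ]; then
            echo "$ver: no initramfs"; rc=1; continue
        fi
        if ! has_unlock_support "$(lsinitramfs "$img")"; then
            echo "$ver: initramfs lacks cryptroot/dropbear"; rc=1
        fi
    done
    return $rc
}

# Invoke with --check to scan the live /boot (needs read access to it).
if [ "${1:-}" = "--check" ]; then
    missing_initrds /boot && echo "all kernels have a remote-unlock initramfs"
fi
```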