Submitted 4 months ago by InternetCitizen2@lemmy.world to selfhosted@lemmy.world
I have an initramfs script which knows half decription key and fetches the other half from internet.
My threat model is: I want to be able to dispose safely my drives, and if someone steals my NAS needs to connect it to a similar network of mine (same gateway and subnet) before I delete the second half of the key to get my data.
I don’t really need the encryption
In this case I’d say, LUKS is an overkill and just complicates your life. Try to think of a worst case scenario and what you are trying to protect against. Full disk encryption protects you against someone physically and clandestinely tampering with your server to compromise you by altering your OS, I’d say most selfhosters aren’t at risk of this (I do use LUKS on my laptop, because if I’m not available to decrypt the drive then there’s no reason for it to get decrypted). My approach to the server is to have encrypted directories as needed. For example the SFTP directory, the logic being that some of what’s there may be sensitive, so encryption at rest prevents leakage after the drive is eventually disposed of. But my Git repos (including private ones) and calendar aren’t encrypted at rest. Other services (e.g. Matrix, Borg, Vaultwarden) provide E2E so don’t really need further encryption.
I literally set up encryption on a server with a usb drive a couple weekends ago, I did a writeup on my blog if you’re interested
I use Clevis and Tang setup. I installed tang on RPi which also my NUT server. I installed clevis on all my Linux servers for the network-bound disk encryption.
NUT server
I need a nut server.
I have a USB drive with the key on it. The primary purpose for LUKS for me is so that drives I replace don’t need to be wiped, so I just leave the USB drive in all the time. Makes it so it boots automatically.
If I lived in a place I owned, I’d stash a rpi somewhere deep and have it do network dropbear automatic unlock to protect the data if the server is nicked. Till then it’s yolo
The top paragraph is something I was curious about, the second reminded me that I have an RPI 3B that is not doing anything…
You could setup LUKS TPM unlocking.
I actually looked into that, but my server is a very old optiplex that dos not have one.
Maybe a setup FIDO2 LUKS unlocking, but that requires a security key: www.privacyguides.org/en/security-keys/
You can configure Dropbear to allow SSH unlocking. I have also heard of some key management software over network that can perform this role for you as well.
This is how I do it. I followed this guide to get it set up, and this one to make it work behind a VPN (Tailscale)
Dropbear
The drop bear is a hoax in contemporary Australian folklore featuring a predatory, carnivorous version of the koala. This imaginary animal is commonly spoken about in tall tales designed to scare tourists.
It always fascinates me where the names for opensource software originate(?) Just the naming nomenclature itself is a glimpse into the dev’s culture, country of origin, or various odd bits of colloquialism. Very interesting to a guy who digs etymology. In this case it might be coincidental, but it’s still interesting.
I’ve never heard of Dropbear. Seems like a handy thing
glitching@lemmy.ml 4 months ago
have the data drive (movies, backups, etc) get decrypted with a keyfile from the system SSD. you’re safe to lose, throw away, sell your data drive and don’t have to bother with shredding the data. this takes hours for drives of any significant size.