[deleted]
You can configure Dropbear to allow SSH unlocking. I have also heard of some key management software over network that can perform this role for you as well.
[deleted]
Submitted 4 days ago by InternetCitizen2@lemmy.world to selfhosted@lemmy.world
Comments
ryokimball@infosec.pub 4 days ago
vhstape@lemmy.sdf.org 4 days ago
This is how I do it. I followed this guide to get it set up, and this one to make it work behind a VPN (Tailscale)
irmadlad@lemmy.world 3 days ago
Dropbear
The drop bear is a hoax in contemporary Australian folklore featuring a predatory, carnivorous version of the koala. This imaginary animal is commonly spoken about in tall tales designed to scare tourists.
It always fascinates me where the names for opensource software originate(?) Just the naming nomenclature itself is a glimpse into the dev’s culture, country of origin, or various odd bits of colloquialism. Very interesting to a guy who digs etymology. In this case it might be coincidental, but it’s still interesting.
InternetCitizen2@lemmy.world 4 days ago
I’ve never heard of Dropbear. Seems like a handy thing
Neptr@lemmy.blahaj.zone 4 days ago
You could setup LUKS TPM unlocking.
InternetCitizen2@lemmy.world 4 days ago
I actually looked into that, but my server is a very old optiplex that dos not have one.
Neptr@lemmy.blahaj.zone 4 days ago
Maybe a setup FIDO2 LUKS unlocking, but that requires a security key: www.privacyguides.org/en/security-keys/
gabmus@retrolemmy.com 3 days ago
I literally set up encryption on a server with a usb drive a couple weekends ago, I did a writeup on my blog if you’re interested
lorentz@feddit.it 3 days ago
I have an initramfs script which knows half decription key and fetches the other half from internet.
My threat model is: I want to be able to dispose safely my drives, and if someone steals my NAS needs to connect it to a similar network of mine (same gateway and subnet) before I delete the second half of the key to get my data.
imnotroot@lemmy.ml 3 days ago
I use Clevis and Tang setup. I installed tang on RPi which also my NUT server. I installed clevis on all my Linux servers for the network-bound disk encryption.
lazynooblet@lazysoci.al 3 days ago
NUT server
irmadlad@lemmy.world 3 days ago
I need a nut server.
observantTrapezium@lemmy.ca 3 days ago
I don’t really need the encryption
In this case I’d say, LUKS is an overkill and just complicates your life. Try to think of a worst case scenario and what you are trying to protect against. Full disk encryption protects you against someone physically and clandestinely tampering with your server to compromise you by altering your OS, I’d say most selfhosters aren’t at risk of this (I do use LUKS on my laptop, because if I’m not available to decrypt the drive then there’s no reason for it to get decrypted). My approach to the server is to have encrypted directories as needed. For example the SFTP directory, the logic being that some of what’s there may be sensitive, so encryption at rest prevents leakage after the drive is eventually disposed of. But my Git repos (including private ones) and calendar aren’t encrypted at rest. Other services (e.g. Matrix, Borg, Vaultwarden) provide E2E so don’t really need further encryption.
glitching@lemmy.ml 3 days ago
have the data drive (movies, backups, etc) get decrypted with a keyfile from the system SSD. you’re safe to lose, throw away, sell your data drive and don’t have to bother with shredding the data. this takes hours for drives of any significant size.
glizzyguzzler@piefed.blahaj.zone 4 days ago
I have a USB drive with the key on it. The primary purpose for LUKS for me is so that drives I replace don’t need to be wiped, so I just leave the USB drive in all the time. Makes it so it boots automatically.
If I lived in a place I owned, I’d stash a rpi somewhere deep and have it do network dropbear automatic unlock to protect the data if the server is nicked. Till then it’s yolo
InternetCitizen2@lemmy.world 4 days ago
The top paragraph is something I was curious about, the second reminded me that I have an RPI 3B that is not doing anything…