So I was reading this. And it seems pretty good. In my current set up if my server ever just restarts or something I just kind of don’t have it until I get home. Which is no issue because my set up is just local anyway hehe. Still I am thinking of changing my set up to be more of a real server. I don’t really need the encryption, but I have it and feel I should use it out of some principle of the matter.
So what is the workflow that people use if they need to restart or there is a power outage and want the server to turn itself back on, but no one would be around to unlock the LUKS?
You must log in or # to comment.
I don’t really need the encryption
In this case I’d say, LUKS is an overkill and just complicates your life. Try to think of a worst case scenario and what you are trying to protect against. Full disk encryption protects you against someone physically and clandestinely tampering with your server to compromise you by altering your OS, I’d say most selfhosters aren’t at risk of this (I do use LUKS on my laptop, because if I’m not available to decrypt the drive then there’s no reason for it to get decrypted). My approach to the server is to have encrypted directories as needed. For example the SFTP directory, the logic being that some of what’s there may be sensitive, so encryption at rest prevents leakage after the drive is eventually disposed of. But my Git repos (including private ones) and calendar aren’t encrypted at rest. Other services (e.g. Matrix, Borg, Vaultwarden) provide E2E so don’t really need further encryption.
I use Clevis and Tang setup. I installed tang on RPi which also my NUT server. I installed clevis on all my Linux servers for the network-bound disk encryption.
NUT server
I have a USB drive with the key on it. The primary purpose for LUKS for me is so that drives I replace don’t need to be wiped, so I just leave the USB drive in all the time. Makes it so it boots automatically.
If I lived in a place I owned, I’d stash a rpi somewhere deep and have it do network dropbear automatic unlock to protect the data if the server is nicked. Till then it’s yolo
The top paragraph is something I was curious about, the second reminded me that I have an RPI 3B that is not doing anything…
You can configure Dropbear to allow SSH unlocking. I have also heard of some key management software over network that can perform this role for you as well.
This is how I do it. I followed this guide to get it set up, and this one to make it work behind a VPN (Tailscale)
I’ve never heard of Dropbear. Seems like a handy thing
You could setup LUKS TPM unlocking.
I actually looked into that, but my server is a very old optiplex that dos not have one.
Maybe a setup FIDO2 LUKS unlocking, but that requires a security key: https://www.privacyguides.org/en/security-keys/
I have an initramfs script which knows half decription key and fetches the other half from internet.
My threat model is: I want to be able to dispose safely my drives, and if someone steals my NAS needs to connect it to a similar network of mine (same gateway and subnet) before I delete the second half of the key to get my data.
I literally set up encryption on a server with a usb drive a couple weekends ago, I did a writeup on my blog if you’re interested
