I use a headless server connected to nothing but an ethernet cable in my basement, and I’d prefer to allow the thing to boot by itself and start up without me needing to unlock the disk encryption every single time I do an update or power back on. Its a Dell 9500t NUC that I’m using it as a server and am wondering whether its possible to encrypt everything still.
I do generally use docker containers, so could I potentially encrypt just the containers themselves, assuming I’m worried about a smash and grab rather than someone keeping the machine powered up and reading my ram?
You must log in or # to comment.
If it can power up and decrypt the docker volumes on its own without prompting you for a password in your basement, it will also power up and decrypt the docker volumes on its own without prompting the robbers for a password in their basement
Exactly, I don’t get why people want (full disk) encryption, but with automounted keyfiles after reboot 😂
First reason I think of to use fde all the time even if it’s automatically unlocked, is it’s simple to securely delete everything all at once. Just delete all the keys or overwrite that section of the desk.
Depends on how you want to define “securely”. A sufficiently motivated attacker could attack the remaining encrypted data, either through brute force or exploiting a weakness in the algorithm.
If you find an encrypted drive, it’s extremely unlikely you can recover anything from it. If there is no LUKS header, it’s pretty much impossible.
assuming I’m worried about a smash and grab
For your specific use case, how about this:
Get a cheap USB thumb drive and a long USB cable. Put your disk unlock password on that thumb drive, and semi-permanently affix the USB drive to your building. You said you’re in a basement. Put it on top of a rafter with a metal fitting that would keep the drive from being taken without removing the screws. Run the long USB cable from the thumb driving in your rafter to the USB port on the machine. Alter your startup script to mount the thumb drive read the password from the thumb drive to unlock your main disk. Don’t forget to immediately unmount the thumbdrive in the OS after the disk is unlocked for extra safety.
If someone is doing a smash and grab, they’ll unplug all the cables (including this USB cable going to the thumb drive) and take your machine leaving the disk encryption password behind on the USB thumb drive.
This is a good idea. Use an cat5 USB extender for maximum range (100mt) and put the USB drive even further away.
Plus it just seems like a network cable. A bit of security obscurity.
Removed by mod
I read somewhere someone had their encryption key on their phone / another server and had the server pull the key via ftp on boot. Then the server and encryption key is separated but can decrypt its self as long on the ftp server is available.
Edit - might have been unraid where the OS and data drivers are separate
Check Mandos , if you are able to secure enough the server (inside a safe box?) then you are good
If you have TPM2 support on the motherboard it can be used to unlock LUKS encryption but has the following known vulnerability.
https://oddlama.org/blog/bypassing-disk-encryption-with-tpm2-unlock/
surprised no one has mentioned dropbear yet. i don’t remember the name off the top of my head, but there’s a relatively easy way to setup your initramfs to listen for SSH connections, authenticate with a private key, and send the unlock key. bonus points for writing a script to do it automatically with cute names, e.g. “sendkey helium.intra” or whatever
https://www.golinuxcloud.com/network-bound-disk-encryption-tang-clevis/
something like clevis/tang might help but ultimately if someone has physical access to your box then they can potentially get it all anyways 🤷
Yes, you can have docker scripts decrypt a drive/storage. You might also consider an encrypted home partition separate from the root partition, or user space encryption of your home directory.
deleted by creator
