this post was submitted on 22 Nov 2023
1 points (100.0% liked)

Homelab

380 readers
9 users here now

Rules

founded 1 year ago
MODERATORS
 

I'm trying to build a headless server that has sensitive data on it and needs full disk encryption. I want it protected from physical theft and as far as I can brainstorm, that means at boot, the storage has to be unlocked manually. I know I can do this with remote access through remote console IPMI board but was wondering if I've just missed a way to solve this problem without using extra hardware. Have any of you homelabbers dealt with this problem set without using IPMI cards?

top 7 comments
sorted by: hot top controversial new old
[–] [email protected] 1 points 11 months ago (1 children)

If you use luks, you can just add dropbear to have a ssh-server running and enter your password there.

[–] [email protected] 1 points 11 months ago

That sounds like exactly what fits my situation. Thanks!

[–] [email protected] 1 points 11 months ago

If someone physically has your disks unless you have on the drive encryption your fucked. Even then I dunno. If it was created by humans it can be cracked by humans.

Maybe better to move server to undisclosed location like a bank vault.

[–] [email protected] 1 points 11 months ago (1 children)

Depends what you want to do, there are a few alternatives for luks. TPM, nbde server, dropbear-ssh, usb key, yubikey.

You can use any combination of the above with password being a fallback.

[–] [email protected] 1 points 11 months ago

dropbear-ssh is what I'm looking for. thanks!

[–] [email protected] 1 points 11 months ago

I do this with ZFS using a Keyfile and a script that runs at boot to unlock/mount.

I put the keyfiles on a USB drive. (Make sure you have backups!) This USB drive is hidden, I won't go into details on how I did that, several ways to do that, you can get pretty creative.

If someone steals my server, they need to know where I hid my USB, or they won't be able to get to any of the encrypted datasets.

[–] [email protected] 1 points 11 months ago

Windows does bitlocker and works pretty well. Depending on what you’re trying to do this may be a good solution.