Fellow selfhoster, do you encrypt your drives where you put data to avoid privacy problems in case of theft? If yes, how? How much does that impact performances? I selfhost (amongst other services) NextCloud where I keep my pictures, medical staff, …in short, private stuff and I know that it’s pretty difficult that a thief would steal my server, buuut, you never know! 🤷🏻‍♂️

  • Björn Tantau@swg-empire.de
    link
    fedilink
    English
    arrow-up
    9
    ·
    7 months ago

    I’m too lazy to look up the details. But you can have a small ssh server running as part of initrd. I think it’s dropbear. I log into that and unlock the root drive from there.

    Of course that necessitates an unencrypted /boot/.

    Did it on Debian and it was relatively easy to set up.

    • Akinzekeel@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      7 months ago

      I‘m in the process of setting up a new NAS with Debian and disk encryption, and this is exactly what I’m struggling with. I’ve tried multiple guides for Dropbear but every time I try to SSH into the server to unlock it, I get “Permission denied”.

      • ShortN0te@lemmy.ml
        link
        fedilink
        English
        arrow-up
        3
        ·
        7 months ago

        This answer here covers it quite nice imo.

        https://unix.stackexchange.com/questions/5017/ssh-to-decrypt-encrypted-lvm-during-headless-server-boot

        Important is that you update your initramfs with the command after you edited the dropbear initramfs config and or you copied the key over.

        For the client it is important to define 2 different known hosts files since the same host will have 2 different host keys, 1 when encrypted with dropbear, and 1 when operational with (usually) sshd.

        Also you need to use root when you connect to your server to unlock it. No other user will work with the default setup.

        • Akinzekeel@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          7 months ago

          I was actually using my own user account instead of root, but now that you mention it… I’m not sure how that would even work so yeah that makes sense.

          I did rebuild the initramfs after every change but did not manually copy the key file anywhere other than etc.

          Will check out the link tomorrow. Thanks a lot for sharing!

          Edit: tried again with root and it worked flawlessly :D

      • Björn Tantau@swg-empire.de
        link
        fedilink
        English
        arrow-up
        1
        ·
        7 months ago

        I don’t reboot my server that often. But I think I use a dedicated port and key for it. I don’t use them anywhere else. Maybe the key has to be a specific format for Dropbear.