I’ve done a little research but curious about first hand experience.

I’ve got a little home server that is full disk encrypted with LUKS (+LVM, of course). It’s headless (no display, no keyboard, etc) and just lives attached to the back of my desk, out of the way.

If it gets rebooted due to a power outage, I can plug in a keyboard, wait long enough for it to get to the LUKS password prompt, enter password, hit enter, and assume it worked if I see the disk activity light blinking. Worst case scenario, I can move it to a monitor and plug it in to get display too.

Because lazy, I’d prefer to be able to enter the decrypt password remotely. “Dropbear” seems to be a common suggestion but I haven’t tried it yet.

So, asking for your experience or recommendations.

I’ll start. Recommendation #1 - get a UPS : D … But besides that.

Addendum: either way, I currently need to be home to do this because I access it remotely via tailscale along with my desktop. Since both are full disk encrypted, neither will boot to the point of starting tailscale without intervention. But, I might repurpose a nonencrypted RPi with SSHd to act as a “auto restarts with tailscale so I can SSH to it, then SSH to server to enter the LUKS password” jump point.

  • clif@lemmy.worldOP
    link
    fedilink
    arrow-up
    1
    ·
    9 days ago

    I’d imagine that if you have physical access and don’t mind plugging in a USB then that’s the easier route.

    My personal goal is to be able to unlock it remotely in two main scenarios :

    1. I’m lazy and don’t want to have to awkwardly fumble at plugging in something. So, SSH to it from the same room and unlock it from my desktop.
    2. Server got rebooted while I’m away from home but I would really like it to be up and running again for something I need but I don’t have physical access at the time.

    Both of those situations lean towards a remote unlock with no USB. The first one is absolutely doable because I have local access and could plug a device in, it’s just awkward. On the second, physical access is impossible so it must be done remotely.

    I mentioned it in another comment but the remote unlock while away from home presents extra challenges for me because I access my server externally via Tailscale. Since Tailscale isn’t available at boot (pre-decrypt), then I’ll have to tailnet+ssh to another machine on the LAN (that doesn’t require a boot password/unlock) and then SSH from that machine to the server to enter the LUKS password to allow boot to continue. Sounds feasible, though perhaps a little clunky. That’s my current plan and hoping to try it out this weekend if time permits.

    • paequ2@lemmy.today
      link
      fedilink
      English
      arrow-up
      2
      ·
      9 days ago

      Ah, cool cool. Makes sense. Are you unlocking 1 disk or many disks with the dropbear setup?

      • clif@lemmy.worldOP
        link
        fedilink
        arrow-up
        1
        ·
        9 days ago

        Just one… For now :)

        It’s a Lenovo Tiny refurb and came with a 1TB NVMe which is plenty for playing around but I’ll have to expand if I move my Jellyfin instance to it.

        • paequ2@lemmy.today
          link
          fedilink
          arrow-up
          2
          ·
          8 days ago

          Ah, nice ok. Your post got me to look at dropbear a little more closely, but since I got a bunch of disks, I think USB unlock makes more sense in my setup. I’m using a keyfile on the USB to unlock a bunch of disks on boot. But if I only had one, then dropbear would be more doable for me.

          Neat! Interesting post!