I’m trying to build a headless server that has sensitive data on it and needs full disk encryption. I want it protected from physical theft and as far as I can brainstorm, that means at boot, the storage has to be unlocked manually. I know I can do this with remote access through remote console IPMI board but was wondering if I’ve just missed a way to solve this problem without using extra hardware. Have any of you homelabbers dealt with this problem set without using IPMI cards?
You must log in or register to comment.
I do this with ZFS using a Keyfile and a script that runs at boot to unlock/mount.
I put the keyfiles on a USB drive. (Make sure you have backups!) This USB drive is hidden, I won’t go into details on how I did that, several ways to do that, you can get pretty creative.
If someone steals my server, they need to know where I hid my USB, or they won’t be able to get to any of the encrypted datasets.
If you use luks, you can just add dropbear to have a ssh-server running and enter your password there.
That sounds like exactly what fits my situation. Thanks!
Depends what you want to do, there are a few alternatives for luks. TPM, nbde server, dropbear-ssh, usb key, yubikey.
You can use any combination of the above with password being a fallback.
dropbear-ssh is what I’m looking for. thanks!
If someone physically has your disks unless you have on the drive encryption your fucked. Even then I dunno. If it was created by humans it can be cracked by humans.
Maybe better to move server to undisclosed location like a bank vault.
Windows does bitlocker and works pretty well. Depending on what you’re trying to do this may be a good solution.