Fellow selfhoster, do you encrypt your drives where you put data to avoid privacy problems in case of theft? If yes, how? How much does that impact performances? I selfhost (amongst other services) NextCloud where I keep my pictures, medical staff, …in short, private stuff and I know that it’s pretty difficult that a thief would steal my server, buuut, you never know! 🤷🏻♂️
I encrypt devices that are portable. If someone raids my house I have bigger fish to fry.
If someone raids my house I have bigger fish to fry. Sure, but if it’s “free”, why not do it? My main worry was about performances, but since I’ve read that with AES-NI it doesn’t impact that much and since it seems not to be that complicated (let’s hope! 😁).
Have you tried secure-erasing a disk?
Absolutely yes, I do enctypt my drives so I don’t have to ever do that again. This isn’t as critical for SSDs but it’s still a good idea. Even if you keep the key stored on the same system, securely deleting a tiny file is way easier than a whole disk.
Have you tried secure-erasing a disk?
Once /dev/urandom is enough. Who cares if a state actor could theoretically recover your media library in an expensive lab.
Even that takes a while.
And it has other benefits. For example a dying disk. You can just throw that out. I once tried to wipe such a disk and it’s a chore. It makes weird clicking noises and slows down to the point where it’d take years to overwrite it. Occasionally the SATA controller resets etc. And it won’t succeed at overwriting stuff. Sure I could go to the garage, get the power tools, put the hdd into a vise and delete everything with a combination of hammer and drill… But it’s much more convenient to have it encrypted and not care.
You take the disk out, drill once through it (use a metal bit).
Done.
Takes a couple minutes.
Takes me about 2 seconds with a 5lb steel mallet.
Bold of you to assume sysadmins can wield a 5lb mallet. (I’m not completely sure what that is in real world weight, 2 ½ kg?).
Sure. It’s just effort. I have to go fetch the power tools, fetch the drills, if I want to do it correctly also mount a vise or go fetch a piece of scrap wood and some clamps… After that clean up and remove the metal chips from my apartment…
At work I’d additionally need 3 training courses to be allowed to operate the drill press and visit the workshop. The whole process is going to take half a year. And it’ll still not be certified that the information is now gone.
In an enterprise setting, it’s probably a bit of a hassle with everything having to follow some kind of process…
Somehow they don’t trust the software developers with operating heavy machinery 😆
Anyways, I think we’re moving away from the topic… At work I didn’t encrypt harddisks anyways. They just put the servers into a special area in the datacenter that has a fence and a separate lock.
At home I just encrypt stuff so I don’t have to remember what I put where and handle things differently. Of course everything depends on the specific scenario and threat model. I have a bit of stuff archived on my server that isn’t around anymore, could be a copyright violation. I also have my complete life stored there, documents, finances, emails of a decade, pictures, backups for family members, passwords for emergency access to things. Admin stuff and logfiles that I’m required by law (GDPR…) not to share. I also used to travel a lot with my laptop in the backpack and that can get stolen. At some point a long time ago I decided to encrypt my harddisks and stop worrying. Since at least 10 years there isn’t any speed penalty anymore and it takes like 20 seconds to set it up on Linux…
But I can also see why not everyone wants to do it this way.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters DNS Domain Name Service/System LVM (Linux) Logical Volume Manager for filesystem mapping MQTT Message Queue Telemetry Transport point-to-point networking NAS Network-Attached Storage NFS Network File System, a Unix-based file-sharing protocol known for performance and efficiency Plex Brand of media server package SATA Serial AT Attachment interface for mass storage SSD Solid State Drive mass storage SSH Secure Shell for remote terminal access VPS Virtual Private Server (opposed to shared hosting) ZFS Solaris/Linux filesystem focusing on data integrity Zigbee Wireless mesh network for low-power devices
12 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.
[Thread #686 for this sub, first seen 17th Apr 2024, 08:25] [FAQ] [Full list] [Contact] [Source code]
Yes of course, with dm-crypt (luks), very little as AES-NI is incredibly fast.
Do you insert the key/password manually every time (it’s a server, so not so many times, but could happen) you boot the server?
https://www.cyberciti.biz/security/how-to-unlock-luks-using-dropbear-ssh-keys-remotely-in-linux/
As mentioned in another comment I haven’t quite gotten it working but it should be possible to do this via SSH
No. I run my servers on low quality shit and I expect them to break any time. Never had to perform a data recovery but if I need, I’ll thank myself I didn’t encrypt my pics
Power user move!
I have two WebDAV shares, one unencrypted and one encrypted. The unencrypted one is for things that need to be read by other services, like legally obtained movies and tv shows. The encrypted one is for porn, mostly (also stuff like tax documents, legal contracts, etc).
This is the server I use
https://hub.docker.com/r/sciactive/nephele
It’s really easy to set it up for encryption. Also, I wrote it. :)
Do you honestly encrypt your porn? Why? (Assuming it’s legal)
Good question. I don’t have a clue either. It doesn’t contain any personal information. (Unless it’s self-made.) Usually isn’t unique. And nobody cares as there’s an abundance of porn available everywhere on the internet.
How are you certain all your porn is legal?
I think we both understand the intention behind my statement
On laptops yes, on my server no. Most of the data is photo backups and linux ISOs form over the years.
How do you even encrypt a server so that it doesn’t require human intervention every time it goes down/restarts?
TPM is a good way, Mine is setup to have encryption of / via TPM with luks so it can boot no issues, then actual sensitive data like the /home/my user is encrypted using my password and the backup system + fileserver is standard luks with password.
This setup allows for unassisted boot up of main systems (such as SSH) which let’s you sign in to manually unlock more sensative drives.
Isn’t that what a TPM could be used for?
i dunno is it? how to set that up?
I remember this blog post (I cannot find right now) where the person split the decryption password in two: half stored on the server itself and half on a different http server. And there was an init script which downloaded the second half to decrypt the drive. There is a small window of time between when you realize that the server is stolen and when you take off the other half of the password where an attacker could decrypt your data. But if you want to protect from random thieves this should be safe enough as long as the two servers are in different locations and not likely to be stolen toghether.
Files could be decrypted by the end user. The OS itself could remain unencrypted.
How do you even encrypt a server so that it doesn’t require human intervention every time it goes down/restarts?
The only time my Server goes down, is when i manually reboot it. So waiting a minute or two, to ssh into it and entering the passphrase is no inconvenience.
TPM, but it’s a pain in the ass and breaks a lot. The new version of Ubuntu should handle it better, but if you’re not on Ubuntu, that won’t help you.
TPM solves a sigthly different threat model: if you dispose the hd or if someone takes it out from your computer it is fully encrypted and safe. But if someone steals your whole server it can start and decrypt the drive. So you have to trust you have good passwords and protection for each service you run. depending on what you want to protect for this is either great solution or sub optimal
I’m too lazy to look up the details. But you can have a small ssh server running as part of initrd. I think it’s dropbear. I log into that and unlock the root drive from there.
Of course that necessitates an unencrypted /boot/.
Did it on Debian and it was relatively easy to set up.
I‘m in the process of setting up a new NAS with Debian and disk encryption, and this is exactly what I’m struggling with. I’ve tried multiple guides for Dropbear but every time I try to SSH into the server to unlock it, I get “Permission denied”.
I don’t reboot my server that often. But I think I use a dedicated port and key for it. I don’t use them anywhere else. Maybe the key has to be a specific format for Dropbear.
This answer here covers it quite nice imo.
Important is that you update your initramfs with the command after you edited the dropbear initramfs config and or you copied the key over.
For the client it is important to define 2 different known hosts files since the same host will have 2 different host keys, 1 when encrypted with dropbear, and 1 when operational with (usually) sshd.
Also you need to use root when you connect to your server to unlock it. No other user will work with the default setup.
I was actually using my own user account instead of root, but now that you mention it… I’m not sure how that would even work so yeah that makes sense.
I did rebuild the initramfs after every change but did not manually copy the key file anywhere other than etc.
Will check out the link tomorrow. Thanks a lot for sharing!
Edit: tried again with root and it worked flawlessly :D
Use Clevis either with TPM or Tang (remote server) https://github.com/latchset/clevis
I use full disk encryption for every server (and other computers).
Encrypting your data drives is a must for everyone imho. Encrypting the OS is a must for me🤷♂️
My PC weighs 80+ lbs, live 8km from town, surrounded by farm land and there are only 3,400 in town and I live 30 min from a city of 40,000 and 40 min from another city of 70,000 and my internet is 20/10 mbps
What’s your point?
I think he is saying that his physical attack surface is very small since he is remote, so maybe he doesn’t bother?
Either way, encrypting drives is simply always good if you ever resell the computer or upgrade drives.
FreeAin’t no one stealing my shit, even via internet to upload 40tb would take 1 year 5 days at max speed in actuality it would be 1 year 8 months… Fuck I miss my 1.5G fibre connection…
Always, if nothing else it makes “wiping” them securely easier.
I don’t do anything that warrants it, but if I did have sensitive data that I was worried about being stolen, those drives would be in a system completely cut off from the Internet to prevent remote theft, and encrypted in the event of a physical theft. If I was especially paranoid, I’d booby trap the drives to wipe themselves if they are tampered with.
I want to, but haven’t found the time to make a strategy on how to move over the data. It would take a bunch of shuffling as all drives are in use. The next problem is decrypting at boot and securely storing the decryption key - if I choose to use a decryption key at all. Maybe it’ll be a usb key that I have to plug into the server when starting it, or I have to setup decryption of the system over SSH, but that means automated restarts are… difficult.
Not sure how to tackle the problem yet…
I use separate disks for data storage and my OS. That way a headless system can boot and all the services like SSH can become available, and I can decrypt the data drives remotely.
When there’s an unexpected reboot I can still get into my system and decrypt remotely which is nice. I can also move the data storage disks to another system without too much hassle.
I did have to make sure some services were fault tolerant if an encrypted volume was unavailable when the OS booted. An example of this might be torrenting software, I needed to make sure the temporary storage was on an encrypted volume. The software had a sane fault mode when the final storage location was unavailable, but freaked out for some reason when the temp storage was missing.
Once set up the whole thing is pretty easy to manage.
I did have to make sure some services were fault tolerant if an encrypted volume was unavailable when the OS booted
How did you achieve that? systemd dependency?
I’m pretty sure I didn’t mess with systemd, though that would probably be the right way to handle it.
I was able to update a runtime config so if any storage wasn’t available it just halted the service. Then I created a short script I’d invoke manually which decrypted the luks drives and brought the dependent services up. I also added monitoring to alert me when the drives weren’t available for whatever reason.
on my NAS i do and work data as well.
Yes.
My home server has dropbear-initramfs installed so that after reboot I can access the LUKS decryption prompt over SSH. The one LUKS partition contains a btrfs filesystem with both rootfs and home as subvolumes. For all the other drives attached to that system, I use ZFS native encryption with a dataset that decrypts with a keyfile from that rootfs and I have backups of an encrypted copy of that keyfile.
I don’t think there’s a substantial performance impact but I’ve never bothered benchmarking.
No,
There is all the backup of all my family pictures in the drives.
If something happens to me I want to make due that they will have access to it.
