I currently have a storage server with the following config.

Multiple raid6 volumes (mdadm) -> aggregated into a lvm volume group -> lvm volumes -> encrypted with luks1 -> (no partitioning) xfs file systems mounted and used by the os

I have the following criteria: I want to keep software raid (mdadm) with multiple raid sets, xfs, and lvm. I don’t mind using 2fa, but I don’t want to just store my secret keys on a dongle attached to my PC because that seems to defeat the point of encryption at rest.

My questions:

  1. Is there a better way to encrypt my data at rest?

  2. Is there a better layer at which to apply the encryption?

I’m mostly unhappy with luks1 over a whole lvm volume and looking for alternatives.

Thank you everyone for these great responses! I’ll be looking into these ideas :)

  • Max-P@lemmy.max-p.me
    link
    fedilink
    English
    arrow-up
    9
    ·
    11 months ago

    You can layer them however you want, so you can slap luks on the physical drives, or the mdraid, or the individual LVM volumes as you do right now. If the entire setup is either locked or unlocked, luks between the raid and LVM PV makes sense. Having luks on the individual LVs have the advantage that you can have your data partially unlocked.

    2FA is complicated. You can use a second factor like, you need to enter both a password and be in possession of the flash drive, but you can’t do it with the standard TOTP codes because you need the key to validate them in the first place.

    One thing you can explore is TPM: the computer can detect if it’s been tampered with, and if all checks out, it will unwrap the key. You can add a password or flash drive as a second factor. There’s also the whole smartcard rabbit hole.

    What exactly are you unsatisfied with? I think that’s a better starting point to advise on.

    • socphoenix@midwest.social
      link
      fedilink
      English
      arrow-up
      5
      ·
      11 months ago

      Second the key-password combo. It keeps the keys you have on the flash drive but adds a password component that thieves would need to figure out as well. Just make sure to pick a good password!

  • constantokra@lemmy.one
    link
    fedilink
    English
    arrow-up
    7
    ·
    11 months ago

    Encrypt the boot drive, and use dropbear ssh in initramfs to be able to unlock it over ssh during boot. Then set up your data drives however you want, and use a key file on your boot drive to unlock them, once you’ve unlocked it. All drives are encrypted when your machine is off, and you only need one password you can enter remotely to unlock the whole thing.

    Here’s a good resource on how to do the initramfs part https://www.arminpech.de/2019/12/23/debian-unlock-luks-root-partition-remotely-by-ssh-using-dropbear/

    Also, when you update the kernel you have to rebuild the initramfs with sudo update-initramfs -k all -u, or it won’t be able to boot to the new kernel.

    I’ve found it to be a super reliable setup.

    • ShortN0te
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      11 months ago

      Have not looked through the setup steps of that link, but using FDE with luks and remote ssh unlock for years and have not had any problems.

      Also, when you update the kernel you have to rebuild the initramfs with sudo update-initramfs -k all -u, or it won’t be able to boot to the new kernel.

      Shouldn’t that be automatically handled by apt? I dont remember that i have setup a hook for that and i never rebuild my initramfs manually.

      • constantokra@lemmy.one
        link
        fedilink
        English
        arrow-up
        1
        ·
        11 months ago

        I was a bit surprised at it as well, but it doesn’t for me running Debian headless. If I reboot after a kernel update it’ll try to boot into the new kernel and fail waiting for the initramfs, but it’ll boot just fine into the previous kernel. Once I update the initramfs it works fine.

        If you know what resources you used to set it up, I’d be curious to take a look and see if I missed something.

        • ShortN0te
          link
          fedilink
          English
          arrow-up
          2
          ·
          11 months ago

          Steps are basically not more then this (Can not find the original blog i followed but this is the small write up i have made years ago)

          • install dropbear
          • update config to your liking
          • copy public ssh keys over
          • run update-initramfs -u (has to be rerun on config change)
          • done (for the server part)

          For some reason i install busybox too in the personal write up. But i do not think it is necessary.

          • constantokra@lemmy.one
            link
            fedilink
            English
            arrow-up
            1
            ·
            11 months ago

            That’s basically the same as my writeup from when I did it. Except I also had a -k all on update-initramfs. Not sure about the switches, so I’ll look into them. Thanks.

  • Pumpkin Escobar@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    11 months ago

    TPM & secure boot. Look into sbctl for secure boot if you’re not on something that uses the signed shim like ubuntu. I know some hate secure boot but storing the unlock key in tpm is at least much more secure than having the key sitting on a usb drive

    Tang - network based unlock. If you have a separate raspberry pi or something you can set it up as a tang server. You’ll want that thing encrypted too, can set that up to require manual unlock so if someone boosts your servers the tang server never comes up, storage server won’t either

    Or just manually unlock the server with a password every boot?

    That’s roughly my prioritized/preferred list

  • Possibly linux@lemmy.zip
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    11 months ago

    First off if I remember correctly there was some people complaining they lost everything with XFS so be careful.

    Secondly, could you use a iSCI volume? It would limit it to your laptop only but you should be able to encrypt it all.

    The other option is to encrypt some sort of file that holds your data.