I’m trying to build a headless server that has sensitive data on it and needs full disk encryption. I want it protected from physical theft and as far as I can brainstorm, that means at boot, the storage has to be unlocked manually. I know I can do this with remote access through remote console IPMI board but was wondering if I’ve just missed a way to solve this problem without using extra hardware. Have any of you homelabbers dealt with this problem set without using IPMI cards?

  • Fififaggetti@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    If someone physically has your disks unless you have on the drive encryption your fucked. Even then I dunno. If it was created by humans it can be cracked by humans.

    Maybe better to move server to undisclosed location like a bank vault.

  • HITACHIMAGICWANDS@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Windows does bitlocker and works pretty well. Depending on what you’re trying to do this may be a good solution.

  • SamSausages@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I do this with ZFS using a Keyfile and a script that runs at boot to unlock/mount.

    I put the keyfiles on a USB drive. (Make sure you have backups!) This USB drive is hidden, I won’t go into details on how I did that, several ways to do that, you can get pretty creative.

    If someone steals my server, they need to know where I hid my USB, or they won’t be able to get to any of the encrypted datasets.

  • roiki11@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Depends what you want to do, there are a few alternatives for luks. TPM, nbde server, dropbear-ssh, usb key, yubikey.

    You can use any combination of the above with password being a fallback.

  • Eldiabolo18@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    If you use luks, you can just add dropbear to have a ssh-server running and enter your password there.