Conversation

Toke Høiland-Jørgensen

So apropos of nothing, how do y'all handle encryption at rest for your home server(s)?

I mean, I know how to set up full disk encryption, but how to provide the key? I'm talking about a headless setup on physical hardware, here.

My current solution is an initrd that spawns an SSH server and waits for me to manually login and supply the pass phrase on every boot. Which works, but it's kinda annoying, especially if there's a power failure while I'm somewhere I can't access SSH. Also, it kinda feels brittle (I keep fearing it won't come back up on the next reboot).

So does anyone have any better solutions?

#linux #security #encryption
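The manual "SSH into the initrd and type the passphrase" step described above can be driven from a trusted client instead, so a reboot after a power failure is recovered by a script rather than by someone being awake. The following is an added example, not code from the thread or from any of the participants. It assumes a Debian-style setup (dropbear-initramfs plus cryptsetup-initramfs) whose initramfs shell provides `cryptroot-unlock` and accepts the passphrase on stdin; the port, the known_hosts path and the `pass` command are illustrative. The security point it makes is that the initramfs SSH server has its own host key, distinct from the booted system's, so that key should be pinned separately and a mismatch must fail closed, because at unlock time the host key is the only thing authenticating the machine you are about to hand the passphrase to.

```shell
#!/bin/sh
# Added example (not from the thread): unlock a headless LUKS root over the
# initramfs SSH service from a trusted client machine.
# Assumptions: Debian-style dropbear-initramfs + cryptsetup-initramfs, an
# initramfs shell that offers `cryptroot-unlock` reading the passphrase from
# stdin; port, paths and the passphrase command are examples only.
set -u

# The initramfs sshd has its *own* host key, not the booted OS's. Keep it in
# a dedicated known_hosts file and never fall back to an interactive prompt:
# a mismatch here means you are about to give the passphrase to the wrong box.
INITRD_KNOWN_HOSTS="${INITRD_KNOWN_HOSTS:-$HOME/.ssh/known_hosts_initramfs}"

# Compose the ssh options for one unlock attempt. Kept as a pure function so
# the option set can be reviewed (and checked) without touching the network.
# Note: the result is word-split by the caller, so paths must not contain
# spaces (example assumption).
build_ssh_args() {
  host="$1"
  port="$2"
  known_hosts="$3"
  printf '%s' "-p $port -o UserKnownHostsFile=$known_hosts -o StrictHostKeyChecking=yes -o BatchMode=yes -o ConnectTimeout=5 root@$host"
}

# Refuse anything that does not look like a hostname and a TCP port before a
# passphrase is involved at all.
valid_target() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  case "$2" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$2" -ge 1 ] && [ "$2" -le 65535 ]
}

# Poll (bounded) until the initramfs sshd answers, then feed the passphrase
# from a command's stdout so it never appears in argv or in this file.
# Example: PASS_CMD='pass show servers/homeserver-luks' (assumed setup).
remote_unlock() {
  host="$1"
  port="$2"
  pass_cmd="$3"
  attempts="${4:-60}"
  valid_target "$host" "$port" || { echo "bad unlock target" >&2; return 2; }
  args=$(build_ssh_args "$host" "$port" "$INITRD_KNOWN_HOSTS")
  i=0
  while [ "$i" -lt "$attempts" ]; do
    # shellcheck disable=SC2086  # args is intentionally word-split
    if sh -c "$pass_cmd" | ssh $args cryptroot-unlock; then
      return 0
    fi
    i=$((i + 1))
    sleep 5
  done
  echo "gave up after $attempts attempts" >&2
  return 1
}

# Usage: HOST=homeserver PORT=22 PASS_CMD='pass show servers/homeserver-luks' sh unlock.sh
if [ -n "${HOST:-}" ]; then
  remote_unlock "$HOST" "${PORT:-22}" "${PASS_CMD:?set PASS_CMD}"
fi
```

Run it from a cron job or a systemd timer on a machine you already trust with the passphrase (it can also live on a small always-on box at the same site); the bounded retry loop covers the window between power coming back and the initrd's sshd listening. Seed `known_hosts_initramfs` once, from the console, with the key in `/etc/dropbear/initramfs/` (Debian's location) rather than on first connect.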

Toke Høiland-Jørgensen

@topher

What do you do currently?

Toke Høiland-Jørgensen

@thasl
Ah yes, I do actually have one of those lying around, unassembled (I forget which version). May be worth a shot, I suppose 🤔

What's your experience with it?

Toke Høiland-Jørgensen

@gd2
I was going to do TPM sealing on a recent install until I discovered that the server in question doesn't have a TPM chip.

That would definitely solve the "unattended" part (I think?), but would reduce the protection afforded by the encryption to making it easier to decommission the disks. Which I guess is the main benefit for an always-on server anyway?
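For the TPM-sealing route discussed above, the enrollment and the trade-off can be written down concretely. This is an added example, not code from the thread; it assumes a systemd-based initrd with `systemd-cryptenroll` available and a TPM 2.0 exposed as `/dev/tpmrm0`, and the volume name and UUID are placeholders. Binding the key to PCR 7 (the Secure Boot policy measurement) means the TPM releases it only while that firmware state is unchanged, but with no PIN the box still unlocks itself for whoever boots it intact, which is exactly the "protection reduces to easier decommissioning of the disks" point made in the post.

```shell
#!/bin/sh
# Added example (not from the thread): enrol a LUKS volume against the TPM
# for unattended unlock. Assumptions: systemd-cryptenroll present, a
# systemd-based initrd that honours crypttab's tpm2-device option, and a
# TPM 2.0 at /dev/tpmrm0. Device names, UUIDs and PCR choice are examples.
set -u

# Does this machine even have a TPM 2.0? (The poster's server did not.)
has_tpm2() {
  [ -c /dev/tpmrm0 ] || [ -c /dev/tpm0 ]
}

# Validate a '+'-separated PCR list such as "7" or "0+2+4+7" (PCRs 0..23).
valid_pcr_list() {
  case "$1" in
    ''|*[!0-9+]*|+*|*+|*++*) return 1 ;;
  esac
  old_ifs=$IFS
  IFS='+'
  set -- $1
  IFS=$old_ifs
  for p; do
    [ "$p" -le 23 ] || return 1
  done
  return 0
}

# /etc/crypttab line: the initrd asks the TPM first; because there is no
# tpm2-pin option here, unlock is fully unattended. The passphrase keyslot
# stays enrolled, so a console login still works if the TPM refuses.
crypttab_entry() {
  name="$1"
  uuid="$2"
  printf '%s UUID=%s none luks,discard,tpm2-device=auto\n' "$name" "$uuid"
}

# Enrol the volume. PCR 7 ties the sealed key to the Secure Boot policy
# state; pick additional PCRs only if you are prepared to re-enrol after
# firmware or bootloader updates change them.
enroll() {
  dev="$1"
  pcrs="$2"
  has_tpm2 || { echo "no TPM 2.0 device found" >&2; return 2; }
  valid_pcr_list "$pcrs" || { echo "bad PCR list: $pcrs" >&2; return 2; }
  systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$pcrs" "$dev"
}

# Usage (placeholders): ENROLL_DEV=/dev/sda2 PCRS=7 sh tpm-enrol.sh
if [ -n "${ENROLL_DEV:-}" ]; then
  enroll "$ENROLL_DEV" "${PCRS:-7}"
  crypttab_entry cryptroot "<UUID-OF-LUKS-VOLUME>"
fi
```

Whatever PCR set you choose, the threat model is the one stated in the post: a stolen or discarded disk is unreadable, while the intact server will hand its own data to anyone who boots it. If that is not acceptable, `systemd-cryptenroll` can also require a PIN alongside the TPM (`--tpm2-with-pin=yes`), at which point the unlock is no longer unattended.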