this post was submitted on 16 Apr 2024
90 points (97.9% liked)

Selfhosted

39435 readers
2 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Fellow selfhoster, do you encrypt your drives where you put data to avoid privacy problems in case of theft? If yes, how? How much does that impact performances? I selfhost (amongst other services) NextCloud where I keep my pictures, medical staff, ...in short, private stuff and I know that it's pretty difficult that a thief would steal my server, buuut, you never know! 🤷🏻‍♂️

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 10 points 7 months ago (1 children)

I'm too lazy to look up the details. But you can have a small ssh server running as part of initrd. I think it's dropbear. I log into that and unlock the root drive from there.

Of course that necessitates an unencrypted /boot/.

Did it on Debian and it was relatively easy to set up.

[–] [email protected] 1 points 7 months ago (2 children)

I‘m in the process of setting up a new NAS with Debian and disk encryption, and this is exactly what I’m struggling with. I’ve tried multiple guides for Dropbear but every time I try to SSH into the server to unlock it, I get “Permission denied”.

[–] [email protected] 3 points 7 months ago (1 children)

This answer here covers it quite nice imo.

https://unix.stackexchange.com/questions/5017/ssh-to-decrypt-encrypted-lvm-during-headless-server-boot

Important is that you update your initramfs with the command after you edited the dropbear initramfs config and or you copied the key over.

For the client it is important to define 2 different known hosts files since the same host will have 2 different host keys, 1 when encrypted with dropbear, and 1 when operational with (usually) sshd.

Also you need to use root when you connect to your server to unlock it. No other user will work with the default setup.

[–] [email protected] 2 points 7 months ago* (last edited 7 months ago)

I was actually using my own user account instead of root, but now that you mention it… I’m not sure how that would even work so yeah that makes sense.

I did rebuild the initramfs after every change but did not manually copy the key file anywhere other than etc.

Will check out the link tomorrow. Thanks a lot for sharing!

Edit: tried again with root and it worked flawlessly :D

[–] [email protected] 1 points 7 months ago

I don't reboot my server that often. But I think I use a dedicated port and key for it. I don't use them anywhere else. Maybe the key has to be a specific format for Dropbear.