this post was submitted on 30 Nov 2023
46 points (92.6% liked)

Selfhosted

39435 readers
6 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

I feel super dumb right now.

I always thought, that all user data (/home/) are decently safe against physical access, as long as my user and root password is strong enough. If I just plug in the hard drive, nobody except the Super User has access to the data on it.

Well, the guys on the other community (Link) have shown me how wrong I've been.

All of my devices are securely encrypted. Well, all of them, except the most important one: my server, where all pictures, documents and other private stuff is stored.

Now, I'm afraid as hell that this will go wrong in the future. Imagine a vengeful ex girlfriend, a police raid, whatever.
It's just dumb from my side to secure everything except the one thing that would need it the most.

I've already done my homework, and encryption doesn't seem like a highly important topic in the selfhosting community, or on many servers else.
At least that's what I've got the feeling.

The most common argument I hear is "nobody will get physical access anyway, so I don't care".


Threat model and security measures

My threat model: not high. I don't do any illegal stuff and don't have any enemies. Still, I want everything at least somewhat secure.
If it only serves the purpose to annoy the intruder it's already enough.

The only thing that has online access is my Nextcloud (AIO from Docker), and that is already well secured against hacking attacks (password, 2FA, brute force protection, etc.).

It's also the only thing that is worth securing in my eyes.


Options for encryption

LUKS2 full disk

I would need to factory reset the whole server for that, which would be ... highly inconvenient for me. It took me quite a long time to get everything working, and I don't wanna loose my configuration.

Also, how should I access the device when I don't see anything? Is there a workaround or something when I want to reboot without a monitor and keyboard?

Only encrypt the home folder

Same problem as with FDE

Nextcloud server side encryption

That one isn't recommended from what I've read. It causes compatibility issues and an extreme hit on performance according to forums. Is this still correct?

Cryptomator (?)

Encrypting and decrypting with every up- and download sounds quite annoying. Wouldn't be my prefered method tbh.


What is your opinion on that topic? What would you recommend me?

Please remember, that I'm not that experienced as much, so please be patient with me 😬

all 29 comments
sorted by: hot top controversial new old
[–] [email protected] 33 points 1 year ago (3 children)

I would need to factory reset the whole server for that, which would be … highly inconvenient for me. It took me quite a long time to get everything working, and I don’t wanna loose my configuration.

This is your actual problem you need to solve. Reinstalling your server should be as convenient as installing a basic OS and running a configuration script. It needs to be reproducible and documented, not some mystery black box of subtle configurations you've forgotten about ages ago. A nice, idempotent configuration script is both convenient and a self-documenting system for tracking all the changes you've ever implemented on your server.

Once you can do that, adding whatever encryption you want is just a matter of finding the right sequence of commands, testing it (in another docker perhaps) and then running your configuration script to migrate your server into the desired state.

[–] [email protected] 7 points 1 year ago

I absolutely agree with this. If you cannot easily reproduce you configuration, all you are doing is pushing the problems down the line. Eventually, even simple things will get uncomfortable because it becomes uncomfortable to make. Better address the problem now while its still small

[–] onlinepersona 4 points 1 year ago (1 children)

I detect a NixOS shill πŸ˜›

Seriously though, if OP doesn't want to use another OS, I can recommend using Ansible.

[–] [email protected] 3 points 11 months ago (1 children)

Nah, I wanted to love NixOS, and granted it seems like a perfect fit for my recommendation, but a bunch of things about it rub me the wrong way. It's just not for me. I've always been most comfortable with Debian and that's what my setup script is designed for. Lots of apt.

[–] onlinepersona 1 points 11 months ago

Fair. NixOS isn't for everybody.

[–] Supermariofan67 12 points 1 year ago (1 children)

You can use cryptsetup-reencrypt to encrypt an existing disk in place with LUKS. Then you just have to modify the initramfs/bootloader/fstab to point to the new configuration. See https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encrypt_an_existing_unencrypted_file_system

[–] [email protected] 3 points 1 year ago

If that's not possible or desirable for whatever reason like not having other drives to backup the data to, there's some more options: if it's ext4 there's fscrypt which you can then just move the files to the encrypted folder, otherwise there's gocryptfs. In both cases you only need enough free space for a temporary copy of the biggest file.

[–] [email protected] 8 points 1 year ago* (last edited 1 year ago)

Encrypting your disk only provides at-rest protection, meaning there are entire swathes of physical attacks it provides zero protection against. Tons of stuff a malicious actor can do during runtime with physical access that you'd never notice. it quite literally only protects against thugs smashing your door in and physically walking away with the disk.

So if you've painted yourself into a corner with a baby's first config, what you can do to step up your level of data protection (until you can redo your setup properly) is creating an encrypted filesystem or filesystem image (use fallocate to create a large empty file, then connect it to a loopback device, encrypt with LUKS, and use it as a virtual filesystem), rsync your data directory to it, and then unlock/mount it at boot under the directory where Nextcloud is configured to store your data. It's god-awful, but this should be more or less transparent to Nextcloud if you do it right, and then at least your data directory gets at-rest encryption, and tbqh if someone is smash and grabbing your hard drive they are probably more interested in your data than they are your OS config.

I wouldn't say this is an acceptable or preferable alternative to FDE, but it sounds like you're still figuring out the best ways to set these things up, and this will get you more protection than none. But, realistically, you should probably not worry about it too much and should think about the security of your setup as a learning exercise/study in best practices.

[–] [email protected] 6 points 1 year ago

Full disk encryption. It wnt do anything if the server is powered on and they plug in a flash drive, but if it were to have the physical disks taken out or the server is powered down and moved.

Disable removable media. Might be able to do it in the bios, but I'd not, you should be able to in the OS.

Easiest one though is to lock the door to the room. Or to the rack if you have it in a rack.

[–] [email protected] 6 points 1 year ago* (last edited 1 year ago)

Luks full disk encryption and encrypted offsite backups. This protects from most common smash and grab scenario.

I had issues where system upgrades would loose encryption keys and full restore from backup was my only option. Nextcloud have issues with encryption, some features are not available if you enable it (don’t remember which ones now).

Generally speaking if someone has physical access to your system you’re screwed. There are many ways that physical access can be used to get access to your data including denying you access to your data.

[–] [email protected] 4 points 1 year ago (1 children)

I would need to factory reset the whole server for that, which would be … highly inconvenient for me. It took me quite a long time to get everything working, and I don’t wanna loose my configuration.

It sounds like your configuration is not sufficiently backed up.

Data you care about (that includes software configuration files) should be backed up at least three times on two different mediums with one copy being stored off-site (3-2-1 rule).

Also, how should I access the device when I don’t see anything? Is there a workaround or something when I want to reboot without a monitor and keyboard?

There are two ways that I have found for this:

  • Initrd SSH: Just run an sshd inside your initrd. After reboot, you connect from another machine and enter your decryption password through SSH.
  • TPM unlock & measured boot: You use a TPM to measure whether your bootloader, kernel, initrd are all valid and then the TPM releases the decryption key to the kernel; automatically unlocking LUKS.
[–] [email protected] 1 points 1 year ago (1 children)

It sounds like your configuration is not sufficiently backed up.

It is backed up. 1x per auto-backup (Borg, included in the AIO) and 2x on different external drives.
The setup isn't complicated too, basically barebones Debian with docker.

It's just that setting everything up (once) again is annoying and highly inconvenient.

But, thank you for your tips on the LUKS-stuff, I will consider it! πŸ™‚

[–] [email protected] 1 points 1 year ago

It’s just that setting everything up (once) again is annoying and highly inconvenient.

Why though? Have you ever tested your backup?

[–] [email protected] 4 points 1 year ago (1 children)

if you go down the luks route, an option to look at is Clevis/Tang for automatic unlocking on a trusted network. I have a tang server running in the cloud, firewalled to my home IP, so if my server reboots in my house, it auto unlocks, but if you steal it and try to turn it on anywhere else, it won't be able to auto unlock, and will require a password.

I should write that config up somewhere as a guide.

[–] [email protected] 1 points 1 year ago (1 children)

I would love to see how you've achieved that if you would. And thanks for the tip!

[–] [email protected] 2 points 1 year ago (1 children)

I had some spare time today, so I wrote it up on my website here

[–] [email protected] 2 points 11 months ago

Wow. Wonderful! Thanks a lot, it is clear and well written, and it's coming from someone having a fair share of technical writing done :) I'll try that in my spare time since it seems to fit a previous and long postponed security issue I have. Thanks again pal and take care :)

[–] [email protected] 3 points 1 year ago

Just put in another disk or create a new partition, encrypt it with LUKS, move your data there, mount it in the place where it was before. You'll have to SSH into the server and decrypt it after each reboot, but no pne will be able to plug in your disk or change boot parameters and just get in without the encryption password. It won't protect, however, against an attacker with frequent physical access who can manipulate the system and wait for you to type in the encryption password.

[–] [email protected] 0 points 1 year ago (2 children)

You best bet is not to use Nextcloud in the first place because it will eventually fuckup your data. Same goes for Cryptomator (just google it), it tends do lose files with long names or in folders with a large number of files. There are instances where the vault never opens again also.

A very important thing to consider is that whatever file backend you're using it should support inotify and fuse-based stuff doesn't support it. ecryptfs is a good option to encrypt the data, doesn't fail and it isn't fuse-based. It's old however and may not be supported by every system/kernel.

Why can't you just created a data partition and encrypt with LUKS? Not full disk, just your data partition? VeraCrypt is another option.

[–] [email protected] 4 points 1 year ago

I don't agree on hating on nextcloud, but moving that data to a luks partition could work.

[–] [email protected] 2 points 1 year ago (1 children)

I quite like your idea of just moving my data (not the other stuff) to another drive.

How can I decrypt my drive without a GUI, monitor or keyboard?

[–] [email protected] 1 points 1 year ago

SSH into the machine, type the password to unlock and start whatever services you need. If someone shuts it down they won't be able to get to the data then.

[–] [email protected] 0 points 1 year ago

I understand a complete server reset would be inconvenient.

I'm quite fond of veracrypt: It offers good encryption and is transparent when mounted.

You can create and mount a container file with veracrypt, copy your existing data in there and replace the original folders with appropriate symlinks. I think thats the best tradeoff for good protection and convenience