How safe are my data if my hard drive isn't encrypted?
@[email protected] to [email protected] • 1 year ago • feddit.de • 33 comments
@[email protected] (OP) • 1 year ago
Thanks a lot for your answer. How would you encrypt a server? Typing a password every time it boots isn’t possible for me, since I would need a monitor for my headless server.

@[email protected] • 1 year ago
That’s why it’s not always an option.
Some servers have some kind of remote console hardware, with their own security issues.
Your “threat model” is important too. Do you expect that server to get stolen? If it happens, is there critical data that should not leak?
Maybe you need to encrypt a directory, and not the whole drive.

@[email protected] (OP) • 1 year ago
My threat model isn’t high. Just normal stuff everyone has, but that would be disadvantageous if someone else got them.
It’s more of a precautionary measure. It doesn’t have to be super safe, but better than nothing.

@[email protected] • 1 year ago
You can use SSH for unlocking: https://www.cyberciti.biz/security/how-to-unlock-luks-using-dropbear-ssh-keys-remotely-in-linux/

@wmassingham • 1 year ago
Either self-encrypting drives (if you trust the OEM encryption) or auto-unlock with keys in the TPM: https://wiki.archlinux.org/title/Trusted_Platform_Module#Data-at-rest_encryption_with_LUKS