Fellow selfhoster, do you encrypt your drives where you put data to avoid privacy problems in case of theft? If yes, how? How much does that impact performances? I selfhost (amongst other services) NextCloud where I keep my pictures, medical staff, …in short, private stuff and I know that it’s pretty difficult that a thief would steal my server, buuut, you never know! 🤷🏻‍♂️

  • @[email protected]
    link
    fedilink
    English
    38 months ago

    I want to, but haven’t found the time to make a strategy on how to move over the data. It would take a bunch of shuffling as all drives are in use. The next problem is decrypting at boot and securely storing the decryption key - if I choose to use a decryption key at all. Maybe it’ll be a usb key that I have to plug into the server when starting it, or I have to setup decryption of the system over SSH, but that means automated restarts are… difficult.

    Not sure how to tackle the problem yet…

    • @rockstarmode
      link
      English
      18 months ago

      I use separate disks for data storage and my OS. That way a headless system can boot and all the services like SSH can become available, and I can decrypt the data drives remotely.

      When there’s an unexpected reboot I can still get into my system and decrypt remotely which is nice. I can also move the data storage disks to another system without too much hassle.

      I did have to make sure some services were fault tolerant if an encrypted volume was unavailable when the OS booted. An example of this might be torrenting software, I needed to make sure the temporary storage was on an encrypted volume. The software had a sane fault mode when the final storage location was unavailable, but freaked out for some reason when the temp storage was missing.

      Once set up the whole thing is pretty easy to manage.

        • @rockstarmode
          link
          English
          2
          edit-2
          8 months ago

          I’m pretty sure I didn’t mess with systemd, though that would probably be the right way to handle it.

          I was able to update a runtime config so if any storage wasn’t available it just halted the service. Then I created a short script I’d invoke manually which decrypted the luks drives and brought the dependent services up. I also added monitoring to alert me when the drives weren’t available for whatever reason.