Fellow selfhoster, do you encrypt your drives where you put data to avoid privacy problems in case of theft? If yes, how? How much does that impact performances? I selfhost (amongst other services) NextCloud where I keep my pictures, medical staff, …in short, private stuff and I know that it’s pretty difficult that a thief would steal my server, buuut, you never know! 🤷🏻‍♂️

  • @rockstarmode
    link
    English
    18 months ago

    I use separate disks for data storage and my OS. That way a headless system can boot and all the services like SSH can become available, and I can decrypt the data drives remotely.

    When there’s an unexpected reboot I can still get into my system and decrypt remotely which is nice. I can also move the data storage disks to another system without too much hassle.

    I did have to make sure some services were fault tolerant if an encrypted volume was unavailable when the OS booted. An example of this might be torrenting software, I needed to make sure the temporary storage was on an encrypted volume. The software had a sane fault mode when the final storage location was unavailable, but freaked out for some reason when the temp storage was missing.

    Once set up the whole thing is pretty easy to manage.

      • @rockstarmode
        link
        English
        2
        edit-2
        8 months ago

        I’m pretty sure I didn’t mess with systemd, though that would probably be the right way to handle it.

        I was able to update a runtime config so if any storage wasn’t available it just halted the service. Then I created a short script I’d invoke manually which decrypted the luks drives and brought the dependent services up. I also added monitoring to alert me when the drives weren’t available for whatever reason.