I made this post:

And got removed for:

I did ask the mods about why they think the post is off topic, but no reply so far. I do feel that there may be some error or miscommunication; otherwise I am not sure how asking how others deal with operational matters is off topic for the selfhosting com.
So rule 3 in the second part asks to note how it relates to self-hosting.
I thought your post did exactly that, personally.
The only one who can answer this is the mod who removed it, as it seemed entirely on topic for the community.
kinda reads CLM to me. like maybe this mod doesn’t have the digital literacy required to moderate a selfhosting community
Yeah, I’m really not sure where their head was at on this. I’d have to lean CLM on this too.
To answer your question, security is always a tradeoff with convenience.
One way you could leverage LUKS while having it auto-reboot unattended would be to auto-unlock the volume by using the TPM module.
That way if someone attempts to extract the server’s data by putting the drive in another system, the data will at least be encrypted at rest.
I wonder if it’s because LUKS encryption is not specifically related to self hosting in general, but more of a c/privacy thing? But I’m just having a guess. And I think your question is valid, because many self hosters will obviously be interested in how to do self-hosting in a privacy-conscious way. I’d say CLM based on available info.
I rule Clueless Mod as well. To be fair, they’re usually doing a very good job in that community.
I’ve used a Dropbear SSH server in the initramfs for a while to unlock my server:
- https://wiki.archlinux.org/title/Dm-crypt/Specialties#Remote_unlocking_of_root_(or_other)_partition
- https://wiki.ubuntuusers.de/Verschlüsseltes_System_via_SSH_freischalten/ (German)
Other possibilities include using the TPM module, a USB flash drive with a keyfile on it… A KVM / remote management module which is part of server and enterprise hardware anyway…
The latter is probably the easiest and most reliable solution.
There are good use cases for encryption on servers. Especially if other people have physical access to the location. Or it’s at home and a robber could steal it. Or you’d need a kill-switch to just turn it off and the encryption at rest kicks in… You don’t need to overwrite the hard disk several times on replacement, or whip out the power tools to drill holes in it once it’s e-waste. And I have a lot of personal data on my server. Emails, my phone and laptop sync to it so there’s all my private photos, scans of paperwork and half of my life stored on the NAS. So of course I’m going to protect that. And of course it’s related to selfhosting because we have all kinds of sensitive information stored on selfhosted servers.
I’m strongly considering the drop bear because it sounds cool.
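
The unlock options raised in the thread (TPM, keyfile, or a passphrase typed over Dropbear or a KVM) can be checked against what a server is actually configured to do. The following is an added example, not code from any commenter: it classifies crypttab entries by unlock method, assuming the crypttab(5) field layout with systemd's `tpm2-device=` and Debian's `keyscript=` options; the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Report how each crypttab entry is unlocked and whether an unattended
# reboot would bring it back without someone typing a passphrase.
# Field layout per crypttab(5): name  device  keyfile  options

classify_entry() {
    # $1 = keyfile field, $2 = comma-separated options field
    case ",$2," in
        *,tpm2-device=*) echo "tpm2"; return ;;
        *,keyscript=*)   echo "keyscript"; return ;;
    esac
    case "$1" in
        none|-|"") echo "passphrase" ;;
        *)         echo "keyfile" ;;
    esac
}

audit_crypttab() {
    # Reads crypttab content on stdin, prints "name method mode" per entry.
    while read -r ct_name ct_dev ct_key ct_opts; do
        case "$ct_name" in ''|'#'*) continue ;; esac   # skip blanks/comments
        method=$(classify_entry "$ct_key" "$ct_opts")
        case "$method" in
            passphrase) mode="interactive" ;;   # needs console, Dropbear or KVM
            *)          mode="unattended" ;;
        esac
        printf '%s %s %s\n' "$ct_name" "$method" "$mode"
    done
}

sample_crypttab() {
    # Constructed sample input; the UUIDs are placeholders.
    cat <<'EOF'
# name   device                                     keyfile             options
root     UUID=00000000-0000-0000-0000-000000000001  none                luks,tpm2-device=auto,tpm2-pcrs=7
data     UUID=00000000-0000-0000-0000-000000000002  /etc/keys/data.key  luks
backup   UUID=00000000-0000-0000-0000-000000000003  none                luks
EOF
}

sample_crypttab | audit_crypttab
```

On a real host, feed it the live file with `audit_crypttab < /etc/crypttab`. An entry reported as `keyfile` only protects data at rest if the keyfile is stored somewhere other than the disk it unlocks.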





