I’ve done a little research but curious about first hand experience.
I’ve got a little home server that is full disk encrypted with LUKS (+LVM, of course). It’s headless (no display, no keyboard, etc) and just lives attached to the back of my desk, out of the way.
If it gets rebooted due to a power outage, I can plug in a keyboard, wait long enough for it to get to the LUKS password prompt, enter password, hit enter, and assume it worked if I see the disk activity light blinking. Worst case scenario, I can move it to a monitor and plug it in to get display too.
Because lazy, I’d prefer to be able to enter the decrypt password remotely. “Dropbear” seems to be a common suggestion but I haven’t tried it yet.
So, asking for your experience or recommendations.
I’ll start. Recommendation #1 - get a UPS : D … But besides that.
Addendum: either way, I currently need to be home to do this because I access it remotely via tailscale along with my desktop. Since both are full disk encrypted, neither will boot to the point of starting tailscale without intervention. But, I might repurpose a nonencrypted RPi with SSHd to act as a “auto restarts with tailscale so I can SSH to it, then SSH to server to enter the LUKS password” jump point.
I use dropbear in initramfs on my Debian server. Works great.
At home I have a cheap networked KVM because I also sometimes have hardware problems preventing a boot. Works really well. Cost 100 € and uses open source software. It’s called GL.iNet KVM.
Good to hear. This will be going on a Debian server too.
I just set up tailscale on the RPi that controls my printer so I’ve got a jump host on the LAN now… Just need to make time to setup dropbear (and keys) on the server.
Yes it’s not too much bother to set this up, it can be put into ansible and once working I’ve not had to touch it again. Here’s another dracut tool using dropbear that works well and has decent instructions on setup: dracut-crypt-ssh
The crypt-ssh dracut module allows remote unlocking of systems with full disk encryption via ssh
I think this is the first time I’ve heard of dracut. I’ll take a look - thanks for the info.
Interesting, I want to try some of these solutions.
I set up luks on some of my selfhosted virtualbox instances to protect against physical theft, but power issues cause all too frequent restarts that are a serious pain to physically access.
An ssh call in a script that could be remotely used to unlock and complete the boot would be so handy.
On my Debian systems I use mandos to unlock LUKS during boot. All done over WireGuard which is loaded inside initramfs.
This is interesting, another one I hadn’t heard of yet. And, the server is running Debian : )
I enjoy the intro too :
You know how it is. You’ve heard of it happening. The Man comes and takes away your servers, your friends’ servers, the servers of everybody in the same hosting facility. The servers of their neighbors, and their neighbors’ friends. The servers of people who owe them money. And like that, they’re gone. And you doubt you’ll ever see them again. That is why your servers have encrypted root file systems
Cool! I might install something like this someday.
Do you use secure boot? What device is your server? I would use my laptop for that, but not sure if that’s how it should work.
asking out of curiousity: what benefits does encryption have here?
as long the server runs everything is decrypted right? so you are encrypting for the case when someone actively steals your hardware?
edit: stealing as in taking away. but this would mean accessing during runtime is nonetheless possible in a decrypted way?
In addition to drives being safer to replace and sell, encryption at rest should also protect against theft. So the scenario being someone taking the server or its drives. At least for me encrypting the drives gives a bit more peace of mind seeing as credentials for various accounts aren’t easily retrieved from the disks.
But yeah, this does not protect from data being read at runtime
Exactly this. The chances of my server/drives getting stolen is extremely low but I like to take all the precautions I can even if it’s just an exercise in “I can, so I will”. That and the “peace of mind” you mentioned.
luks will also prevent or uphold the encryption if e.g. the power is pulled?
+this means that if someone breaks in, cuts the cables during running decrypted the data is still safe?
Yes, exactly
noice thanks.
I’ve recently upgraded my hard drives used for storage. and because I ain’t made of money, I wanted to sell the old drives.
shredding those things took ages (4 TB drives). lesson learned, new drives are btrfs + LUKS that gets unlocked via key file. so when the time comes to sell those, I won’t bother with shredding, just sell them as is.you mean that even if the next user formats it you make sure that leftovers/artefacts cannot be read right?
no, I mean the drive is encrypted and I don’t gotta bother with shred.
yah thats what i meant.
in a way.
I do LUKS over https right now. The secret is to pass keyfile for decrypt as sh script that calls curl and echos the passkey back.
https://nowicki.io/self-hosting-lvm-raid1-with-key-over-ftp/
+2 for dropbear. I use it on a VPS and my media server.
If you run a system that uses dracut to manage its initramfs, then https://github.com/gsauthof/dracut-sshd might be of use to you.
I have it setup on a server running Fedora and can’t complain. When the system reboots and plymouth shows the LUKS password prompt a ssh server is started in the background as well - so I can unlock the server either using keyboard or connect via SSH. When rebuilding the initramfs (eg. for a new kernel version) the ssh server is installed and setup automatically so I don’t really have to worry about anything after the initial setup.
+1
This is my setup as well, having a headless Fedora server, being able to unlock over SSH makes things a breeze.
I’m currently using a VPS that is secured by a LUKS encrypted root that gets unlocked via dropbear on boot. Can confirm, it works.
Same boat. I’m currently testing some unlock stuff out. I just got USB unlocks to work for Debian by following this: https://tqdev.com/2022-luks-with-usb-unlock
I load a USB with a keyfile, then read the keyfile during boot. If I don’t have the USB plugged in, I fallback to entering a passphrase. I have multiple LUKS encrypted disks and I don’t want to type out a long passphrase a bunch of times.
I briefly encountered dropbear during my research… but ended up following the USB path because it kinda seemed a little easier to setup. 🤷
Anyone have any thoughts on USB vs dropbear unlocks?
I’d imagine that if you have physical access and don’t mind plugging in a USB then that’s the easier route.
My personal goal is to be able to unlock it remotely in two main scenarios :
- I’m lazy and don’t want to have to awkwardly fumble at plugging in something. So, SSH to it from the same room and unlock it from my desktop.
- Server got rebooted while I’m away from home but I would really like it to be up and running again for something I need but I don’t have physical access at the time.
Both of those situations lean towards a remote unlock with no USB. The first one is absolutely doable because I have local access and could plug a device in, it’s just awkward. On the second, physical access is impossible so it must be done remotely.
I mentioned it in another comment but the remote unlock while away from home presents extra challenges for me because I access my server externally via Tailscale. Since Tailscale isn’t available at boot (pre-decrypt), then I’ll have to tailnet+ssh to another machine on the LAN (that doesn’t require a boot password/unlock) and then SSH from that machine to the server to enter the LUKS password to allow boot to continue. Sounds feasible, though perhaps a little clunky. That’s my current plan and hoping to try it out this weekend if time permits.
Ah, cool cool. Makes sense. Are you unlocking 1 disk or many disks with the dropbear setup?
Why not just try the common dropbear solution?
O, I fully intend to. Just wanted to ask for opinions who have done it or have tried other things while I’m sitting here waiting for an appointment.
Plus content… Lemmy… Engagement. If nobody posts then there’s nothing here
Thanks for this post. I’ve been vaguely thinking about something like this for some time, this is finally the kick I needed to actually look into it!
🫡 Thank you for your service.
I’ve used dropbear in the past and it always feels a little janky, but it works well.
@clif Not a remote option but you can use a FIDO2 device (e.g. yubikey) as an LUKS key, then you would just need to plug it in and hit the button.
Any guides you’d recommend to try this out?
I wouldn’t recommend it due to complexity, but clevis is a thing. It permits a machine to automatically unlock on boot when various environment conditions are met.
Sounds like something fun to research either way - thanks
Clevis with TPM+Tang is the most secure you’re going to get as far as automated unlocking goes.
Dropbear is still a thing, but going to be more problematic.
If I’m reading the docs correctly, Clevis can rely on a separate Tang server for retrieving the decryption key, right? So in that scenario I’d need to have another machine for Tang that can also auto-boot without entering a boot/LUKS password. Otherwise, if both machines (server+clevis and Tang server) were in the same room and restarted due to power loss, neither would be able to boot if both were encrypted… or did I misunderstand something important?
And I don’t think I actually want “automatic” unlocking. I just want to be perform the unlock (enter LUKS password) remotely. I realize that comes with manual intervention (entering the password remotely) but I’m okay with that. I should probably have clarified that by “home server” I mean a machine the serves nice to have stuff, nothing mission critical. Plus I’m really the only one who uses it currently so I’ll notice it’s down when something doesn’t work and can then initiate the remote unlock/boot : D
Clevis is interesting but I don’t think it matches my specific situation. Glad I know about it now though, thanks for the info.
If you just want to remotely interact with LUKS to unlock it, I think dropbear-initramfs module is your only option.
Clevis+Tang is essentially the same thing but automatic, and yes it does require a separate machine and network access to that machine.
Great, thanks for checking my understanding of it.
+1 for Clevis. I’ve been using it on my laptop for a year and it works like a charm. Sometimes, you need to update bindings after kernel updates, but it’s overall quite smooth.
