I’ve done a little research but curious about first hand experience.
I’ve got a little home server that is full disk encrypted with LUKS (+LVM, of course). It’s headless (no display, no keyboard, etc) and just lives attached to the back of my desk, out of the way.
If it gets rebooted due to a power outage, I can plug in a keyboard, wait long enough for it to get to the LUKS password prompt, enter password, hit enter, and assume it worked if I see the disk activity light blinking. Worst case scenario, I can move it to a monitor and plug it in to get display too.
Because lazy, I’d prefer to be able to enter the decrypt password remotely. “Dropbear” seems to be a common suggestion but I haven’t tried it yet.
So, asking for your experience or recommendations.
I’ll start. Recommendation #1 - get a UPS :D … But besides that.
Addendum: either way, I currently need to be home to do this because I access it remotely via tailscale along with my desktop. Since both are full disk encrypted, neither will boot to the point of starting tailscale without intervention. But, I might repurpose a nonencrypted RPi with SSHd to act as a “auto restarts with tailscale so I can SSH to it, then SSH to server to enter the LUKS password” jump point.
Same boat. I’m currently testing some unlock stuff out. I just got USB unlocks to work for Debian by following this: https://tqdev.com/2022-luks-with-usb-unlock
I load a USB with a keyfile, then read the keyfile during boot. If I don’t have the USB plugged in, I fall back to entering a passphrase. I have multiple LUKS encrypted disks and I don’t want to type out a long passphrase a bunch of times.
I briefly encountered dropbear during my research… but ended up following the USB path because it kinda seemed a little easier to setup. 🤷
Anyone have any thoughts on USB vs dropbear unlocks?
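The USB-keyfile-with-passphrase-fallback flow described in the post above, written out as a Debian crypttab keyscript. This is an added example, not code from the thread or from the tqdev article. Debian's cryptsetup runs the script named in crypttab's `keyscript=` option, reads the key from the script's stdout, and exports `CRYPTTAB_NAME` for the volume being unlocked. The stick label `LUKSKEY`, the file name `luks.key`, the mount point `/run/luks-usb` and the ten-second wait are placeholder assumptions; each can be overridden from the environment.

```shell
#!/bin/sh
# luks-usb-key: crypttab keyscript (added example, not from the thread).
# cryptsetup invokes it with CRYPTTAB_NAME set and reads the key from stdout.
# Placeholder assumptions: stick filesystem label LUKSKEY, key file luks.key
# at the root of that filesystem, mount point /run/luks-usb.

USB_LABEL="${USB_LABEL:-LUKSKEY}"
USB_KEYFILE="${USB_KEYFILE:-luks.key}"
USB_MNT="${USB_MNT:-/run/luks-usb}"
WAIT_SECS="${WAIT_SECS:-10}"
ASKPASS="${ASKPASS:-/lib/cryptsetup/askpass}"   # Debian's passphrase prompt helper

# Wait for /dev/disk/by-label/<label> to appear (udev may still be settling
# at early boot). Prints the device path; returns 1 on timeout.
wait_for_usb() {
  label="$1"; secs="$2"; i=0
  while [ "$i" -lt "$secs" ]; do
    if [ -b "/dev/disk/by-label/$label" ]; then
      echo "/dev/disk/by-label/$label"
      return 0
    fi
    sleep 1
    i=$((i + 1))
  done
  return 1
}

# Stream the key file to stdout if it is readable, otherwise fall back to the
# interactive prompt. The key is deliberately never captured in a shell
# variable: command substitution strips trailing newlines and cannot hold NUL
# bytes, both of which occur in a random binary key file. The chosen path is
# logged to stderr so the console shows which one ran.
key_from_file_or_prompt() {
  keyfile="$1"; name="$2"
  if [ -r "$keyfile" ]; then
    echo "luks-usb-key: unlocking $name with key file on USB" >&2
    cat "$keyfile"
  else
    echo "luks-usb-key: no USB key for $name, falling back to passphrase" >&2
    "$ASKPASS" "Unlocking $name (no USB key found), enter passphrase: "
  fi
}

main() {
  name="${CRYPTTAB_NAME:-unknown}"
  keyfile="$USB_MNT/$USB_KEYFILE"
  mounted=0
  if dev="$(wait_for_usb "$USB_LABEL" "$WAIT_SECS")"; then
    mkdir -p "$USB_MNT"
    # Read-only mount: the stick is only ever read, and a dirty FAT
    # filesystem on it must not be able to stall the boot.
    if mount -o ro "$dev" "$USB_MNT" 2>/dev/null; then
      mounted=1
    fi
  fi
  key_from_file_or_prompt "$keyfile" "$name"
  if [ "$mounted" -eq 1 ]; then
    umount "$USB_MNT"
  fi
}

# cryptsetup always sets CRYPTTAB_NAME; run by hand without it, the script
# only defines the functions above.
if [ -n "${CRYPTTAB_NAME:-}" ]; then
  main
fi
```

Wiring it in on Debian: install the script executable somewhere like `/usr/local/sbin/luks-usb-key`, reference it from each `/etc/crypttab` line (`nvme_crypt UUID=<luks-uuid> none luks,keyscript=/usr/local/sbin/luks-usb-key`), and run `update-initramfs -u`; the cryptsetup initramfs hook copies keyscripts named in crypttab into the initramfs. With several encrypted disks, every crypttab line gets its own invocation, so the same stick unlocks all of them. Two things worth checking before relying on it: unplug the stick and reboot once, so you know the passphrase fallback actually appears rather than discovering it during an outage, and remember that the key file on the stick is a full-strength LUKS key, so the stick has to be treated like the passphrase itself.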
I’d imagine that if you have physical access and don’t mind plugging in a USB then that’s the easier route.
My personal goal is to be able to unlock it remotely in two main scenarios:
Both of those situations lean towards a remote unlock with no USB. The first one is absolutely doable because I have local access and could plug a device in, it’s just awkward. On the second, physical access is impossible so it must be done remotely.
I mentioned it in another comment but the remote unlock while away from home presents extra challenges for me because I access my server externally via Tailscale. Since Tailscale isn’t available at boot (pre-decrypt), I’ll have to tailnet+ssh to another machine on the LAN (that doesn’t require a boot password/unlock) and then SSH from that machine to the server to enter the LUKS password to allow boot to continue. Sounds feasible, though perhaps a little clunky. That’s my current plan and hoping to try it out this weekend if time permits.
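The jump-host plan above (tailnet to a machine on the LAN, then SSH into the server's initramfs to unlock), written out for Debian's `dropbear-initramfs` package. This is an added example, not the poster's or the package's code. The jump host name `pi`, the server's LAN address `192.168.1.50`, the initramfs SSH port `2222`, the key path `~/.ssh/luks_unlock` and the config directory `/etc/dropbear/initramfs` are placeholder assumptions; the server side is run as root on the encrypted box after installing the package, the client side from the laptop.

```shell
#!/bin/sh
# Added example (not from the thread): dropbear-initramfs unlock via a LAN
# jump host. Placeholder names: jump host "pi" reachable over the tailnet,
# encrypted server 192.168.1.50, initramfs SSH port 2222, unlock key
# ~/.ssh/luks_unlock, config dir /etc/dropbear/initramfs.

# --- server side (root on the encrypted host, after: apt install dropbear-initramfs)

# Write dropbear's initramfs config into $confdir. Options: -I 180 drops idle
# sessions, -j/-k refuse local and remote port forwarding, -p sets the port,
# -s disables password logins so only the key below can get in.
write_dropbear_conf() {
  confdir="$1"; port="$2"; pubkey="$3"
  mkdir -p "$confdir"
  printf 'DROPBEAR_OPTIONS="-I 180 -j -k -p %s -s"\n' "$port" > "$confdir/dropbear.conf"
  # Forced command: this key can run cryptroot-unlock and nothing else, so a
  # stolen laptop key does not give a shell inside the initramfs.
  printf 'command="cryptroot-unlock",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
    "$pubkey" > "$confdir/authorized_keys"
  chmod 600 "$confdir/authorized_keys"
}

# --- client side (from the laptop, over the tailnet) ---------------------

# ssh options for the initramfs hop. The separate known_hosts file matters:
# the initramfs dropbear has its own host key, not the booted OS's sshd key,
# so sharing ~/.ssh/known_hosts would trigger "host identification has
# changed" warnings on every boot; the distinct port keeps the entries apart.
initramfs_ssh_opts() {
  jump="$1"; port="$2"; key="$3"
  printf '%s -o UserKnownHostsFile=%s -o IdentitiesOnly=yes -i %s -p %s' \
    "-o ProxyJump=$jump" "$HOME/.ssh/known_hosts.initramfs" "$key" "$port"
}

# Retry until the initramfs sshd answers (the box may still be in firmware
# or loading the initramfs), then run the unlock with a tty so the passphrase
# prompt works. ssh exits 255 only for its own connection failures; any other
# status came from cryptroot-unlock and is returned unchanged.
remote_unlock() {
  jump="$1"; host="$2"; port="$3"; key="$4"; tries="${5:-30}"
  opts="$(initramfs_ssh_opts "$jump" "$port" "$key")"
  i=0
  while :; do
    # shellcheck disable=SC2086  # $opts is meant to be word-split
    ssh $opts -o ConnectTimeout=5 -t "root@$host" cryptroot-unlock
    rc=$?
    if [ "$rc" -ne 255 ]; then
      return "$rc"
    fi
    i=$((i + 1))
    if [ "$i" -ge "$tries" ]; then
      echo "remote_unlock: $host:$port never answered" >&2
      return 255
    fi
    sleep 5
  done
}

# Typical run from the laptop once the server has rebooted:
#   remote_unlock pi 192.168.1.50 2222 ~/.ssh/luks_unlock
```

Two things the block does not do for you: the initramfs needs networking, which means an `ip=` setting on the kernel command line (`ip=dhcp`, or a static `ip=192.168.1.50::192.168.1.1:255.255.255.0:server:eth0:off` in `GRUB_CMDLINE_LINUX` in `/etc/default/grub`), followed by `update-initramfs -u` and `update-grub`; and the first connection will ask you to accept the initramfs host key into the new known_hosts file, so do that once while you are at home and can compare the fingerprint, not during an outage. The jump box itself (the unencrypted Pi) is now part of the unlock path, so the unlock key's only power on the server is running `cryptroot-unlock`, and the Pi only ever forwards the TCP connection.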
Ah, cool cool. Makes sense. Are you unlocking 1 disk or many disks with the dropbear setup?
Just one… For now :)
It’s a Lenovo Tiny refurb and came with a 1TB NVMe which is plenty for playing around but I’ll have to expand if I move my Jellyfin instance to it.