Richard Freeman wrote:
> On 5/16/2025 12:59 PM, whiteman808 wrote:
>> Hello,
>>
>> Are there any advantages from putting Linux on encrypted root at bare
>> metal server if I often access remotely server from ssh, and
>> sometimes need to reboot it? What about key supplied during unlocking
>> server after reboot or manually power on? Giving remotely password
>> doesn't seem safe to me.
>>
>> I want to protect against burglary and I'm not sure whether doing
>> full disk encryption is a right way to go. Maybe should I just
>> instead of trying to focus on the software side try to take more care
>> of physical security?
>>
> Burglary is a difficult use case to protect against, because as you
> point out you need to provide the key somehow at boot. There are
> TPM-based approaches that are not well-supported on Linux distros
> which try to ensure that the key is only readable if the disk is
> booted normally, but you're still vulnerable to any physical access OS
> vulnerability.
>
> I run servers with full disk encryption on SOME of my storage, but not
> the OS drives. I store the key in a file on the OS drive. This
> obviously provides no security against burglary, but the benefit is
> that when a disk with sensitive data fails it is encrypted with a
> strong key (no memorable passphrase). You need both the OS disk and
> the encrypted disk to read anything sensitive, so I can just toss the
> failed disk in the trash. This also allows unattended boot.
>
> Another approach you could consider is putting the key on another host
> available over the network. Your initramfs/etc could use a credential
> stored on it to access the remote host and retrieve the disk key. The
> remote host could be a Pi hidden someplace non-obvious. Then if the
> host is stolen and not kept powered on continuously (i.e. not a
> sophisticated attacker) the disk won't be readable, but it would boot
> just fine as long as it is attached to your LAN.
>
> There might be some other variations on a theme like that using some
> sort of credential vault software. Approaches like that could also be
> used to remotely disable the device if you can't access it - the
> credential vault could be told to not provide the key any longer.
>
> In any case there are definitely use-cases for full disk encryption
> that still add value even if it isn't as secure as having to remember
> a LUKS key on boot.
>

That is what I do. My OS is on plain file systems and can boot without me
doing anything. Won't help if someone breaks into my house and steals the
puter tho. My data is encrypted until I type in the password. I even have
/home on a plain file system, so I can log in to the GUI.

OP: I've read, never did this tho, that some laptops require a password to
even start booting. Some Linux users even have other things, like an init
thingy, that requires a password to boot, likely to access root file
system. Basically, everything is password protected. If someone steals the
laptop, well, unless they can reset everything and reinstall a new OS, it's
pretty worthless. The data is secure tho.

You may want to look at how people set up their laptops to prevent theft
and see if that would work in your case. Really, that's kinda what you want
to accomplish even tho it is a desktop and not so easy to carry off.

I've also read that some super secret gov't laptops have a lot of security
built in. That may be something else you can look into if you really want
to lock down a puter and your BIOS supports that sort of security level.

Just a couple thoughts that may help.

Dale

:-) :-)
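
The keyfile-on-the-OS-drive setup described in the quoted reply (a strong random key for the data disk, unattended boot), as an added example that is not part of the original thread. It assumes a system that reads /etc/crypttab; the volume name, UUID, device and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: keyfile-based unlock for a data disk (not the OS disk).
# Names, paths and the UUID used with these functions are placeholders.

# Create a 64-byte random keyfile that only its owner can read.
make_keyfile() {
    keyfile=$1
    # umask in a subshell so the file is never group/world readable,
    # not even between creation and chmod.
    ( umask 077 && head -c 64 /dev/urandom > "$keyfile" ) || return 1
    chmod 0400 "$keyfile"
}

# Refuse keyfiles that are too short or readable by group/other.
check_keyfile() {
    keyfile=$1
    [ -f "$keyfile" ] || { echo "missing: $keyfile" >&2; return 1; }
    size=$(wc -c < "$keyfile" | tr -d ' ')
    mode=$(stat -c %a "$keyfile")
    [ "$size" -ge 32 ] || { echo "keyfile too short: $size bytes" >&2; return 1; }
    case $mode in
        400|600) return 0 ;;
        *) echo "keyfile mode $mode is too permissive" >&2; return 1 ;;
    esac
}

# Emit the /etc/crypttab line: <name> <device> <keyfile> <options>
crypttab_line() {
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# Enrolling the keyfile on a real device needs root and is not run here:
#   cryptsetup luksFormat /dev/sdX "$keyfile"   # new volume keyed by the file
#   cryptsetup luksAddKey /dev/sdX "$keyfile"   # or add it to an existing volume
```

As the quoted reply says, this protects a discarded or failed data disk, not a machine stolen together with its OS drive.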