Fellow selfhoster, do you encrypt your drives where you put data to avoid privacy problems in case of theft? If yes, how? How much does that impact performances? I selfhost (amongst other services) NextCloud where I keep my pictures, medical staff, …in short, private stuff and I know that it’s pretty difficult that a thief would steal my server, buuut, you never know! 🤷🏻♂️
Nope. This isn’t part of my threat model.
I don’t have sensitive data and stealing a drive would be inconvenient for a thief.
Yes of course, with dm-crypt (luks), very little as AES-NI is incredibly fast.
Do you insert the key/password manually every time (it’s a server, so not so many times, but could happen) you boot the server?
https://www.cyberciti.biz/security/how-to-unlock-luks-using-dropbear-ssh-keys-remotely-in-linux/
As mentioned in another comment I haven’t quite gotten it working but it should be possible to do this via SSH
No,
There is all the backup of all my family pictures in the drives.
If something happens to me I want to make due that they will have access to it.
Have you tried secure-erasing a disk?
Absolutely yes, I do enctypt my drives so I don’t have to ever do that again. This isn’t as critical for SSDs but it’s still a good idea. Even if you keep the key stored on the same system, securely deleting a tiny file is way easier than a whole disk.
Have you tried secure-erasing a disk?
Once /dev/urandom is enough. Who cares if a state actor could theoretically recover your media library in an expensive lab.
Even that takes a while.
And it has other benefits. For example a dying disk. You can just throw that out. I once tried to wipe such a disk and it’s a chore. It makes weird clicking noises and slows down to the point where it’d take years to overwrite it. Occasionally the SATA controller resets etc. And it won’t succeed at overwriting stuff. Sure I could go to the garage, get the power tools, put the hdd into a vise and delete everything with a combination of hammer and drill… But it’s much more convenient to have it encrypted and not care.
You take the disk out, drill once through it (use a metal bit).
Done.
Takes a couple minutes.
Takes me about 2 seconds with a 5lb steel mallet.
Bold of you to assume sysadmins can wield a 5lb mallet. (I’m not completely sure what that is in real world weight, 2 ½ kg?).
Sure. It’s just effort. I have to go fetch the power tools, fetch the drills, if I want to do it correctly also mount a vise or go fetch a piece of scrap wood and some clamps… After that clean up and remove the metal chips from my apartment…
At work I’d additionally need 3 training courses to be allowed to operate the drill press and visit the workshop. The whole process is going to take half a year. And it’ll still not be certified that the information is now gone.
In an enterprise setting, it’s probably a bit of a hassle with everything having to follow some kind of process…
Somehow they don’t trust the software developers with operating heavy machinery 😆
Anyways, I think we’re moving away from the topic… At work I didn’t encrypt harddisks anyways. They just put the servers into a special area in the datacenter that has a fence and a separate lock.
At home I just encrypt stuff so I don’t have to remember what I put where and handle things differently. Of course everything depends on the specific scenario and threat model. I have a bit of stuff archived on my server that isn’t around anymore, could be a copyright violation. I also have my complete life stored there, documents, finances, emails of a decade, pictures, backups for family members, passwords for emergency access to things. Admin stuff and logfiles that I’m required by law (GDPR…) not to share. I also used to travel a lot with my laptop in the backpack and that can get stolen. At some point a long time ago I decided to encrypt my harddisks and stop worrying. Since at least 10 years there isn’t any speed penalty anymore and it takes like 20 seconds to set it up on Linux…
But I can also see why not everyone wants to do it this way.
I keep my drives encrypted with a key currently hosted in my router hoping they wouldn’t steal that. I’m thinking of actually putting it to cloud so I can disable it remotely.
It was quite a ride to make everything work and I made a blog post explaining it so I remember what I did.
https://nowicki.io/self-hosting-lvm-raid1-with-key-over-ftp/
Interesting, thanks!
Always, if nothing else it makes “wiping” them securely easier.
I used to until I realized that I’ve got bigger threats to worry about.
And like someone else mentioned, if I have to do data recovery for some unknown reason I want to make sure the data’s not encrypted.
Why? If you store the key in your password manager shouldn’t be a problem to mount the drive on another PC, decrypt it and save data. Or am I missing something?
How do you even encrypt a server so that it doesn’t require human intervention every time it goes down/restarts?
Isn’t that what a TPM could be used for?
deleted by creator
Files could be decrypted by the end user. The OS itself could remain unencrypted.
I remember this blog post (I cannot find right now) where the person split the decryption password in two: half stored on the server itself and half on a different http server. And there was an init script which downloaded the second half to decrypt the drive. There is a small window of time between when you realize that the server is stolen and when you take off the other half of the password where an attacker could decrypt your data. But if you want to protect from random thieves this should be safe enough as long as the two servers are in different locations and not likely to be stolen toghether.
TPM, but it’s a pain in the ass and breaks a lot. The new version of Ubuntu should handle it better, but if you’re not on Ubuntu, that won’t help you.
TPM solves a sigthly different threat model: if you dispose the hd or if someone takes it out from your computer it is fully encrypted and safe. But if someone steals your whole server it can start and decrypt the drive. So you have to trust you have good passwords and protection for each service you run. depending on what you want to protect for this is either great solution or sub optimal
How do you even encrypt a server so that it doesn’t require human intervention every time it goes down/restarts?
The only time my Server goes down, is when i manually reboot it. So waiting a minute or two, to ssh into it and entering the passphrase is no inconvenience.
TPM is a good way, Mine is setup to have encryption of / via TPM with luks so it can boot no issues, then actual sensitive data like the /home/my user is encrypted using my password and the backup system + fileserver is standard luks with password.
This setup allows for unassisted boot up of main systems (such as SSH) which let’s you sign in to manually unlock more sensative drives.
I use full disk encryption for every server (and other computers).
Encrypting your data drives is a must for everyone imho. Encrypting the OS is a must for me🤷♂️
My PC weighs 80+ lbs, live 8km from town, surrounded by farm land and there are only 3,400 in town and I live 30 min from a city of 40,000 and 40 min from another city of 70,000 and my internet is 20/10 mbps
What’s your point?
FreeAin’t no one stealing my shit, even via internet to upload 40tb would take 1 year 5 days at max speed in actuality it would be 1 year 8 months… Fuck I miss my 1.5G fibre connection…
It’s a relatively low performance hit and it benefits me when having to replace a failing/old disk. I can just toss the drive without having to erase the data first, that is as long as the key is a secure length.
No. If someone gets to my server that’ll be the least of my worries.
In addition to “encryption at rest”, also consider that your devices might be exploited over the internet, so attackers may be able to access the decrypted state that way. To guard against that, you may wish to encrypt certain documents with an additional password, even if they are sitting on an encrypted file system.
Recall that within a month, the widely SSH was exploited and a backdoor added to every machine. I had upgraded to that SSH version. I didn’t run an SSH server on that box, but it goes to show that even those who take precautions can end up exploited!
That’s why I use most of the services via Wireguard (except Nextcloud that is behind Cloudflare and MQTTs that’s completely exposed)
Yes, all, no matter what data is, it’s not hard and doesn’t have any consequences, but protects from many inconvenient accidents
Yes.
I encrypt about everything. Laptop, server, backups, external hdds that are just for me. (Only thing I don’t encrypt is a VPS. It’s hosted on somebody else’s hardware and they’d be able to break the encryption anyways if they wanted.)
I just put LUKS on it before formatting a filesystem. For the OS I use the good old approach with LUKS and a LVM inside.
I mean if you don’t encrypt the backups, the encrytion of the system is kind of meaningless, isn’t it?
On laptops yes, on my server no. Most of the data is photo backups and linux ISOs form over the years.
