Guenther_Amanita@feddit.de to Linux@lemmy.ml · 1 year ago
How safe are my data if my hard drive isn't encrypted?
Guenther_Amanita@feddit.de (OP) · 1 year ago
Thanks a lot for your answer. How would you encrypt a server? Typing a password every time it boots isn’t possible for me, since I would need a monitor for my headless server.
vsis@feddit.cl · 1 year ago
That’s why it’s not always an option.
Some servers have some kind of remote console hardware, with their own security issues.
Your “threat model” is important too. Do you expect that server to get stolen? If it happens, is there critical data that should not leak?
Maybe you need to encrypt a directory, and not the whole drive.
Guenther_Amanita@feddit.de (OP) · 1 year ago
My threat model isn’t high. Just normal stuff everyone has, but that would be disadvantageous if someone else got them.
It’s more of a precautionary measure. It doesn’t have to be super safe, but better than nothing.
Ing0R@feddit.de · 1 year ago
You can use SSH for unlocking: https://www.cyberciti.biz/security/how-to-unlock-luks-using-dropbear-ssh-keys-remotely-in-linux/
wmassingham@lemmy.world · 1 year ago
Either self-encrypting drives (if you trust the OEM encryption) or auto-unlock with keys in the TPM: https://wiki.archlinux.org/title/Trusted_Platform_Module#Data-at-rest_encryption_with_LUKS