This is an automated archive.

The original was posted on /r/homelab by /u/AlpineGuy on 2024-01-24 10:44:33+00:00.

I am currently running my homelab / family server on a small micro PC (NUC clone) running Debian. The file system is currently unencryped. I want to encrypt at least the files that contain personal information (e.g. the data that belongs to Nextcloud and other services).

(Currently I am using Nextcloud’s own server side encryption, which is deprecated and has the keys lying next to the data, so not very secure. I want to get rid of this layer of encryption.)

Threat model: Theft or loss of my server, physical access, etc. I understand that encryption-at-rest won’t save me from hackers who gain access while the machine is running.

Options I am considering to achieve this:

• Create a gocryptfs encrypted folder, put the data there.

  • Pros: Easy.
  • Cons: Have to unlock every time after reboot and somehow prevent docker from running before I unlock.

• Create a file system container, i.e. a single file containing a dm-crypt/luks encrypted ext4 file system

  • Pros: Easy, but less easy than the one above.
  • Cons: same as above

• Create a VM with full disk encryption on its volume, e.g. Ubuntu.

  • Pros: Lots of advantages come with running a VM: I can transfer it to a new computer at some point in time, turn it off for maintenance, take snapshots. Might even be more secure against attacks via the network, as it’s an additional layer of security (but if someone manages to get into my VPN and SSH, one more layer of SSH probably won’t stop them).
  • Cons: More work to set up. Don’t know if the micro PC can handle the load.

• Full disk encryption of the main system: I am hesitant to go for full disk encryption on the main system… I simply don’t know how to do it without reinstalling everything. Also, the machine is headless and I would need some way to log in to unlock it (but I heard there are ways to do this). Seems too difficult at this point.

Which option is best? Are there other, better ways?