Dedicated Servers: Encrypt drives without KVM/IPMI access
This should be a good tutorial for users who own a dedicated server and want to encrypt the HDDs/SSDs in it without having KVM/IPMI attached:
https://jkraemer.net/2018/04/fully-encrypted-headless-debian-stretch-setup
Archive link: https://archive.fo/xHJXw
Works great on Hetzner and should also work at other providers, if you have access to a rescue system or can boot a rescue ISO.
Comments
Nice guide.
But with a caveat: availability. If the server reboots for whatever reason, one has to connect via SSH to enter the password to bring up the encrypted partition.
I'd suggest having good server monitoring to always (say every 5 min) know whether it's up and running.
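One way to do the monitoring suggested in this comment, written as an added example that is neither from the thread nor from the linked tutorial: a probe that connects to the server's SSH port and reads the SSH identification banner. It assumes the layout used by the linked guide, where a dropbear SSH server inside the initramfs answers until the passphrase is entered and the regular OpenSSH daemon takes over afterwards, so the banner tells you which of the two states the host is in. If the running system also used dropbear as its SSH daemon, this heuristic could not tell the states apart. The host name, port and the sample banners are constructed placeholders.

```python
"""Poll a headless LUKS server and report whether it is waiting for its passphrase.

Assumption (not stated in the thread): the initramfs runs dropbear and the
booted system runs OpenSSH, so the SSH banner distinguishes the two states.
"""
import socket
import time

# Constructed sample banners in the usual "SSH-2.0-<software>" shape; not captured
# from any real host.
SAMPLE_INITRAMFS_BANNER = b"SSH-2.0-dropbear_2019.78\r\n"
SAMPLE_SYSTEM_BANNER = b"SSH-2.0-OpenSSH_7.9p1 Debian-10\r\n"

# Possible host states reported by the probe.
STATE_AWAITING_UNLOCK = "awaiting-unlock"  # initramfs SSH is up, LUKS not yet opened
STATE_UNLOCKED = "unlocked"                # full system booted, OpenSSH answering
STATE_DOWN = "down"                        # nothing answered on the SSH port
STATE_UNKNOWN = "unknown"                  # answered, but not a banner we recognise


def classify_banner(banner: bytes) -> str:
    """Map an SSH identification string to one of the states above."""
    text = banner.decode("ascii", errors="replace").strip()
    if not text.startswith("SSH-"):
        return STATE_UNKNOWN
    lower = text.lower()
    if "dropbear" in lower:
        # Assumption: dropbear only runs in the initramfs on this host.
        return STATE_AWAITING_UNLOCK
    if "openssh" in lower:
        return STATE_UNLOCKED
    return STATE_UNKNOWN


def probe(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Connect to host:port, read the banner and classify it; 'down' on any error."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            banner = sock.recv(256)
    except (OSError, socket.timeout):
        return STATE_DOWN
    if not banner:
        return STATE_DOWN
    return classify_banner(banner)


def alert_for_transition(previous: str, current: str):
    """Return an alert message only when the state changes into a bad one.

    Going down or landing in the initramfs unlock prompt needs a human; a
    transition back to 'unlocked' is reported as recovery; no change means no alert.
    """
    if previous == current:
        return None
    if current == STATE_AWAITING_UNLOCK:
        return "server rebooted and is waiting for the LUKS passphrase"
    if current == STATE_DOWN:
        return "server is not answering on its SSH port"
    if current == STATE_UNLOCKED:
        return "server is back up with the encrypted volume open"
    return "server answered with an unrecognised banner"


def watch(host: str, port: int = 22, interval: float = 300.0, rounds=None):
    """Poll every `interval` seconds (5 min by default, as the comment suggests).

    `rounds` limits the number of polls so the loop can be driven from a test;
    None means poll forever.
    """
    previous = None
    done = 0
    while rounds is None or done < rounds:
        current = probe(host, port)
        message = alert_for_transition(previous, current)
        if message is not None:
            print(time.strftime("%Y-%m-%dT%H:%M:%S"), message)
        previous = current
        done += 1
        if rounds is None or done < rounds:
            time.sleep(interval)
    return previous


if __name__ == "__main__":
    # Placeholder host name and port; match them to your own initramfs SSH config.
    watch("server.example.invalid", port=22, interval=300.0)
```

If your initramfs SSH server listens on a different port from the booted system's daemon, probe both ports and treat "initramfs port answers, system port does not" as the unlock state; the banner check then serves as a second confirmation rather than the only signal.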
Sure, that's a downside - but for me, the additional layer of security is worth it. For example, if one drive is dying and the company doesn't scrub the data the right way.
And during that time an attacker can log your keystrokes and unlock the partition at his/her own discretion.
Well, not everyone is a target of the NSA :P
Thanks for sharing!
Just another side note, if you care about security, check your script renewing your webserver's LetsEncrypt certificate (it expired 4 days ago).
Oh I didn't mean to be religious about it. My statement was purely practical.
Yes absolutely. But (a) that could be changed into a key based routine and in fact even enhance security a lot by bringing a challenge factor and a PH/KDF function like Argon2 into the game. And (b) the attack surface is rather small anyway and only quite resourceful opponents (like e.g. FBI) or your hoster's techies could get at those data.
But I concede that (a) would need substantial experience both in crypto and in programming as there is no such utility available afaik.
As protection against the low end 99% attackers a PROPERLY encrypted drive adds quite a bit of protection so the tutorial @drivex linked to might be quite useful for some.
Edit: Never mind I misread and it is included in that document already.
What you linked is pretty much the same as what was linked earlier. And rest assured that I did understand it.
The problem I addressed was NOT how to remotely enter the password for the encrypted partition without KVM/IPMI. The problem I addressed was about knowing when it's needed and being available to remotely enter the password.
I had adjusted my reply several minutes before you replied; however, it seems you rushed as quickly to your response as I did to mine.
Maybe there is a lesson in there somewhere for the both of us about taking our time when replying.
Cheers!