Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Register

Quick Links


Categories

In this Discussion

Encrypted Linux drives and encrypted home directories?
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Encrypted Linux drives and encrypted home directories?

k9banger02k9banger02 Member
in Help

How do these work after a system is rebooted?

Is it necessary to into the konsole and mount the drives?

Is it possible to mount them remotely?

Is it okay to make the boot partition different from the root partition, the log onto the boot partition and mount the root partition?

Any guides and howtos on the topic?

Comments

  • ZyraZyra Member
    edited September 2023

    I usually go for full disk encryption using Luks and I use dropbear-initramfs to unlock the drives if a reboot happened.

    Keep in mind that doing this on a vps isn't the most secure option, since the host could in theory dump your ram and see your private key, or so I have been told. Idk what your plan is but best of luck.

    Thanked by 1k9banger02
  • k9banger02k9banger02 Member

    @Zyra said:
    I usually go for full disk encryption using Luks and I use dropbear-initramfs to unlock the drives if a reboot happened.

    Keep in mind that doing this on a vps isn't the most secure option, since the host could in theory dump your ram and see your private key, or so I have been told. Idk what your plan is but best of luck.

    So I take it that it would be safe on a physical server, or virtual machines on the newer CPUs which provide secret keys at the hardware level.

    Any experience with this kind of newer CPUs?

  • StetsedStetsed Member

    So I don't run encryption on my servers currently, however I do run it on my desktop and as the previous one said I combine a form of FDE(ZFS native encryption for me) and then use dropbear to be able to unlock it over the internet.

    What your pobally reffering to is unlocking via the use of TPM which basically means the key gets stored on the TPM which then unpacks it for decryption. There are benefits to this as it means no user interaction but it means if they get full hold of the server they can unlock it.

    If you wanna go up the ass with it you could do BIOS password with secure boot enabled with your own keys that you hold for EFI signing, and then it's relatively easy as long as you keep the bios password safe as it won't boot anything not signed by your keys if you do it right the TPM will wipe itself if secure boot is ever disabled however up to you whether it's worth it.

    Thanked by 1k9banger02
Sign In or Register to comment.