SoYouStart full disk encryption possible?

xrz Member

Is full disk encryption possible on SoYouStart?

Comments

  • exception0x876 Member, Host Rep, LIR

    Yes, but since SYS servers don't have IPMI, you have to fetch a key in some other way, i.e. from some network resource.

  • SoYouAsk?

  • xrz Member

    So OVH has IPMI for free as I see, so there it will be possible?

  • deank Member, Troll

    Your ability would be the limit.

    Just use debian, thx.

    Thanked by 1inthecloudblog
  • exception0x876 Member, Host Rep, LIR

    @xrz said:
    So OVH has IPMI for free as I see, so there it will be possible?

    Yes

  • edited August 2016

    scam

  • emg Veteran
    edited August 2016

    This topic comes up every once in a while.

    @xrz should think about the threat model. Let us say that xrz has enabled full disk encryption. How does xrz plan to unlock it in a secure manner at startup?

    Thanked by 1postcd
  • I do it like this: I debootstrap a new system (where I don't need IPMI), make my config with initramfs + dropbear/busybox, and at boot I unlock via SSH.

    Thanked by 2yomero emg
  • emg Veteran

    @twiigl said:
    I do it like this: I debootstrap a new system (where I don't need IPMI), make my config with initramfs + dropbear/busybox, and at boot I unlock via SSH.

    Good solution. Hopefully @xrz understands the details to implement it. It can be made to work on dedicated servers (e.g., SoYouStart) and KVM VPSs, but not on OpenVZ VPS.
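
As an added example (not from the thread or any poster), a POSIX shell check for the initramfs + dropbear SSH unlock setup described above, assuming Debian's dropbear-initramfs and cryptsetup-initramfs packaging. The function name `audit_unlock` and the sample keys are constructed for illustration.

```shell
# Added example: audit a Debian-style dropbear-initramfs unlock setup.
# audit_unlock ROOT  ->  prints one line per finding, returns their count.
# ROOT is / on a live system, or a staged copy of its /etc.
audit_unlock() {
    root=${1%/}; n=0; keys=; conf=; opts=
    # Debian 12+ uses etc/dropbear/initramfs, older releases etc/dropbear-initramfs.
    for d in etc/dropbear/initramfs etc/dropbear-initramfs; do
        if [ -z "$keys" ] && [ -s "$root/$d/authorized_keys" ]; then
            keys="$root/$d/authorized_keys"
        fi
        for f in dropbear.conf config; do
            if [ -z "$conf" ] && [ -f "$root/$d/$f" ]; then conf="$root/$d/$f"; fi
        done
    done
    if [ -z "$keys" ]; then
        echo "no authorized_keys: nobody can log in to unlock"; n=$((n + 1))
    else
        # Pin every key to the unlock helper instead of a busybox shell.
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                ''|'#'*) ;;
                *command=*cryptroot-unlock*) ;;
                *) echo "key not pinned to cryptroot-unlock: ${line##* }"; n=$((n + 1)) ;;
            esac
        done < "$keys"
    fi
    # Assumes the usual double-quoted form DROPBEAR_OPTIONS="...".
    if [ -n "$conf" ]; then
        opts=$(sed -n 's/^DROPBEAR_OPTIONS="\([^"]*\)".*/\1/p' "$conf" | tail -n 1)
    fi
    # -s: no password logins; -j / -k: no local / remote port forwarding.
    # Only separately written flags are recognised ("-s -j", not "-sj").
    for flag in -s -j -k; do
        case " $opts " in
            *" $flag "*) ;;
            *) echo "DROPBEAR_OPTIONS lacks $flag"; n=$((n + 1)) ;;
        esac
    done
    return "$n"
}
# Constructed sample: one pinned key, one unrestricted key, no -j/-k.
demo=$(mktemp -d)
mkdir -p "$demo/etc/dropbear/initramfs"
cat > "$demo/etc/dropbear/initramfs/authorized_keys" <<'EOF'
no-port-forwarding,command="cryptroot-unlock" ssh-ed25519 AAAAconstructed admin@laptop
ssh-ed25519 AAAAconstructed backup@jumphost
EOF
echo 'DROPBEAR_OPTIONS="-p 2222 -s"' > "$demo/etc/dropbear/initramfs/dropbear.conf"
audit_unlock "$demo" || echo "findings: $?"
rm -rf "$demo"
```

The initramfs that carries dropbear and its host key has to stay unencrypted for the machine to boot, so this covers the SSH side of the unlock only.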

  • What is the benefit of Full Disk Encryption such as LUKS if the server is constantly powered on? You're mitigating against somebody breaking in and stealing the server, right?

    Thanked by 1postcd
  • @eastonch said:
    What is the benefit of Full Disk Encryption such as LUKS if the server is constantly powered on? You're mitigating against somebody breaking in and stealing the server, right?

    I often wondered this, since the encryption keys are always in memory and somewhere where you can't see who's got physical access to the box.

    Any encryption needs to be done off-box IMO on the machine that creates the data before being uploaded... I.e. the server shouldn't know how to decrypt it.

  • @dragon2611 said:

    @eastonch said:
    What is the benefit of Full Disk Encryption such as LUKS if the server is constantly powered on? You're mitigating against somebody breaking in and stealing the server, right?

    I often wondered this, since the encryption keys are always in memory and somewhere where you can't see who's got physical access to the box.

    Any encryption needs to be done off-box IMO on the machine that creates the data before being uploaded... I.e. the server shouldn't know how to decrypt it.

    The solution is file-level encryption. FDE is great if it's a laptop, gonna be in shutdown state often.

    Or, encrypted "volumes" and load them once you have booted, though again depending on the usage and reason for encryption, this could work in other ways.

    Good practice is to not have both the key (pass/keyfile) and the lock (ciphertext/encrypted file) in the same accessible location.
