I feel super dumb right now.
I always thought, that all user data (/home/) are decently safe against physical access, as long as my user and root password is strong enough. If I just plug in the hard drive, nobody except the Super User has access to the data on it.
Well, the guys on the other community (Link) have shown me how wrong I’ve been.
All of my devices are securely encrypted. Well, all of them, except the most important one: my server, where all pictures, documents and other private stuff is stored.
Now, I’m afraid as hell that this will go wrong in the future.
Imagine a vengeful ex girlfriend, a police raid, whatever.
It’s just dumb from my side to secure everything except the one thing that would need it the most.
I’ve already done my homework, and encryption doesn’t seem like a highly important topic in the selfhosting community, or on many servers else.
At least that’s what I’ve got the feeling.
The most common argument I hear is “nobody will get physical access anyway, so I don’t care”.
Threat model and security measures
My threat model: not high. I don’t do any illegal stuff and don’t have any enemies. Still, I want everything at least somewhat secure.
If it only serves the purpose to annoy the intruder it’s already enough.
The only thing that has online access is my Nextcloud (AIO from Docker), and that is already well secured against hacking attacks (password, 2FA, brute force protection, etc.).
It’s also the only thing that is worth securing in my eyes.
Options for encryption
LUKS2 full disk
I would need to factory reset the whole server for that, which would be … highly inconvenient for me. It took me quite a long time to get everything working, and I don’t wanna loose my configuration.
Also, how should I access the device when I don’t see anything? Is there a workaround or something when I want to reboot without a monitor and keyboard?
Only encrypt the home folder
Same problem as with FDE
Nextcloud server side encryption
That one isn’t recommended from what I’ve read. It causes compatibility issues and an extreme hit on performance according to forums. Is this still correct?
Cryptomator (?)
Encrypting and decrypting with every up- and download sounds quite annoying. Wouldn’t be my prefered method tbh.
What is your opinion on that topic? What would you recommend me?
Please remember, that I’m not that experienced as much, so please be patient with me 😬
I understand a complete server reset would be inconvenient.
I’m quite fond of veracrypt: It offers good encryption and is transparent when mounted.
You can create and mount a container file with veracrypt, copy your existing data in there and replace the original folders with appropriate symlinks. I think thats the best tradeoff for good protection and convenience
You best bet is not to use Nextcloud in the first place because it will eventually fuckup your data. Same goes for Cryptomator (just google it), it tends do lose files with long names or in folders with a large number of files. There are instances where the vault never opens again also.
A very important thing to consider is that whatever file backend you’re using it should support inotify and fuse-based stuff doesn’t support it. ecryptfs is a good option to encrypt the data, doesn’t fail and it isn’t fuse-based. It’s old however and may not be supported by every system/kernel.
Why can’t you just created a data partition and encrypt with LUKS? Not full disk, just your data partition? VeraCrypt is another option.
I quite like your idea of just moving my data (not the other stuff) to another drive.
How can I decrypt my drive without a GUI, monitor or keyboard?
I don’t agree on hating on nextcloud, but moving that data to a luks partition could work.
I would need to factory reset the whole server for that, which would be … highly inconvenient for me. It took me quite a long time to get everything working, and I don’t wanna loose my configuration.
It sounds like your configuration is not sufficiently backed up.
Data you care about (that includes software configuration files) should be backed up at least three times on two different mediums with one copy being stored off-site (3-2-1 rule).
Also, how should I access the device when I don’t see anything? Is there a workaround or something when I want to reboot without a monitor and keyboard?
There are two ways that I have found for this:
- Initrd SSH: Just run an sshd inside your initrd. After reboot, you connect from another machine and enter your decryption password through SSH.
- TPM unlock & measured boot: You use a TPM to measure whether your bootloader, kernel, initrd are all valid and then the TPM releases the decryption key to the kernel; automatically unlocking LUKS.
It sounds like your configuration is not sufficiently backed up.
It is backed up. 1x per auto-backup (Borg, included in the AIO) and 2x on different external drives.
The setup isn’t complicated too, basically barebones Debian with docker.It’s just that setting everything up (once) again is annoying and highly inconvenient.
But, thank you for your tips on the LUKS-stuff, I will consider it! 🙂
I would need to factory reset the whole server for that, which would be … highly inconvenient for me. It took me quite a long time to get everything working, and I don’t wanna loose my configuration.
This is your actual problem you need to solve. Reinstalling your server should be as convenient as installing a basic OS and running a configuration script. It needs to be reproducible and documented, not some mystery black box of subtle configurations you’ve forgotten about ages ago. A nice, idempotent configuration script is both convenient and a self-documenting system for tracking all the changes you’ve ever implemented on your server.
Once you can do that, adding whatever encryption you want is just a matter of finding the right sequence of commands, testing it (in another docker perhaps) and then running your configuration script to migrate your server into the desired state.
Any chance you can share some examples of the kinds of configuration script you’re thinking of, and best practices for creating one in the first place / maintaining it as you make changes to your system?
I would say there are better methods to solve this problem these days than a script. Check out Ansible or NixOS.
