On 5/16/2025 12:59 PM, whiteman808 wrote:
> Hello,
>
> Are there any advantages to putting Linux on an encrypted root on a bare-metal
> server if I often access the server remotely over ssh, and sometimes need to
> reboot it? What about the key supplied when unlocking the server after a reboot
> or a manual power-on? Giving the password remotely doesn't seem safe to me.
>
> I want to protect against burglary and I'm not sure whether doing full disk
> encryption is the right way to go. Maybe, instead of trying to focus on the
> software side, I should just try to take more care of physical security?

Burglary is a difficult use case to protect against, because as you
point out you need to provide the key somehow at boot. There are
TPM-based approaches that are not well-supported on Linux distros which
try to ensure that the key is only readable if the disk is booted
normally, but you're still vulnerable to any physical access OS
vulnerability.

I run servers with full disk encryption on SOME of my storage, but not
the OS drives. I store the key in a file on the OS drive. This obviously
provides no security against burglary, but the benefit is that when a
disk with sensitive data fails it is encrypted with a strong key (no
memorable passphrase). You need both the OS disk and the encrypted disk
to read anything sensitive, so I can just toss the failed disk in the
trash. This also allows unattended boot.

Another approach you could consider is putting the key on another host
available over the network. Your initramfs/etc could use a credential
stored on it to access the remote host and retrieve the disk key. The
remote host could be a Pi hidden someplace non-obvious. Then if the host
is stolen and not kept powered on continuously (i.e. not a sophisticated
attacker) the disk won't be readable, but it would boot just fine as
long as it is attached to your LAN.

There might be some other variations on a theme like that using some
sort of credential vault software. Approaches like that could also be
used to remotely disable the device if you can't access it - the
credential vault could be told to not provide the key any longer.

In any case there are definitely use-cases for full disk encryption that
still add value even if it isn't as secure as having to remember a LUKS
key on boot.

--
Rich
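
The network-held key approach described in the reply above, as an added example that is not part of the original message or of any project's code: POSIX shell functions that an initramfs hook could call to fetch the key over ssh from the second host and unlock the volume. The host name, account, paths, device and mapping name are assumed placeholders, and ssh and cryptsetup are assumed to be available in the initramfs.

```shell
#!/bin/sh
# Added example, not from the original message. Every name below is a
# hypothetical placeholder: key host, account, key path, device, mapping name.
KEY_HOST="${KEY_HOST:-keyholder.lan}"        # the hidden second host on the LAN
KEY_USER="${KEY_USER:-keyfetch}"             # unprivileged account on that host
KEY_PATH="${KEY_PATH:-/srv/keys/data0.key}"  # one line of text, e.g. base64 of random bytes
SSH_ID="${SSH_ID:-/etc/keyfetch/id_ed25519}" # credential stored on this machine
KNOWN_HOSTS="${KNOWN_HOSTS:-/etc/keyfetch/known_hosts}"
DEVICE="${DEVICE:-/dev/sdb1}"
MAPPING="${MAPPING:-data0}"
RETRIES="${RETRIES:-5}"
RETRY_DELAY="${RETRY_DELAY:-3}"

# Print the key on stdout. Fails if the key host is unreachable, presents an
# unexpected host key, or has been told to stop serving the key.
fetch_key() {
    ssh -i "$SSH_ID" -o BatchMode=yes -o ConnectTimeout=5 \
        -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$KNOWN_HOSTS" \
        "$KEY_USER@$KEY_HOST" "cat $KEY_PATH"
}

# Retry the fetch (the network may still be coming up), then unlock.
# Returns non-zero without calling cryptsetup if no key was obtained.
unlock_with_remote_key() {
    uk_try=1
    while [ "$uk_try" -le "$RETRIES" ]; do
        if uk_key=$(fetch_key) && [ -n "$uk_key" ]; then
            # --key-file=- reads stdin verbatim, so the key must have been
            # enrolled as the same text without a trailing newline.
            printf '%s' "$uk_key" |
                cryptsetup open --type luks --key-file=- "$DEVICE" "$MAPPING"
            uk_rc=$?
            unset uk_key
            return "$uk_rc"
        fi
        uk_try=$((uk_try + 1))
        sleep "$RETRY_DELAY"
    done
    echo "no key from $KEY_HOST; leaving $DEVICE locked" >&2
    return 1
}
```

If the key host stops serving the key, fetch_key fails on every attempt and the volume stays locked, which is the remote-disable behaviour mentioned in the reply.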