Selfhosted

45470 readers

570 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

Encrypting data on local servers? (feddit.org)

submitted 5 days ago by unskilled5117@feddit.org to c/selfhosted@lemmy.world

30 comments fedilink hide all child comments

I am looking for some recommendations on how to secure the data of my physical servers (against physical theft), that I am about to set up. I am new to selfhosting but have a few years of experience running Linux on a desktop.

My usecase is a simple debian(?) server at home with Paperless ngx and Tailscale for when I am away from home.

The question is how to encrypt the data while still being able to keep the server updated.

Coming from Desktop my first thought was to simply enable FDE on install. But that would mean supplying the password everytime the server needs to reboot for an update. Could someone provide some insights on how often updates to debian require a reboot?

My second thought was to use an encrypted data partition. That way the server could reboot and I could use wireguard to ssh in and open the partition even when I am away from home for a longer time.

I am open to other ideas!

you are viewing a single comment's thread
view the rest of the comments

[–] ladfrombrad@lemdro.id 2 points 1 day ago* (last edited 1 day ago) (1 children)

I like this, and I suppose it's a shame a Rasp Pi can't be WOL'ed.

But could another SFF single use/secured device on the same network that doesn't have FDE, also provide that key only if and when you wake it up (manually decrypt the file after ssh'ing into it too?) instead of having a USB drive directly plugged into the main server so, if a nefarious person does have away with the main bounty they're fugged without said second hidden device on the same network?

ninjaedit: I also at one point in the past did Wireless WOL (wireless NIC's with WOL were prohibitively expensive at the time of me playing) via a Travel router that was acting as an Access Point, simply to wake up forward the magic packet. You could really hide that thing 😇

[–] ryokimball@infosec.pub 2 points 6 hours ago (1 children)

I just bought some PoE hats for my rpis, and have a managed PoE switch; rumor is, this combo basically translates to rPi WoL.

(Not meaning to ignore the rest of your comment, but not in a position to respond fully)

[–] ladfrombrad@lemdro.id 1 points 2 hours ago

That would be neat.

Like someone else said in here maybe the OP could use a really long cable to a USB drive away from the main server, but I do like the idea of something using hybrid wire(less) to auth.

They could even have a UPS underneath a Pi Zero and, have a PoE HAT too + travel router. Plug in LTE USB with backup SIM card, epoxy all that together and then hide it?

lol, paranoia fixed.