Check Mandos , if you are able to secure enough the server (inside a safe box?) then you are good
this post was submitted on 18 Jun 2025
28 points (96.7% liked)
Selfhosted
46672 readers
942 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
I read somewhere someone had their encryption key on their phone / another server and had the server pull the key via ftp on boot. Then the server and encryption key is separated but can decrypt its self as long on the ftp server is available.
Edit - might have been unraid where the OS and data drivers are separate
I've configured something similar. The /boot partition is the only unencrypted. In the initramfs there is a script that downloads half of the decryption key from http, while the other half is stored in the script itself. The script implements automated retry until it can fetch the key and decrypt the root partition.
My attack model here is that, as soon as I realize someone stole my NAS I can shutdown the server hosting half of the decryption key making my data safe. There is a window where the attacker could connect it to a network and decrypt the data, but it is made more difficult by the static network configuration: they should have a default gateway with the same IP address of mine.
On my TODO list I also have to implement some sort of notification to get an alert when the decryption key is fetched from internet.
If it can power up and decrypt the docker volumes on its own without prompting you for a password in your basement, it will also power up and decrypt the docker volumes on its own without prompting the robbers for a password in their basement
Exactly, I don't get why people want (full disk) encryption, but with automounted keyfiles after reboot 😂
First reason I think of to use fde all the time even if it's automatically unlocked, is it's simple to securely delete everything all at once. Just delete all the keys or overwrite that section of the desk.
Second reason. It may run your vpn, with the server down you cannot connect to it and provide the decryption key unless you are connected to the same network.
There are some good answer around where the server can easily decrypt automatically as long as it is connected in your home but will likely fail at a thief's home. These are a much safer setup than keeping data unencrypted even if they are not bullet proof.
Depends on how you want to define "securely". A sufficiently motivated attacker could attack the remaining encrypted data, either through brute force or exploiting a weakness in the algorithm.
If you find an encrypted drive, it's extremely unlikely you can recover anything from it. If there is no LUKS header, it's pretty much impossible.
assuming I’m worried about a smash and grab
For your specific use case, how about this:
Get a cheap USB thumb drive and a long USB cable. Put your disk unlock password on that thumb drive, and semi-permanently affix the USB drive to your building. You said you're in a basement. Put it on top of a rafter with a metal fitting that would keep the drive from being taken without removing the screws. Run the long USB cable from the thumb driving in your rafter to the USB port on the machine. Alter your startup script to mount the thumb drive read the password from the thumb drive to unlock your main disk. Don't forget to immediately unmount the thumbdrive in the OS after the disk is unlocked for extra safety.
If someone is doing a smash and grab, they'll unplug all the cables (including this USB cable going to the thumb drive) and take your machine leaving the disk encryption password behind on the USB thumb drive.
This is a good idea. Use an cat5 USB extender for maximum range (100mt) and put the USB drive even further away.
Plus it just seems like a network cable. A bit of security obscurity.
TPM2+Tang+Clevis. You'll need to get really familiar with the TPM registers to properly set something up that will meet specific criteria, but you can make a pretty safe system with Tang that you can enable/disable remotely.
If you have TPM2 support on the motherboard it can be used to unlock LUKS encryption but has the following known vulnerability.
https://oddlama.org/blog/bypassing-disk-encryption-with-tpm2-unlock/
The issue I see with TPM is that it will always unlock the drive as long as it is connected to the same motherboard. It means you have to trust all the services you run to be correctly secured. Like there is little reason to encrypt your hard drive in this way if later you have a samba share open without any password.
https://www.golinuxcloud.com/network-bound-disk-encryption-tang-clevis/
something like clevis/tang might help but ultimately if someone has physical access to your box then they can potentially get it all anyways 🤷
Yes, you can have docker scripts decrypt a drive/storage. You might also consider an encrypted home partition separate from the root partition, or user space encryption of your home directory.