3w ago

Encrypting without full disk encryption question

I use a headless server connected to nothing but an ethernet cable in my basement, and I'd prefer to allow the thing to boot by itself and start up without me needing to unlock the disk encryption every single time I do an update or power back on. Its a Dell 9500t NUC that I'm using it as a server and am wondering whether its possible to encrypt everything still.

I do generally use docker containers, so could I potentially encrypt just the containers themselves, assuming I'm worried about a smash and grab rather than someone keeping the machine powered up and reading my ram?

23 comments

If it can power up and decrypt the docker volumes on its own without prompting you for a password in your basement, it will also power up and decrypt the docker volumes on its own without prompting the robbers for a password in their basement
- Exactly, I don't get why people want (full disk) encryption, but with automounted keyfiles after reboot 😂
  
  First reason I think of to use fde all the time even if it's automatically unlocked, is it's simple to securely delete everything all at once. Just delete all the keys or overwrite that section of the desk.
assuming I’m worried about a smash and grab
For your specific use case, how about this:
Get a cheap USB thumb drive and a long USB cable. Put your disk unlock password on that thumb drive, and semi-permanently affix the USB drive to your building. You said you're in a basement. Put it on top of a rafter with a metal fitting that would keep the drive from being taken without removing the screws. Run the long USB cable from the thumb driving in your rafter to the USB port on the machine. Alter your startup script to mount the thumb drive read the password from the thumb drive to unlock your main disk. Don't forget to immediately unmount the thumbdrive in the OS after the disk is unlocked for extra safety.
If someone is doing a smash and grab, they'll unplug all the cables (including this USB cable going to the thumb drive) and take your machine leaving the disk encryption password behind on the USB thumb drive.
- This is a good idea. Use an cat5 USB extender for maximum range (100mt) and put the USB drive even further away.
  
  Plus it just seems like a network cable. A bit of security obscurity.
- This is similar to what I do.
  I have a USB drive with the whole bootloader + decryption keyfiles on it. I remove it while it is running as everything is stored in RAM and already booted.
  Downside being it has to be plugged in to update the boot partition during an upgrade.
I read somewhere someone had their encryption key on their phone / another server and had the server pull the key via ftp on boot. Then the server and encryption key is separated but can decrypt its self as long on the ftp server is available.
Edit - might have been unraid where the OS and data drivers are separate
- I've configured something similar. The /boot partition is the only unencrypted. In the initramfs there is a script that downloads half of the decryption key from http, while the other half is stored in the script itself. The script implements automated retry until it can fetch the key and decrypt the root partition.
  My attack model here is that, as soon as I realize someone stole my NAS I can shutdown the server hosting half of the decryption key making my data safe. There is a window where the attacker could connect it to a network and decrypt the data, but it is made more difficult by the static network configuration: they should have a default gateway with the same IP address of mine.
  On my TODO list I also have to implement some sort of notification to get an alert when the decryption key is fetched from internet.
  
  On my TODO list I also have to implement some sort of notification to get an alert when the decryption key is fetched from internet.
  Why is it fetchable by arbitrary IPs from the internet? I'd think you'd lock it down to an IP/only make it available locally.
Check Mandos , if you are able to secure enough the server (inside a safe box?) then you are good
If you have TPM2 support on the motherboard it can be used to unlock LUKS encryption but has the following known vulnerability.
https://oddlama.org/blog/bypassing-disk-encryption-with-tpm2-unlock/
- The issue I see with TPM is that it will always unlock the drive as long as it is connected to the same motherboard. It means you have to trust all the services you run to be correctly secured. Like there is little reason to encrypt your hard drive in this way if later you have a samba share open without any password.
https://wiki.archlinux.org/title/Dm-crypt/Specialties#Remote_unlocking_of_root_(or_other)_partition
https://www.golinuxcloud.com/network-bound-disk-encryption-tang-clevis/
something like clevis/tang might help but ultimately if someone has physical access to your box then they can potentially get it all anyways 🤷
surprised no one has mentioned dropbear yet. i don't remember the name off the top of my head, but there's a relatively easy way to setup your initramfs to listen for SSH connections, authenticate with a private key, and send the unlock key. bonus points for writing a script to do it automatically with cute names, e.g. "sendkey helium.intra" or whatever
Yes, you can have docker scripts decrypt a drive/storage. You might also consider an encrypted home partition separate from the root partition, or user space encryption of your home directory.

23 comments