• 𝒍𝒆𝒎𝒂𝒏𝒏@lemmy.one · 15 upvotes · 10 months ago

    Flash drive hidden under the carpet and connected via a USB extension, holding the decryption keys - threat model is a robber making off with the hard drives and gear, where the data just needs to be useless or inaccessible to others.

    There’s a script in the initramfs which looks for the flash drive, and passes the decryption key on it to cryptsetup, which then kicks off the rest of the boot, mounting the filesystems underneath the LUKS.

    I could technically remove the flash drive after boot as the system is on a UPS, but I like the ability to reboot remotely without too much hassle.

    What I’d like to do in future would be to implement something more robust with a hardware device requiring 2FA. I’m not familiar with low level hardware security at all though, so the current setup will do fine for the time being!
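The keyscript described above, as an added example (not the poster's script): a Debian-style crypttab keyscript that waits for a USB stick with a given filesystem label, mounts it read-only and writes the key file to stdout for cryptsetup. The label LUKSKEY, the key path keys/cryptroot.key, the script path and the "LABEL:path" convention in CRYPTTAB_KEY are all assumptions for the example; the environment variables (CRYPTTAB_NAME, CRYPTTAB_KEY) and the stdout contract are the interface cryptsetup-initramfs gives keyscripts. Debian also ships a stock keyscript, /lib/cryptsetup/scripts/passdev, that does much the same job.

```sh
#!/bin/sh
# Hypothetical keyscript (added example). cryptsetup-initramfs runs it with
# CRYPTTAB_NAME / CRYPTTAB_SOURCE / CRYPTTAB_KEY set and reads the key from stdout.
# Assumed /etc/crypttab entry:
#   cryptroot UUID=<root-luks-uuid> LUKSKEY:keys/cryptroot.key luks,keyscript=/usr/local/sbin/usbkey.sh
# i.e. CRYPTTAB_KEY is "<filesystem label>:<path on that filesystem>" (a made-up convention).

# find_key_device DIR LABEL: print DIR/LABEL if a device node with that label exists.
find_key_device() {
    [ -e "$1/$2" ] || return 1
    printf '%s\n' "$1/$2"
}

# wait_for_key_device DIR LABEL SECONDS: poll once a second, because the USB stack and
# udev may not have created /dev/disk/by-label/* yet when the initramfs starts.
wait_for_key_device() {
    _dir=$1; _label=$2; _left=$3
    while [ "$_left" -gt 0 ]; do
        if find_key_device "$_dir" "$_label"; then
            return 0
        fi
        sleep 1
        _left=$((_left - 1))
    done
    echo "usbkey: no device labelled $_label after ${3}s" >&2
    return 1
}

# emit_key MOUNTPOINT RELPATH: copy the key file to stdout; an empty or missing file is
# an error rather than an empty passphrase handed to cryptsetup.
emit_key() {
    [ -s "$1/$2" ] || { echo "usbkey: key file $2 missing or empty" >&2; return 1; }
    cat "$1/$2"
}

# Entry point used by cryptsetup. The stick is mounted read-only with nosuid,nodev,noexec
# (it is untrusted removable media) and unmounted again whatever emit_key returns.
usbkey_main() {
    _label=${CRYPTTAB_KEY%%:*}
    _path=${CRYPTTAB_KEY#*:}
    _dev=$(wait_for_key_device /dev/disk/by-label "$_label" 30) || return 1
    mkdir -p /run/usbkey
    mount -o ro,nosuid,nodev,noexec "$_dev" /run/usbkey || return 1
    emit_key /run/usbkey "$_path"
    _rc=$?
    umount /run/usbkey
    return $_rc
}

# Only act when invoked by cryptsetup; sourcing the file just defines the helpers.
if [ -n "${CRYPTTAB_NAME:-}" ]; then
    usbkey_main
fi
```

Mark the script executable, reference it in /etc/crypttab as above, run update-initramfs -u and confirm with lsinitramfs that the initramfs contains both the script and the usb-storage/vfat modules it needs. The key file on the stick is plaintext, which is exactly the trade-off the poster describes: it defends against someone walking off with the drives, not against someone who also finds the stick.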

    • Adam@doomscroll.n8e.dev · 0 upvotes · 10 months ago

      Flash drive hidden under the carpet and connected via a USB extension, holding the decryption keys - threat model is a robber making off with the hard drives and gear, where the data just needs to be useless or inaccessible to others.

      This is a pretty clever solution. Most thieves won’t follow a cable that for all intents looks like a network cable, especially if it disappears into a wall plate or something.

      • Max-P@lemmy.max-p.me · 2 upvotes · 10 months ago

        I don’t think most thieves care much about the data on the computer in the first place. Steal hardware, fresh install of Windows on it and straight to the pawn shop.

  • constantokra@lemmy.one · 9 upvotes · 10 months ago

    Initramfs listening with dropbear to prompt me for my passphrase. I can SSH in if I need to reboot, or if it’s lost power for longer than my UPS can keep it running.
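The dropbear-in-initramfs setup above, as an added example (not constantokra's configuration), with the hardening a practitioner would want: the remote key may only run cryptroot-unlock, dropbear refuses password logins and port forwarding, and idle sessions are dropped. Paths assume Debian or Ubuntu with cryptsetup-initramfs and dropbear-initramfs installed (older releases keep the same files under /etc/dropbear-initramfs/ instead of /etc/dropbear/initramfs/); port 2222 and the sample key are made up.

```sh
#!/bin/sh
# Added example: restrict a remote-unlock SSH key to cryptroot-unlock and build the
# dropbear-initramfs config. Only install_remote_unlock touches the system, and only when
# called explicitly as root; sourcing the file just defines the helpers.

UNLOCK_CMD=/usr/bin/cryptroot-unlock   # shipped by cryptsetup-initramfs

# forced_unlock_key_line "ssh-ed25519 AAAA... comment": print an authorized_keys line whose
# only permitted action is running cryptroot-unlock. Lines that already carry options
# (e.g. a pasted command="...") or use an unknown key type are rejected.
forced_unlock_key_line() {
    set -- $1
    [ $# -ge 2 ] || { echo "usage: forced_unlock_key_line '<type> <blob> [comment]'" >&2; return 1; }
    case $1 in
        ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ssh-rsa) ;;
        *) echo "unsupported key line: $1" >&2; return 1 ;;
    esac
    _type=$1; _blob=$2; shift 2
    printf 'command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s %s%s\n' \
        "$UNLOCK_CMD" "$_type" "$_blob" "${*:+ $*}"
}

# dropbear_options PORT: listen on PORT, no password logins (-s), no local or remote port
# forwarding (-j -k), drop idle sessions after 60 s (-I 60).
dropbear_options() {
    printf '%s\n' "DROPBEAR_OPTIONS=\"-p $1 -s -j -k -I 60\""
}

# install_remote_unlock PUBKEY_LINE [PORT]: append the restricted key, write dropbear.conf
# (replacing any existing options) and rebuild the initramfs.
install_remote_unlock() {
    _port=${2:-2222}
    _line=$(forced_unlock_key_line "$1") || return 1
    install -d -m 0700 /etc/dropbear/initramfs
    printf '%s\n' "$_line" >> /etc/dropbear/initramfs/authorized_keys
    chmod 0600 /etc/dropbear/initramfs/authorized_keys
    dropbear_options "$_port" > /etc/dropbear/initramfs/dropbear.conf
    update-initramfs -u
}

# Usage (as root):
#   install_remote_unlock "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample laptop key" 2222
# Then from the laptop: ssh -p 2222 root@server   (the forced command prompts for the passphrase)
```

The initramfs also needs network configuration: either ip=dhcp (or a static ip=... spec) on the kernel command line via GRUB_CMDLINE_LINUX, or IP= in /etc/initramfs-tools/initramfs.conf. Dropbear's host key in the initramfs differs from the running system's OpenSSH host key, so pin it in a separate known_hosts entry rather than ignoring the mismatch.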

  • mote@lemmy.world · 5 upvotes · 10 months ago

    Outside of the classic “type a password” or “have the keys locally”, Network Bound Disk Encryption (NBDE) is what the business world uses for this (but it’s not cheap and/or simple to self host). On one side you have commercial vendors who will sell you a solution, such as Vormetric, and on the other side you have the open source world trying to leverage open code.

    Red Hat has a good article to read as an NBDE primer as it outlines the concepts as well as implementing their solution/method using open software: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/security_and_compliance/network-bound-disk-encryption-nbde

  • twack@lemmy.world · 4 upvotes · edited · 10 months ago

    I’m not sure if this is helpful to you or not, because it’s not what you asked. I just don’t mount them on boot though.

    I have a script that requires a unique password that decrypts everything that I actually care about. If that hasn’t been run, then the server starts emailing me every 15 minutes until I do.

    The server is not set up to reboot unless I manually tell it to or there is a power outage, so logging in to run the script has never really been an issue. At most, I’ve had to SSH in from my phone maybe a handful of times.

  • kugmo@sh.itjust.works · 1 upvote · 10 months ago

    The boring method: unlock the boot drive with a password, then the other drives with a keyfile referenced in crypttab.