this post was submitted on 16 Apr 2024
89 points (96.8% liked)

Selfhosted

40198 readers
690 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Fellow selfhoster, do you encrypt your drives where you put data to avoid privacy problems in case of theft? If yes, how? How much does that impact performances? I selfhost (amongst other services) NextCloud where I keep my pictures, medical staff, ...in short, private stuff and I know that it's pretty difficult that a thief would steal my server, buuut, you never know! πŸ€·πŸ»β€β™‚οΈ

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 14 points 7 months ago (15 children)

Have you tried secure-erasing a disk?

Absolutely yes, I do enctypt my drives so I don't have to ever do that again. This isn't as critical for SSDs but it's still a good idea. Even if you keep the key stored on the same system, securely deleting a tiny file is way easier than a whole disk.

[–] [email protected] 2 points 7 months ago (14 children)

Have you tried secure-erasing a disk?

Once /dev/urandom is enough. Who cares if a state actor could theoretically recover your media library in an expensive lab.

[–] [email protected] 4 points 7 months ago (1 children)
[–] [email protected] 4 points 7 months ago (1 children)

And it has other benefits. For example a dying disk. You can just throw that out. I once tried to wipe such a disk and it's a chore. It makes weird clicking noises and slows down to the point where it'd take years to overwrite it. Occasionally the SATA controller resets etc. And it won't succeed at overwriting stuff. Sure I could go to the garage, get the power tools, put the hdd into a vise and delete everything with a combination of hammer and drill... But it's much more convenient to have it encrypted and not care.

[–] [email protected] 3 points 7 months ago* (last edited 7 months ago) (2 children)

You take the disk out, drill once through it (use a metal bit).

Done.

Takes a couple minutes.

[–] [email protected] 1 points 7 months ago (1 children)

Takes me about 2 seconds with a 5lb steel mallet.

[–] [email protected] 1 points 7 months ago* (last edited 7 months ago)

Bold of you to assume sysadmins can wield a 5lb mallet. (I'm not completely sure what that is in real world weight, 2 Β½ kg?).

[–] [email protected] 1 points 7 months ago* (last edited 7 months ago) (1 children)

Sure. It's just effort. I have to go fetch the power tools, fetch the drills, if I want to do it correctly also mount a vise or go fetch a piece of scrap wood and some clamps... After that clean up and remove the metal chips from my apartment...

At work I'd additionally need 3 training courses to be allowed to operate the drill press and visit the workshop. The whole process is going to take half a year. And it'll still not be certified that the information is now gone.

[–] [email protected] 2 points 7 months ago (1 children)

In an enterprise setting, it's probably a bit of a hassle with everything having to follow some kind of process...

[–] [email protected] 1 points 7 months ago* (last edited 7 months ago) (1 children)

Somehow they don't trust the software developers with operating heavy machinery πŸ˜†

Anyways, I think we're moving away from the topic... At work I didn't encrypt harddisks anyways. They just put the servers into a special area in the datacenter that has a fence and a separate lock.

At home I just encrypt stuff so I don't have to remember what I put where and handle things differently. Of course everything depends on the specific scenario and threat model. I have a bit of stuff archived on my server that isn't around anymore, could be a copyright violation. I also have my complete life stored there, documents, finances, emails of a decade, pictures, backups for family members, passwords for emergency access to things. Admin stuff and logfiles that I'm required by law (GDPR..) not to share. I also used to travel a lot with my laptop in the backpack and that can get stolen. At some point a long time ago I decided to encrypt my harddisks and stop worrying. Since at least 10 years there isn't any speed penalty anymore and it takes like 20 seconds to set it up on Linux...

But I can also see why not everyone wants to do it this way.

[–] [email protected] 2 points 7 months ago (1 children)

I'm still in the planning stage of my home network (we're redoing the whole place so I'm doing a proper network) and TrueNas will be at the centre of it. So far, I'm not considering encryption (my laptops have /home encrypted though).

I'm not sure what the risk of a Disney raid on my server is. It could be a real thing, or not. It really depends on many things.

However, all in all, the lack of a proper solution for a quick server wipe beyond the usual thermite load, is problematic.

[–] [email protected] 1 points 7 months ago (1 children)

Why don't you consider encrypting your NAS, if I might ask? Inconvenience on boot? Because that's one inconvenience I currently live with... After a power outage I have to fetch a keyboard and type in the password, since the mainboard doesn't have remote-management and I've never set up an automatic way to transfer/fetch the encryption key...

[–] [email protected] 2 points 7 months ago (1 children)

ZFS is already a handful. I'm not sure if I want to add encryption on top of that.

[–] [email protected] 1 points 7 months ago (1 children)
[–] [email protected] 2 points 7 months ago (1 children)

In truth, I'm going to have to deal with a shitload of new stuff. I'm going with a Dell or Supermicro server (as in rackable server) with between 8 and 16 disks, so I'm also going to have to deal with new hardware (I suppose everyone kind of has to, since they're not running their usual software). And of course, I'm also doing HomeAssistant stuff on top of that, with all the Zigbee (or whatever other proper protocols I can stick on MTQQ) stuff, or else where would the fun be.

It's a good thing I've been managing Unix stuff for decades (not that it makes me feel any better about juggling a dozen new things at the same time).

[–] [email protected] 1 points 7 months ago* (last edited 7 months ago)

Oh wow. Seems you live somewhere where electricity is a bit more affordable. I have an super efficient enterprise mainboard with an old Xeon. I get by with the 6 SATA-Ports for home use. I mean now that we have 12TB drives... I bought lots of RAM an I'm running several VMs, containers, Home Assistant and all sorts of stuff on that machine.

Happy tinkering and learning?!

load more comments (12 replies)
load more comments (12 replies)