this post was submitted on 16 Apr 2024
89 points (96.8% liked)

Selfhosted

40677 readers
495 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Fellow selfhoster, do you encrypt your drives where you put data to avoid privacy problems in case of theft? If yes, how? How much does that impact performances? I selfhost (amongst other services) NextCloud where I keep my pictures, medical staff, ...in short, private stuff and I know that it's pretty difficult that a thief would steal my server, buuut, you never know! πŸ€·πŸ»β€β™‚οΈ

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 36 points 8 months ago (2 children)

This shouldn't even be a question lol. Even if you aren't worried about theft, encryption has a nice bonus: you don't have to worry about secure erasing your drives when you want to get rid of them. I mean, sure it's not that big of a deal to wipe a drive, but sometimes you're unable to do so - for instance, the drive could fail and you may not be able to do the wipe. So you end up getting rid of the drive as-is, but an opportunist could get a hold of that drive and attempt to repair it and recover your data. Or maybe the drive fails, but it's still under warranty and you want to RMA it - with encryption on, you don't have to worry about some random accessing your data.

[–] [email protected] 29 points 8 months ago

If you're getting rid of a (rusty) drive and it leaves your hands with the cool magnets and shiny frisbees still inside, you're doing something wrong.

load more comments (1 replies)
[–] [email protected] 21 points 8 months ago (1 children)

Yes of course, with dm-crypt (luks), very little as AES-NI is incredibly fast.

[–] [email protected] 3 points 8 months ago (1 children)

Do you insert the key/password manually every time (it's a server, so not so many times, but could happen) you boot the server?

[–] [email protected] 3 points 8 months ago

https://www.cyberciti.biz/security/how-to-unlock-luks-using-dropbear-ssh-keys-remotely-in-linux/

As mentioned in another comment I haven’t quite gotten it working but it should be possible to do this via SSH

[–] [email protected] 20 points 8 months ago (1 children)

Nope. This isn't part of my threat model.

I don't have sensitive data and stealing a drive would be inconvenient for a thief.

[–] [email protected] 6 points 8 months ago (2 children)

You don't have sensitive data? Would you mind expanding on that a bit for me? Just curious how you like, live, and stuff.

[–] [email protected] 7 points 8 months ago

Plex data, pi hole, and home assistant don't contain anything meaningful. No credentials are stored in a form that can be reused.

The most sensitive is immich, which I'm more concerned about backups than I am someone might steal my nudes. Their online anyway.

Email is hosted off-site and I still have physical files for a lot of my documents. If someone stole hdds out of my server, they'd get a lot of Linux isos, pictures of cars, porn, tons of versioned software and games installers, etc.

Maybe my definition of sensitive is different than yours though.

[–] [email protected] 4 points 8 months ago (1 children)

I'm surprized as well, like I guess I would understand if it's a no log DNS server but, what else wouldn't have sensitive information.

load more comments (1 replies)
[–] [email protected] 17 points 8 months ago

No,

There is all the backup of all my family pictures in the drives.

If something happens to me I want to make due that they will have access to it.

[–] [email protected] 17 points 8 months ago (1 children)

I keep my drives encrypted with a key currently hosted in my router hoping they wouldn’t steal that. I’m thinking of actually putting it to cloud so I can disable it remotely.

It was quite a ride to make everything work and I made a blog post explaining it so I remember what I did.

https://nowicki.io/self-hosting-lvm-raid1-with-key-over-ftp/

load more comments (1 replies)
[–] [email protected] 15 points 8 months ago (9 children)

How do you even encrypt a server so that it doesn’t require human intervention every time it goes down/restarts?

[–] [email protected] 14 points 8 months ago (1 children)

Isn't that what a TPM could be used for?

load more comments (1 replies)
[–] [email protected] 10 points 8 months ago (4 children)

I'm too lazy to look up the details. But you can have a small ssh server running as part of initrd. I think it's dropbear. I log into that and unlock the root drive from there.

Of course that necessitates an unencrypted /boot/.

Did it on Debian and it was relatively easy to set up.

load more comments (4 replies)
[–] [email protected] 3 points 8 months ago

Files could be decrypted by the end user. The OS itself could remain unencrypted.

[–] [email protected] 3 points 8 months ago

How do you even encrypt a server so that it doesn’t require human intervention every time it goes down/restarts?

The only time my Server goes down, is when i manually reboot it. So waiting a minute or two, to ssh into it and entering the passphrase is no inconvenience.

load more comments (5 replies)
[–] [email protected] 14 points 8 months ago (15 children)

Have you tried secure-erasing a disk?

Absolutely yes, I do enctypt my drives so I don't have to ever do that again. This isn't as critical for SSDs but it's still a good idea. Even if you keep the key stored on the same system, securely deleting a tiny file is way easier than a whole disk.

load more comments (15 replies)
[–] [email protected] 13 points 8 months ago

Always, if nothing else it makes "wiping" them securely easier.

[–] [email protected] 13 points 8 months ago (6 children)

I used to until I realized that I’ve got bigger threats to worry about.

And like someone else mentioned, if I have to do data recovery for some unknown reason I want to make sure the data’s not encrypted.

load more comments (6 replies)
[–] [email protected] 12 points 8 months ago

It's a relatively low performance hit and it benefits me when having to replace a failing/old disk. I can just toss the drive without having to erase the data first, that is as long as the key is a secure length.

[–] [email protected] 12 points 8 months ago (1 children)

I use full disk encryption for every server (and other computers).

Encrypting your data drives is a must for everyone imho. Encrypting the OS is a must for meπŸ€·β€β™‚οΈ

[–] [email protected] 3 points 8 months ago (1 children)

My PC weighs 80+ lbs, live 8km from town, surrounded by farm land and there are only 3,400 in town and I live 30 min from a city of 40,000 and 40 min from another city of 70,000 and my internet is 20/10 mbps

[–] [email protected] 4 points 8 months ago (2 children)
[–] [email protected] 7 points 8 months ago

I think he is saying that his physical attack surface is very small since he is remote, so maybe he doesn't bother?

Either way, encrypting drives is simply always good if you ever resell the computer or upgrade drives.

[–] [email protected] 3 points 8 months ago

FreeAin't no one stealing my shit, even via internet to upload 40tb would take 1 year 5 days at max speed in actuality it would be 1 year 8 months.... Fuck I miss my 1.5G fibre connection....

[–] [email protected] 11 points 8 months ago (1 children)

I encrypt devices that are portable. If someone raids my house I have bigger fish to fry.

load more comments (1 replies)
[–] [email protected] 9 points 8 months ago

No. If someone gets to my server that’ll be the least of my worries.

[–] [email protected] 9 points 8 months ago

Yes.

My home server has dropbear-initramfs installed so that after reboot I can access the LUKS decryption prompt over SSH. The one LUKS partition contains a btrfs filesystem with both rootfs and home as subvolumes. For all the other drives attached to that system, I use ZFS native encryption with a dataset that decrypts with a keyfile from that rootfs and I have backups of an encrypted copy of that keyfile.

I don't think there's a substantial performance impact but I've never bothered benchmarking.

[–] [email protected] 8 points 8 months ago

On laptops yes, on my server no. Most of the data is photo backups and linux ISOs form over the years.

[–] [email protected] 8 points 8 months ago (2 children)

In addition to "encryption at rest", also consider that your devices might be exploited over the internet, so attackers may be able to access the decrypted state that way. To guard against that, you may wish to encrypt certain documents with an additional password, even if they are sitting on an encrypted file system.

Recall that within a month, the widely SSH was exploited and a backdoor added to every machine. I had upgraded to that SSH version. I didn't run an SSH server on that box, but it goes to show that even those who take precautions can end up exploited!

[–] [email protected] 4 points 8 months ago (1 children)

The XZ vulnerability was stopped in its tracks and did not really affect the majority of systems.

I also have a hard time believing local file encryption can be that effective. All they need to do is capture your keystrokes.

load more comments (1 replies)
load more comments (1 replies)
[–] [email protected] 6 points 8 months ago* (last edited 8 months ago)

Yes.

I encrypt about everything. Laptop, server, backups, external hdds that are just for me. (Only thing I don't encrypt is a VPS. It's hosted on somebody else's hardware and they'd be able to break the encryption anyways if they wanted.)

I just put LUKS on it before formatting a filesystem. For the OS I use the good old approach with LUKS and a LVM inside.

I mean if you don't encrypt the backups, the encrytion of the system is kind of meaningless, isn't it?

[–] [email protected] 6 points 8 months ago (1 children)

No. I run my servers on low quality shit and I expect them to break any time. Never had to perform a data recovery but if I need, I'll thank myself I didn't encrypt my pics

load more comments (1 replies)
[–] [email protected] 6 points 8 months ago

Yes, all, no matter what data is, it's not hard and doesn't have any consequences, but protects from many inconvenient accidents

[–] [email protected] 5 points 8 months ago
[–] [email protected] 3 points 8 months ago* (last edited 8 months ago)

I did have LUKS and a USB flash drive with a key to be inserted on boot. It was definitely difficult and caused performance issues. It was particularly difficult to add/remove drives from the array. These days I only encrypt my off-site backups that sit at the office where my coworkers potentially have physical access.

There have been recent advancements in TPM so disk encryption is easier to maintain and doesn't affect performance. I'll need to investigate this one day. My server/NAS is a 4th-gen i5, so it may not support the functions I would need. Full disk encryption will land in Ubuntu soon. I'm hanging out for that.

[–] [email protected] 3 points 8 months ago (3 children)

I want to, but haven't found the time to make a strategy on how to move over the data. It would take a bunch of shuffling as all drives are in use. The next problem is decrypting at boot and securely storing the decryption key - if I choose to use a decryption key at all. Maybe it'll be a usb key that I have to plug into the server when starting it, or I have to setup decryption of the system over SSH, but that means automated restarts are... difficult.

Not sure how to tackle the problem yet...

load more comments (3 replies)
[–] [email protected] 3 points 8 months ago (1 children)

Yup and negligible. If I'm forced to contend with a windows environment bitlocker is utilized.

I also utilize a ram disk in a windows os. Imdisk in windows. I migrate temp files and logs into the ram disk. It saves on disk writes and increases privacy.

If pretty straightforward to encrypt if utilizing Linux right from install time.

As for my server I too utilize nextcloud. However, the nextcloud data is on a zfs dataset. This dataset is encrypted.

I did this by installing nextcloud from docker running within a proxmox container. That proxmox lxc container has the nextcloud dataset passed into it.

[–] [email protected] 3 points 8 months ago

I did this by installing nextcloud from docker running within a proxmox container. That proxmox lxc container has the nextcloud dataset passed into it.

That's almost what I'm doing (I'm using a VM in Proxmox where I install all my Docker containers). Right now I'm thinking about encrypt only the data volume (a NFS share from Proxmos host) since all the sensible data will be there.

[–] [email protected] 3 points 8 months ago* (last edited 8 months ago) (1 children)

I have two WebDAV shares, one unencrypted and one encrypted. The unencrypted one is for things that need to be read by other services, like legally obtained movies and tv shows. The encrypted one is for porn, mostly (also stuff like tax documents, legal contracts, etc).

This is the server I use

https://hub.docker.com/r/sciactive/nephele

It’s really easy to set it up for encryption. Also, I wrote it. :)

[–] [email protected] 3 points 8 months ago (2 children)

Do you honestly encrypt your porn? Why? (Assuming it's legal)

[–] [email protected] 4 points 8 months ago (1 children)

How are you certain all your porn is legal?

load more comments (1 replies)
load more comments (1 replies)
load more comments
view more: next β€Ί