Hi

On my server I have an unencrypted boot drive which decrypts an encrypted LUKS drive with my data on it.

I am aware that a skilled thief could access the encryption keys thatbare stored on the unencrypted boot drive and am looling for a chill and safe solution.

I know about dropbear to decrypt a luks boot drive and I was wondering about using proxmox and an encrypted VM.

What do you guys think are good ideas?

Thanks

  • nomad@infosec.pubEnglish
    0·
    6 days ago

    Funnily enough I have written a system to do exactly that as a bachelor’s theses for IT security.

    Places client certificates and a client inside the initrd and requests securely the key to unlock.

    The sever waits for you to approve the request before providing the key. The key is only held in memory during boot.

    I had a version that included for a hidden key provider and planned for a version that included time based auto unlocks etc.

    I was planning to package that and release it as open source.

    Still might do that.

  • i_am_not_a_robot@discuss.tchncs.deEnglish
    0·
    6 days ago

    Tang and Clevis have already been mentioned as a way for one server to boot using another server.

    You can also create an environment where the server boots into a phase 1 where it obtains network connectivity and then waits for you to provide it the key to continue booting. The first phase is unencrypted, so don’t put sensitive data in there.

    • i_am_not_a_robot@discuss.tchncs.deEnglish
      0·
      6 days ago

      A less intrusive solution would be to just put your sensitive data in LUKS and configure services that use that data to depend on the partition being mounted. That doesn’t require modifying the normal system startup process. You’re less likely to mess up your startup process at the expense of needing to be more mindful about where you’re putting your files.

  • Max@lemmy.worldEnglish
    0·
    6 days ago

    By default, an enencrypted boot drive is not sufficient to be able to decrypt a LUKs drive. If you have to type in your password to start the computer/unlock LUKs then you should be good.

    If you’ve setup a keyfile or TPM based decryption of LUKS, then your data is probably not safe (though a TPM based decryption could be if the OS is secure and secure boot is setup properly)

    In this case, if you have another server then you could setup a mutual tang/clevis system where each device gets the keys it needs from the other server on the LAN. Both would be LUKs encrypted. So if one is online the other gets the required key from the online one while booting. But if both are offline then no keys are available and you have to type in a LUKS password to boot. Something like https://www.ogselfhosting.com/index.php/2023/12/25/tang-clevis-for-a-luks-encrypted-debian-server/ but what they do with multiple servers is probably overkill

  • Neverclear@lemmy.dbzer0.comEnglish
    0·
    6 days ago

    iPXE maybe? But there’s a lot of implementation details you would have to figure out. Two that come to mind are:

    1. A mobile device from which you can selectively provide an image for booting

    2. A physical intrusion detection system for your home machine that you can also read remotely