Hi
On my server I have an unencrypted boot drive which decrypts an encrypted LUKS drive with my data on it.
I am aware that a skilled thief could access the encryption keys thatbare stored on the unencrypted boot drive and am looling for a chill and safe solution.
I know about dropbear to decrypt a luks boot drive and I was wondering about using proxmox and an encrypted VM.
What do you guys think are good ideas?
Thanks
By default, an enencrypted boot drive is not sufficient to be able to decrypt a LUKs drive. If you have to type in your password to start the computer/unlock LUKs then you should be good.
If you’ve setup a keyfile or TPM based decryption of LUKS, then your data is probably not safe (though a TPM based decryption could be if the OS is secure and secure boot is setup properly)
In this case, if you have another server then you could setup a mutual tang/clevis system where each device gets the keys it needs from the other server on the LAN. Both would be LUKs encrypted. So if one is online the other gets the required key from the online one while booting. But if both are offline then no keys are available and you have to type in a LUKS password to boot. Something like https://www.ogselfhosting.com/index.php/2023/12/25/tang-clevis-for-a-luks-encrypted-debian-server/ but what they do with multiple servers is probably overkill