[14:59:22]
<Anmol> I have reinstalled Yuno and will restore my backup on it. So now I want to encrypt my full disk with LUKS. My problem is that sometimes there is a power outage (I have a power backup, but once in a while my backup gets overloaded and the server may shut down; it happens). And for those situations I need some way for my encrypted disk to auto-decrypt itself. Do we have some guide giving steps for using a pendrive or FIDO key to do that automatically? To date I have not even set up TPM on my laptops. I still use the old password method, but on the server I will need that, as I would not always be available to enter the password. All this pen drive and FIDO key stuff is new to me.
[15:00:49]
<Salamandar> i want to do the same thing actually… I don't have the time to handle that
[15:00:49]
<Salamandar> > <@anmol:im.anmol.net.in> I have reinstalled Yuno and will restore my backup on it. So now I want to encrypt my full disk with LUKS. My problem is that sometimes there is a power outage (I have a power backup, but once in a while my backup gets overloaded and the server may shut down; it happens). And for those situations I need some way for my encrypted disk to auto-decrypt itself. Do we have some guide giving steps for using a pendrive or FIDO key to do that automatically? To date I have not even set up TPM on my laptops. I still use the old password method, but on the server I will need that, as I would not always be available to enter the password. All this pen drive and FIDO key stuff is new to me.
ah yeah… that's a classic issue
[15:01:07]
<Salamandar> https://security.stackexchange.com/questions/161974/unattended-disk-encryption
[15:01:11]
<selfhoster1312> there are many ways to do that
[15:01:30]
<Salamandar> tl;dr: either manually connect to the initramfs via SSH to decrypt, or use an automatic tool that decrypts at boot
[15:01:44]
<selfhoster1312> but with a USB key I have no idea
[15:02:50]
<selfhoster1312> Anmol, it's a classic sysadmin problem which concerns the base Debian system yunohost uses
[15:03:04]
<selfhoster1312> there's nothing Yunohost-specific about this so all answers you find for Debian should be ok :)
[15:04:23]
<Anmol> > <@Salamandar:matrix.org> https://security.stackexchange.com/questions/161974/unattended-disk-encryption
That is nice; I have read a lot of them. But I was never able to do that on my laptop. So I am a little scared to do it on the server. If there were a thread on the Yuno forum it would be good to have.
[15:04:48]
<Salamandar> > <@anmol:im.anmol.net.in> That is nice; I have read a lot of them. But I was never able to do that on my laptop. So I am a little scared to do it on the server. If there were a thread on the Yuno forum it would be good to have.
hmmm no, I'm not sure there is :(
[15:04:57]
<Anmol> > <@Salamandar:matrix.org> tl;dr: either manually connect to the initramfs via SSH to decrypt, or use an automatic tool that decrypts at boot
But what if I am away from home? Will it work then as well?
[15:05:40]
<selfhoster1312> what is your threat model? if it should decrypt without *you* why encrypt at all?
[15:05:41]
<Anmol> > <selfhoster1312> there are many ways to do that
selfhoster1312: What do you do? Do you encrypt the disk?
[15:07:21]
<Salamandar> (whitelist the IP of the server, refuse to provide the key if the server was down for more than X minutes, etc)
[15:07:47]
<Salamandar> mandos and clevis use a remote server that provides the decryption key if heuristics decide that the server is "still safe"
[15:09:22]
<selfhoster1312> Anmol, it depends... on servers that don't have secret data I don't do encryption
[15:10:13]
<Anmol> > <selfhoster1312> what is your threat model? if it should decrypt without *you* why encrypt at all?
Mostly my server would be safe. But I somehow feel safe encrypting it, because the data is always in encrypted form, so maybe in the future a dead HDD can say many things.
[15:11:05]
<selfhoster1312> well, if it's personal secrets then mandos is a good compromise, I think
[15:11:14]
<Anmol> > <@Salamandar:matrix.org> mandos and clevis use a remote server that provides the decryption key if heuristics decide that the server is "still safe"
Those are good choices. I might try them on my old laptop and see if they work.