Disk encryption

However, if we aim to give self-hosting sovereignty to non-techies, we need to make this straightforward and working out of the box, don’t you think?

Docs would be a good starting point indeed.

Hi,

Indeed, and as the devs are already overloaded with work, everyone is welcome to contribute to the documentation (including you :wink: ).

As for the automation of the server encryption, I don’t know. This would be awesome indeed. But that’s so complex to implement and there is so much corner case (e.g. depending of the hardware, you have different kernel versions)

The project https://internetcu.be/ (basically Yunohost + vpnclient + hotspot on Lime 1/2) was offering the possibility to do an installation with full disk encryption (you could unlock your Yunohost via a web page), but it’s no longer supported. The maintainers got some big issues with a major upgrade of the Linux sunxi kernel.

So some work has already been done in the past to achieve this (only for the lime 1 and 2), but it’s not sufficient to want it to happen, people have too give a considerable amount of time to implement this and most importantly to maintain it (or the lambda user could have a broken system that won’t even startup anymore).

I tried Full Disk Encryption before but the problem with this is power outages.

I would have to wait until I got home, to plug in my server to my TV via HDMI, and plug in a keyboard.

This is the major hurdle behind FDE for servers which probably don’t have a keyboard and screen attached.

Does anybody have a solution to that problem yet?

1 Like

I think (never tested this) that there is a way to put the encryption key on an usb stick.
But if the stick stay plugged in the computer, stealing the computer means tsealing your datas.

1 Like

There is no out-of-the-box solution yet.

There is some articles explaining how to set up Ubuntu to enable remote FDE unlocking via SSH (like this one). I don’t know if it works with Debian (probably), Armbian and/or Raspbian.

1 Like

A simple way to get a system with disk encryption, is to setup debian with disk encryption (you can choose lvm encryption in partition step). Next you turn into yunohost your debian via the install script.

It allow you to uncrypt your server with a simple keyboard, no need of screen, just type your passphrase 20s after booting.

If you want to give your passphrase via ssh or a webpage, it’s more complex.

1 Like

What about using stacked filesystem encryption? It would work regardless of the filesystem structure beneath it, it wouldn’t leave the system unbootable, and it would be able to leave yunohost in a “my services are stopped because I’m waiting for the admin to enter the unseal password” state.

1 Like

The way I do FDE on my server is I have a Raspberry Pi Zero connected to the server via USB. The Pi emulates a USB keyboard, so I can SSH into the Pi to enter my password into the server.

2 Likes

Whoa, that’s an interesting use for a Raspberry Pi Zero.

1 Like

You should use dropbear-initramfs. With cryptsetup to unlock the fullencrypted root system by ssh. But I was thinking on an initramfs tiny web server to create a small webpage and ask for the encryption passphrase via web. The problem was security.
I have a step by step to make it available on an odroid xu4 but each time I update the system I run I’m trouble.

PS my plan was more obscure as the end. I plan to put yunohost in a lxc VM. Which is hosted on a ceph volume. But I have no time for that. And more project abandon 32bits arch.

3 Likes

I didn’t know about initramfs-dropbear, thanks!

1 Like

I followed this guide : Ubuntu guide: Dropbear SSH server to unlock LUKS encrypted PC | Paolo Brocco Works

It works like a charm on Yunohost.

We could add this here : Security | Yunohost Documentation

1 Like

Hey Mamie ! What do you use for encrypting an external partition ? Btrfs, zfs, lvm ? Thanks !

As I am a noob, the 2 encrypted disks use different ways…
The internal disk is crypted via LVM, the external via Cryptsetup (and the backup disk is not, but borg crypt the data on it’s own)

Thanks !

Hi lvm is not an encryption tool but a logical volume manager. To simplify it is a software that do the same as hardware RAID. It concatenate or divide disks in virtuals disks.

Cryptsetup is the encryption tool.

2 Likes

Yes it new for me as well. I’ll try to crypt my external backup drive with LUKS.

1 Like

For those who might want to do the same, I used these tuto:

And the answer of this one to backup LUKS header Quelle est la résistance des volumes chiffrés VeraCrypt et LUKS contre la corruption des données?

2 Likes

Hi to you all!

I am doing some research on how to encrypt my YunoHost VPS, and I see many potential solutions here. Nevertheless, I am not good with complex technical practices.

As the original post mentions, it would be extremely useful if there was a unitary default opt-in solution for full disk encryption.

Do you know if anyone is working or has ever worked on that?

Thanks a lot!
Tommi

I am considering enabling LUKS disk encryption to my server, and I was wondering which of the methods above (or any others) people would recommend.

I currently sign in to my server using SSH and a password (not an SSH key), and in my partitions, my /home folder is contained within / (root), it doesn’t have a separate partition. It was a standard GUI installation; I didn’t modify the partitions.

The dropbear method (above) seems easy enough, but will I need to switch to using an SSH key to sign in, instead of a password? If not, then would this avoid having to follow ‘Stephen’s encrypted home directories’ instructions (linked in the dropbear instructions)?

Edit

I’ve learned the hard way that those instructions expect you to have disk encryption (LUKS) set up already. Do not attempt until this is in place!