this post was submitted on 07 Dec 2023
45 points (100.0% liked)

Selfhosted

40083 readers
780 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hi there ! I have a little box at home, hosting some little services for personal use under freebsd with a full disk encryption (geli). I'm never at home and long power outage often occurs so I always need to come back home to type my passphrase to decrypt the disk.

I was searching this week a solution to do it remotely and found the "poor-guy-kvm" solutions turning a Raspberry like board (beaglebone black in my case) in a hid keyboard. It works fine once the computer has booted but once reboot when the passphrase is asked before it loads the loader menu, nothing. When I plug an ordinary USB keyboard I can type my passphrase so USB module is loaded.

Am I missing something ? Am I trying something impossible ?

(I could've asked on freebsd forum but... Have to suscribe, presentation, etc... Long journey)

you are viewing a single comment's thread
view the rest of the comments
[–] jellyfish@sh.itjust.works 4 points 11 months ago (1 children)

You gave some options

  • TPM 2 based disk encryption. This is basically what bitlocker does, but it isn't great. It uses an encryption key stored on your TPM chip, that shouldn't ever be accessible to be exported. This means the disk should only be decryptable in the machine it's in. That in conjunction with secure boot can give you some guarantees that the only way to access data is through the the computer itself (no pulling the disk first). The issue is there are many potential vulnerabilities that could subvert this, logoFAIL being the most recent.

  • You could setup a proper KVM. The two gotos are PiKVM and TinyPilot. Jeff Geerling did a good video on these. It'll cost a few 100 bucks but can definitely be worth it. You might consider a motherboard with a builtin KVM in your next build too.

  • Setup NBDE (Network Bound Disk Encryption). This is pretty new, but what I'm planning to move to. Redhat has an implementation with Tang & Clevis (server and clients). You might be able to eventually use Clevis with other alternative backend too.

[–] Jean_Mich_Much@jlai.lu 1 points 11 months ago

Thanks for your answer ! Someone already mention TPM, I will check about that when I will have free time. Already try pikvm and tinypilot with no success unfortunately.. Didn't know NBSDE, will take a look too !