this post was submitted on 01 Apr 2025
84 points (98.8% liked)

Selfhosted

45419 readers
539 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
HybridSarcasm@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
84
Encrypting data on local servers? (feddit.org)
submitted 2 days ago by unskilled5117@feddit.org to c/selfhosted@lemmy.world
26 comments fedilink hide all child comments
 

I am looking for some recommendations on how to secure the data of my physical servers (against physical theft), that I am about to set up. I am new to selfhosting but have a few years of experience running Linux on a desktop.

My usecase is a simple debian(?) server at home with Paperless ngx and Tailscale for when I am away from home. 

The question is how to encrypt the data while still being able to keep the server updated.

Coming from Desktop my first thought was to simply enable FDE on install. But that would mean supplying the password everytime the server needs to reboot for an update. Could someone provide some insights on how often updates to debian require a reboot? 

My second thought was to use an encrypted data partition. That way the server could reboot and I could use wireguard to ssh in and open the partition even when I am away from home for a longer time.

I am open to other ideas!

you are viewing a single comment's thread
view the rest of the comments
[–] samsapti@feddit.dk 1 points 2 days ago

I've been there, I used the "encrypted partition to be unlocked after boot via SSH"-option, but it quickly became tedious to have to input the password every time it rebooted. I wanted something that could recover by itself (I.e. start everything up again after a potential crash), so that I could maximize uptime and the investigate the crash later.

So I ended up disabling encryption. What I did instead was to find services with E2EE for my most sensitive stuff. Joplin for my personal notes is currently the only thing I have encrypted. Nextcloud has experimental E2EE, though I'm not really using it as of right now. Everything I deem too sensitive to trust my server with unencrypted, I store on encrypted flash drives.

I think the risk of the server itself being compromised/hacked is bigger than physical theft (at least in my case), and if you take some good precautionary measures, even that risk is pretty small unless you're being directly targeted by a skilled adversary. If the latter is the case, don't store sensitive stuff on something with an IP address.