On 5/16/25 11:59 AM, whiteman808 wrote:
Hello,
Hi,
Are there any advantages from putting Linux on encrypted root at bare
metal server ...
I think so.
But I've not yet done it myself. I've only used LUKS for a data file
system.
... if I often access remotely server from ssh, and sometimes need
to reboot it?
I don't think the method or frequency of access alters the advantages of
FDE.
What about key supplied during unlocking server after reboot or
manually power on? Giving remotely password doesn't seems safe to me.
I think this is where an OoB console access to provide the key, or
initial RAM disk based SSH server can come into play.
I've actually had FDE provide /faster/ access to data than unencrypted
for weird reasons related to caching.
There's also, destroy the key and the drive is cryptographically
sanitized and available for re-use without concern.
I added a key to the FDE on my work notebook a couple of jobs ago and
had that key stored in a 4 MB partition (smallest I could make) on a
flash drive. (Raw partition, not file.) So when I booted my computer
in the dock, the key could be found and automatically unlock the FDE.
If I booted not connected to the dock, I had to enter my FDE password.
I want to protect against burglary and I'm not sure whether doing full
disk encryption is a right way to go. Maybe should I just instead
of trying to focus on the software side try to take more care of
physical security?
Are you worried about disk theft or system theft?
The former is easier to protect against than the latter.
Take a look at a solution that Red Hat supports. I'm sure Gentoo can be
made to support it:
Clevis (client) and the Tang server
It's meant to be a way for servers to unlock FDE. I don't remember the
particulars at the moment.
--
Grant. . . .