Do you encrypt your data drives?

Fellow selfhoster, do you encrypt your drives where you put data to avoid privacy problems in case of theft?
If yes, how? How much does that impact performance?
I selfhost (amongst other services) NextCloud where I keep my pictures, medical stuff, ... in short, private stuff and I know that it's pretty difficult that a thief would steal my server, buuut, you never know! 🤷🏻‍♂️

JoeKrogan ,

On laptops yes, on my server no. Most of the data is photo backups and Linux ISOs from over the years.

Gooey0210 ,

Yes, all, no matter what the data is. It's not hard and doesn't have any consequences, but protects from many inconvenient accidents.

tired_n_bored ,

No. I run my servers on low quality shit and I expect them to break any time. Never had to perform a data recovery but if I need, I'll thank myself I didn't encrypt my pics

Kcg ,

Power user move!

h3ndrik , (edited )

Yes.

I encrypt about everything. Laptop, server, backups, external hdds that are just for me. (Only thing I don't encrypt is a VPS. It's hosted on somebody else's hardware and they'd be able to break the encryption anyways if they wanted.)

I just put LUKS on it before formatting a filesystem. For the OS I use the good old approach with LUKS and a LVM inside.

I mean, if you don't encrypt the backups, the encryption of the system is kind of meaningless, isn't it?

Smash ,

No

Kolanaki ,

I don't do anything that warrants it, but if I did have sensitive data that I was worried about being stolen, those drives would be in a system completely cut off from the Internet to prevent remote theft, and encrypted in the event of a physical theft. If I was especially paranoid, I'd booby trap the drives to wipe themselves if they are tampered with.

onlinepersona ,

I want to, but haven't found the time to make a strategy on how to move over the data. It would take a bunch of shuffling as all drives are in use. The next problem is decrypting at boot and securely storing the decryption key - if I choose to use a decryption key at all. Maybe it'll be a USB key that I have to plug into the server when starting it, or I have to set up decryption of the system over SSH, but that means automated restarts are... difficult.

Not sure how to tackle the problem yet...

rockstarmode ,

I use separate disks for data storage and my OS. That way a headless system can boot and all the services like SSH can become available, and I can decrypt the data drives remotely.

When there's an unexpected reboot I can still get into my system and decrypt remotely which is nice. I can also move the data storage disks to another system without too much hassle.

I did have to make sure some services were fault tolerant if an encrypted volume was unavailable when the OS booted. An example of this might be torrenting software, I needed to make sure the temporary storage was on an encrypted volume. The software had a sane fault mode when the final storage location was unavailable, but freaked out for some reason when the temp storage was missing.

Once set up the whole thing is pretty easy to manage.

onlinepersona ,

I did have to make sure some services were fault tolerant if an encrypted volume was unavailable when the OS booted

How did you achieve that? systemd dependency?

Anti Commercial-AI license

rockstarmode ,

I'm pretty sure I didn't mess with systemd, though that would probably be the right way to handle it.

I was able to update a runtime config so if any storage wasn't available it just halted the service. Then I created a short script I'd invoke manually which decrypted the LUKS drives and brought the dependent services up. I also added monitoring to alert me when the drives weren't available for whatever reason.
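The "halt the service if the encrypted storage isn't there" pattern rockstarmode describes in both replies, as an added example (not rockstarmode's own script or config): a POSIX sh gate that checks the mount table before starting a service and halts with a non-zero status otherwise, so a manual unlock script or a supervisor can bring it up later. The mount points (/srv/data, /srv/scratch) and the service command are assumptions for illustration; the mount table used in the demo is constructed sample data, and on a real host you would pass /proc/mounts instead.

```shell
#!/bin/sh
# Added example, not rockstarmode's own script: gate a service on its encrypted
# volumes being mounted, so it halts cleanly instead of misbehaving when the
# LUKS data drives have not been unlocked yet after an unexpected reboot.
# The mount points (/srv/data, /srv/scratch) and the service command are
# assumptions for illustration.

# storage_ready MOUNTS_FILE MOUNTPOINT...
# Returns 0 when every MOUNTPOINT has an entry in MOUNTS_FILE, which is a
# /proc/mounts-style table (pass /proc/mounts on a real host).
storage_ready() {
    mounts_file="$1"; shift
    for mp in "$@"; do
        # /proc/mounts fields: device mountpoint fstype options dump pass
        # (paths containing spaces appear escaped as \040 there; not handled here)
        if ! awk -v mp="$mp" '$2 == mp { found = 1 } END { exit !found }' "$mounts_file"; then
            echo "storage_ready: $mp is not mounted" >&2
            return 1
        fi
    done
    return 0
}

# start_if_ready MOUNTS_FILE SERVICE_CMD MOUNTPOINT...
# Runs SERVICE_CMD only when all volumes are present; otherwise halts with
# status 1 so the manual unlock script (or a supervisor) can retry later.
start_if_ready() {
    mounts_file="$1"; service_cmd="$2"; shift 2
    if storage_ready "$mounts_file" "$@"; then
        $service_cmd
    else
        echo "start_if_ready: halting, encrypted storage not available" >&2
        return 1
    fi
}

# make_sample_mounts: writes a constructed /proc/mounts-style table (sample
# data, not captured from a real host) to a temp file and prints its path.
make_sample_mounts() {
    sample_file=$(mktemp)
    cat > "$sample_file" <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/dev/mapper/data /srv/data ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
EOF
    echo "$sample_file"
}

# Stand-alone demo against the constructed table: the first call starts the
# "service", the second halts because /srv/scratch (the temp volume that only
# exists once the LUKS drive is unlocked) is missing from the table.
demo_mounts=$(make_sample_mounts)
start_if_ready "$demo_mounts" "echo demo: service started" /srv/data
start_if_ready "$demo_mounts" "echo demo: service started" /srv/data /srv/scratch || echo "demo: service halted (exit $?)"
rm -f "$demo_mounts"
```

For the systemd route onlinepersona asks about, the same effect comes from the unit file rather than a script: `RequiresMountsFor=/srv/data /srv/scratch` in the `[Unit]` section makes systemd order the service after those mount units and fail it, rather than start it, while the encrypted volume is still locked; `ConditionPathIsMountPoint=` gives a softer check that skips the start silently. The script above is useful where the service is not under systemd (a container, for example) or where you want the explicit log line for the monitoring rockstarmode mentions.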

pHr34kY ,

I did have LUKS and a USB flash drive with a key to be inserted on boot. It was definitely difficult and caused performance issues. It was particularly difficult to add/remove drives from the array. These days I only encrypt my off-site backups that sit at the office where my coworkers potentially have physical access.

There have been recent advancements in TPM so disk encryption is easier to maintain and doesn't affect performance. I'll need to investigate this one day. My server/NAS is a 4th-gen i5, so it may not support the functions I would need. Full disk encryption will land in Ubuntu soon. I'm hanging out for that.

tills13 ,

Anyone who says yes is either a professional in a field already requiring it (is aware of how to do it and what it means), retired (has unlimited time to tinker), or is Edward Snowden. For the average person, you don't need to encrypt your disks.

peregus OP ,

Well, since I've discovered that with AES-NI it doesn't impact performance, I don't see why not do it.
I've had a look at a couple of guides and it doesn't seem to be so difficult.

pyrosis ,

Yup, and negligible. If I'm forced to contend with a Windows environment, BitLocker is utilized.

I also utilize a RAM disk in a Windows OS. ImDisk in Windows. I migrate temp files and logs into the RAM disk. It saves on disk writes and increases privacy.

It's pretty straightforward to encrypt if utilizing Linux right from install time.

As for my server I too utilize nextcloud. However, the nextcloud data is on a zfs dataset. This dataset is encrypted.

I did this by installing nextcloud from docker running within a proxmox container. That proxmox lxc container has the nextcloud dataset passed into it.

peregus OP ,

I did this by installing nextcloud from docker running within a proxmox container. That proxmox lxc container has the nextcloud dataset passed into it.

That's almost what I'm doing (I'm using a VM in Proxmox where I install all my Docker containers).
Right now I'm thinking about encrypting only the data volume (an NFS share from the Proxmox host) since all the sensitive data will be there.

hperrin ,

I have two WebDAV shares, one unencrypted and one encrypted. The unencrypted one is for things that need to be read by other services, like legally obtained movies and tv shows. The encrypted one is for porn, mostly (also stuff like tax documents, legal contracts, etc).

This is the server I use

https://hub.docker.com/r/sciactive/nephele

It’s really easy to set it up for encryption. Also, I wrote it. :)

z00s ,

Do you honestly encrypt your porn? Why? (Assuming it's legal)

markstos ,

How are you certain all your porn is legal?

z00s ,

I think we both understand the intention behind my statement

h3ndrik ,

Good question. I don't have a clue either. It doesn't contain any personal information. (Unless it's self-made.) Usually isn't unique. And nobody cares as there's an abundance of porn available everywhere on the internet.

Unyieldingly ,

On my NAS I do, and work data as well.

Decronym Bot , (edited )

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
LVM (Linux) Logical Volume Manager for filesystem mapping
MQTT Message Queue Telemetry Transport point-to-point networking
NAS Network-Attached Storage
NFS Network File System, a Unix-based file-sharing protocol known for performance and efficiency
Plex Brand of media server package
SATA Serial AT Attachment interface for mass storage
SSD Solid State Drive mass storage
SSH Secure Shell for remote terminal access
VPS Virtual Private Server (opposed to shared hosting)
ZFS Solaris/Linux filesystem focusing on data integrity
Zigbee Wireless mesh network for low-power devices

12 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.

[Thread for this sub, first seen 17th Apr 2024, 08:25]

StructureOfChaos ,

Use Cryptomator to have your data safe from prying eyes.
