Will's avatar

⬅️ See more posts

A question about encryption for self-hosting

5 March 2023 (3 minute read)

🏷️ technology 🏷️ selfhost

An AI generated image of someone stealing a server.

I self-host a number of services - Nextcloud, FreshRSS, PhotoPrism etc. - at home on a Raspberry Pi. Attached to this Pi is a large SSD to hold the service data and configuration, and all of this is periodically backed-up via Restic to a remote site.

The SSD is simply formatted with ext4, and the directory containing all of these services and data is currently encrypted using fscrypt. I (mainly) want to encrypt the data in order to protect against the case of break in and theft in my house, however likely or unlikely that is to occur.

However, the downside of this mechanism is that each time the power drops in the house (a fairly frequent event these days with constant building work going on), the directory is unable to auto-decrypt and so the services do not launch properly until I manually unlock the directory using a passkey.

Whilst this works fine, the approach feels a bit clunky. I wondered if anyone had any alternative solutions to managing this. I’m certainly not an expert in encryption mechanisms, but below I outline three approaches I’ve wondered about.

Option 1: fscrypt PAM decryption

I notice from the documentation that directories can be automatically unlocked at login-time through PAM. Is there a secure way to auto-login a user after boot (and drive-mounting) such that the directory is ready by the time the Docker daemon restarts the service containers?

Option 2: Full-disk encryption with LUKS

In the past, I’ve used LUKS to encrypt entire volumes, and crypttab to handle the unlock automatically at boot-time. I could use this to encrypt the entire volume on the SSD.

My concern with this is that (in my own way of thinking about it!) the encryption key must be stored unencrypted on the root/boot filesystem in order to facilitate the automatic unlock. If the device was to be stolen, this key would be available to anyone checking the filesystem. I may be misunderstanding the encryption approach here, or perhaps over-estimating an average thief’s technical ability.

Option 3: Resistance to power drops

My final thought on this is to address the root cause of the issue, and to find a solution that keeps the Pi booted when there is no mains power. For example, this could be accomplished with a UPS (Uninterruptible Power Supply).

My ask

I understand that this must not be a rare problem. If you’ve had similar experiences and have found a solution that works well for you, I’d love to hear from you!

Please reach out to me on Mastodon (@wilw@fosstodon.org) or via email (blog@wilw.dev).

📲 Enjoyed this article? Subscribe to updates!

If you would like to read more posts like this, then you can subscribe via RSS.