O, I fully intend to. Just wanted to ask for opinions who have done it or have tried other things while I'm sitting here waiting for an appointment.

Plus content... Lemmy... Engagement. If nobody posts then there's nothing here

+1

This is my setup as well, having a headless Fedora server, being able to unlock over SSH makes things a breeze.

If I'm reading the docs correctly, Clevis can rely on a separate Tang server for retrieving the decryption key, right? So in that scenario I'd need to have another machine for Tang that can also auto-boot without entering a boot/LUKS password. Otherwise, if both machines (server+clevis and Tang server) were in the same room and restarted due to power loss, neither would be able to boot if both were encrypted... or did I misunderstand something important?

And I don't think I actually want "automatic" unlocking. I just want to be perform the unlock (enter LUKS password) remotely. I realize that comes with manual intervention (entering the password remotely) but I'm okay with that. I should probably have clarified that by "home server" I mean a machine the serves nice to have stuff, nothing mission critical. Plus I'm really the only one who uses it currently so I'll notice it's down when something doesn't work and can then initiate the remote unlock/boot : D

Clevis is interesting but I don't think it matches my specific situation. Glad I know about it now though, thanks for the info.

If you just want to remotely interact with LUKS to unlock it, I think dropbear-initramfs module is your only option.

Clevis+Tang is essentially the same thing but automatic, and yes it does require a separate machine and network access to that machine.

Just one... For now 😀

It's a Lenovo Tiny refurb and came with a 1TB NVMe which is plenty for playing around but I'll have to expand if I move my Jellyfin instance to it.

Ah, nice ok. Your post got me to look at dropbear a little more closely, but since I got a bunch of disks, I think USB unlock makes more sense in my setup. I'm using a keyfile on the USB to unlock a bunch of disks on boot. But if I only had one, then dropbear would be more doable for me.

Neat! Interesting post!

Cool! I might install something like this someday.

Do you use secure boot? What device is your server? I would use my laptop for that, but not sure if that's how it should work.

This is interesting, another one I hadn't heard of yet. And, the server is running Debian : )

I enjoy the intro too :

You know how it is. You’ve heard of it happening. The Man comes and takes away your servers, your friends’ servers, the servers of everybody in the same hosting facility. The servers of their neighbors, and their neighbors’ friends. The servers of people who owe them money. And like that, they’re gone. And you doubt you’ll ever see them again.
That is why your servers have encrypted root file systems

In addition to drives being safer to replace and sell, encryption at rest should also protect against theft. So the scenario being someone taking the server or its drives.
At least for me encrypting the drives gives a bit more peace of mind seeing as credentials for various accounts aren’t easily retrieved from the disks.

But yeah, this does not protect from data being read at runtime