this post was submitted on 03 Feb 2024
16 points (100.0% liked)

Selfhosted

40313 readers
287 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I currently have a storage server with the following config.

Multiple raid6 volumes (mdadm) -> aggregated into a lvm volume group -> lvm volumes -> encrypted with luks1 -> (no partitioning) xfs file systems mounted and used by the os

I have the following criteria: I want to keep software raid (mdadm) with multiple raid sets, xfs, and lvm. I don't mind using 2fa, but I don't want to just store my secret keys on a dongle attached to my PC because that seems to defeat the point of encryption at rest.

My questions:

  1. Is there a better way to encrypt my data at rest?

  2. Is there a better layer at which to apply the encryption?

I'm mostly unhappy with luks1 over a whole lvm volume and looking for alternatives.

--

Thank you everyone for these great responses! I'll be looking into these ideas :)

you are viewing a single comment's thread
view the rest of the comments
[–] Max_P@lemmy.max-p.me 9 points 9 months ago (1 children)

You can layer them however you want, so you can slap luks on the physical drives, or the mdraid, or the individual LVM volumes as you do right now. If the entire setup is either locked or unlocked, luks between the raid and LVM PV makes sense. Having luks on the individual LVs have the advantage that you can have your data partially unlocked.

2FA is complicated. You can use a second factor like, you need to enter both a password and be in possession of the flash drive, but you can't do it with the standard TOTP codes because you need the key to validate them in the first place.

One thing you can explore is TPM: the computer can detect if it's been tampered with, and if all checks out, it will unwrap the key. You can add a password or flash drive as a second factor. There's also the whole smartcard rabbit hole.

What exactly are you unsatisfied with? I think that's a better starting point to advise on.

[–] socphoenix@midwest.social 5 points 9 months ago

Second the key-password combo. It keeps the keys you have on the flash drive but adds a password component that thieves would need to figure out as well. Just make sure to pick a good password!