How to unlock encrypted drives on a headless server?

I'm planning a homemade NAS-build with the following features:

  • Standard Ubuntu server installation with SSH server
  • Two Btrfs RAID1 drives on encrypted HDDs with dm-crypt
  • NFS shared folders from within the Btrfs RAID
  • Headless/limbless: Box sits in a corner without any display or peripherals

The idea is to have a redundant and checksummed network storage that is encrypted, so no personal data can be read in case it got stolen.

The problem I'm expecting is that if the system needs to be restarted (because of power outage or a kernel update), I can't manually unlock the drives on boot, because there is no video/keyboard attached. That means that the drives can't be decrypted and the Btrfs RAID is not opened on boot, which means no NFS share is available.

Has anybody attempted this and what is the best way to unlock the drives?

Is there a way to load SSH early enough to be able to enter the drive unlock key on another system?

I also thought about using a keyfile in a dm-crypt keyslot, but that would be a huge security hit, because a potential thief can just retrieve it or boot the system as it is then.
