yes
You can encrypt any drive with LUKS. But you need to unlock it individually. And if you use ZFS you can use the ZFS native encryption.
Encrypted drives won't give you any protection as long as they are unlocked. So with that in mind its a good thing to have additional encrypted drives that you may only unlock if you really need to access it. For example a dedicated drive as backup storage. If you only do manual backups once a month or so, it would be useful to just unlock it as long as you need it, so most of the time the backups are encrypted and unaccessible.
Docker will run inside a LXC but as far as I know the staff is still recommending installing Docker to a VM. And if you want to run some services that are accessible from the internet or you need to mount some SMB/NFS shares I would always choose VMs and not LXCs. They are just more secure because of the better isolation and less annoying to manage. For example you can't mount any SMB/NFS shares inside a unprivileged LXC. And if you mount that share on the host and use bind-mount to bring it into the LXC you can't use snapshots anymore.
I must have asked that LUKS question about half a dozen times but it only just clicked why I cannot see it when setting up because you used the word unlock lol, thanks!
That really depends. I want all my disks unlocked while or right after boot so that everything is always accessible. I don't have data thats needs to be super secure and therefore it doesn't need to be decrypted on the fly. The two benefits I want are:
What I want is pretty much what you described. If a drive dies or if someone steals them (or the server) I don’t want to worry about if they have access to my data. I understand the risks of hackers or whatever being able to penetrate while they are live, it’s more about if they are ever taken away.
enjoying the testing but that’s why I prefer a separate nested instance lolSure, pepending on your hardware you could also try to PCI passthrough a NIC to the VM so the VM got direct physical access to the NIC without virtio virtualization.
That depends. Does your router support LACP?
I don't know that.
If I mess around with the network interfaces I try to only change one NIC at a time so that I atleast always have one working connection to be able to SSH into the system to manually change the "/etc/network/interfaces".I was messing around with the networking and other settings and screwed it up to the point of needing a reinstall
In theory yes, as one can shoot themselves in the foot, but I'd not recommend both of that at all.
It does not, so I guess that’s a No… I could still use the end NIC exclusive to a specific VM right? I tried adding both to the virtual bridge but it wouldn’t work. If I try to create a second bridge it says I can’t use the same subnet. Lots to learn I guess!
I think I created some kind of loop and the system wouldn’t boot at all. The router also went offline. May have been a coincidence but I couldn’t even SSH in afterwards which was weird. It was easier to reinstall than to try to fix it as it was a fairly new test setup.
If you want to add both to a bridge you need to create a bond first so both NICs team up to work as a single NIC. There are some types of bonds that will work without LACP (active-passive/failover for example) but without LACP you won't get loadbalancing and therefore no better bandwidth.
I don't talk about PCI slots. Your onboard devices should use PCIe too. So you can PCI passthrough onboard stuff like the NICs.
