Debian Encrypted Volumes (auto-Boot)

Chris Welber

Mar 14, 2016
I understand the way to get the entire Proxmox server working on an encrypted host is to build a Debian encrypted system using LUKS and then manually pull down proxmox. My question is how do folks get this to securely and automatically mount so you don't need to manually enter the password each time?

Thanks!
 
This is, safety-wise, technically impossible. It is only secure if you have your password NOT stored on the machine you're encrypting.

It's like having a Fort Knox-grade security system with the master key under your doormat. It does not make sense!

If you still want to do it, you can use a USB storage device as key file input. But I do not advise it.
 
some people use dropbear or another small sshd put into the initramfs to enable remote unlocking of the disks:
  1. BIOS/UEFI
  2. grub
  3. initramfs
  4. dropbear listens for connections
  5. connect remotely and enter passphrase(s)
  6. mount decrypted disks
  7. rest of the boot
but since the bootloader and /boot (including initramfs and kernel) are unencrypted and not physically controlled and protected by you, this does not gain you much in terms of security compared to entering the passphrases simply via remote KVM. but it works without remote KVM, which I guess is not available / too expensive / desired in some places ;)

automatically unlocking the disks on boot via some keydevice is at best just a means to dispose of the encrypted disks without shredding when they are not needed anymore / broken / .. (at least as long as you don't throw them away together with the key).

so I would say the first question is - why do you want to encrypt your disks? or in other words, what is your threat model?
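
As an added example (not part of the thread or of any Proxmox or Debian tooling), the script below classifies each `/etc/crypttab` entry by where its unlock secret comes from, so the "key stored on the machine" and "key device" cases discussed above can be spotted in an audit. The sample crypttab is constructed and the class labels are names chosen for this example.

```shell
#!/bin/sh
# Classify crypttab entries by the source of their unlock secret.
# Fields per crypttab(5): <target> <source device> <key file> <options>

classify_crypttab() {
    # Reads crypttab text on stdin, prints "<target> <class>" per entry.
    while read -r target source key opts; do
        case "$target" in ''|'#'*) continue ;; esac    # skip blanks/comments
        case ",$opts," in
            *,keyscript=*) class=keyscript ;;           # secret produced by a script: review it
            *)
                case "$key" in
                    ''|none|-) class=passphrase-prompt ;;          # a human must type it
                    /dev/urandom|/dev/random) class=random-key ;;  # throwaway key, e.g. swap
                    /dev/*) class=key-device ;;                    # read from a block device
                    *) class=keyfile-on-disk ;;                    # path on a mounted filesystem
                esac ;;
        esac
        echo "$target $class"
    done
}

doormat_keys() {
    # Targets unlocked from a key file path, i.e. the key may sit on the
    # same machine as the encrypted volume.
    classify_crypttab | awk '$2 == "keyfile-on-disk" { print $1 }'
}

sample_crypttab() {
    # Constructed sample input, not taken from a real host.
    cat <<'EOF'
# <target> <source device> <key file> <options>
root_crypt UUID=00000000-0000-0000-0000-000000000001 none luks,initramfs
data_crypt UUID=00000000-0000-0000-0000-000000000002 /etc/keys/data.key luks
usb_crypt  UUID=00000000-0000-0000-0000-000000000003 /dev/disk/by-label/KEYSTICK luks
swap_crypt /dev/sda3 /dev/urandom swap,cipher=aes-xts-plain64,size=256
EOF
}

sample_crypttab | classify_crypttab
```

On a real host, run `classify_crypttab < /etc/crypttab`; only `passphrase-prompt` entries require someone to supply the secret at boot.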
 
Yes, what @fabian described works perfectly and I read an article about Proxmox and exactly this scheme some time ago. Please google, I'm sure you'll find it. Yet you have to type in your password after all.
 