Hello.
I bought a second laptop and want to make a home server out of the old one to run all sorts of useful stuff on it. I want to use full disk encryption on it!
In this case, I will have only two partitions: the ESP, where only the bootloader file will be stored, and a LUKS partition with LVM volumes for / and /home.
Now the most confusing part: how can I remotely unlock the system (enter the password) so that I don’t have to go to another room, climb onto the cabinet, open the lid and enter the password?
The “home server” will be connected to the router on OpenWrt 24/7, if that matters.
Here are the results of looking up "unlock luks encryption on boot remotely":
https://askubuntu.com/questions/996155/how-do-i-automatically-decrypt-an-encrypted-filesystem-on-the-next-reboot
https://www.privex.io/articles/unlock-luks-remotely-ssh-dropbear/
https://github.com/Am0rphous/Unlock-LUKS-Encryption-Remotely
https://www.cyberciti.biz/security/how-to-unlock-luks-using-dropbear-ssh-keys-remotely-in-linux/
Good luck! ;)
Edit: there's also this (https://discuss.privacyguides.net/t/remote-access-after-reboot-for-full-disk-encryption/18819). It looks like everything's easier if /boot is not encrypted, and since it's a home server, I don't really see a need for it (the choice is up to you though).
This is NOT FDE! Don't litter!
Yeah, sorry, my bad, the first 4 links aren't exactly what you want. But doesn't the last one from privacyguides.net answer your question?
Maybe a TinyPilot would work for your setup - it's a DIY ILO port for your server.
https://github.com/tiny-pilot/tinypilot
There may be similar projects out there like this too.
I have a friend who got me hooked on artix, which has its own tiny bootloader with encryption support and remote unlocking.
That is, you send such a computer a WoL packet directly from the terminal and in response you get an SSH invitation. But he is in no hurry to share the code, because "The world is not ready for this yet."
Perhaps TinyPilot or something similar is the only option. Thank you!
Tell your friend to never ever mention that again and make sure you forget his name, for his own sake.
Why is that? Seriously, I would shout this to everyone, and I still couldn't digest or assimilate the phrase "The world is not ready for this". You know something, admit it! :)
If said friend is able to program such magick and says "the world is not ready for this", I'd believe him.
Btw, FDE is useful on portable devices, like laptops and mobile phones, so that a thief can't just get your data.
For servers, FDE is not necessary, but you can encrypt data partitions like /, /home or swap, leaving /boot unencrypted,
or you can install some distro without encryption, then install an encrypted Linux distro inside a virtual machine; that way you can access the server easily.
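As an added example, not code from anyone in this thread: the unencrypted-/boot layout described above is exactly what lets a small SSH server run inside the initramfs so the LUKS root can be unlocked from another room. The script below generates that configuration in the Debian/Ubuntu `dropbear-initramfs` style. Everything in it is an assumption on top of the thread: the `/etc/dropbear/initramfs` paths, the `cryptroot-unlock` helper, the sample address 192.168.1.50 and port 2222, and the `ROOT` prefix that lets you dry-run it into a scratch directory before touching the real system.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the dropbear-initramfs config
# that answers a LUKS passphrase prompt over SSH during early boot.
# Assumptions: Debian 12+/Ubuntu file layout, a static LAN address, and /boot
# kept unencrypted (here: on the ESP) so the initramfs can run before the
# LUKS volume is opened. Nothing below runs unless called with "install".
set -eu

# Prefix for all written paths; set ROOT=/tmp/scratch to dry-run.
ROOT="${ROOT:-}"

# Constructed sample values; override via the environment for a real server.
SERVER_IP="${SERVER_IP:-192.168.1.50}"
GATEWAY="${GATEWAY:-192.168.1.1}"
NETMASK="${NETMASK:-255.255.255.0}"
IFACE="${IFACE:-eth0}"
UNLOCK_PORT="${UNLOCK_PORT:-2222}"

# dropbear flags: -s no password logins, -j/-k no port forwarding in either
# direction, -I idle timeout in seconds, -p a port distinct from the real sshd
# (the initramfs has its own host key, so a separate port avoids known_hosts
# mismatches with the normal login).
write_dropbear_conf() {
    mkdir -p "$ROOT/etc/dropbear/initramfs"
    cat > "$ROOT/etc/dropbear/initramfs/dropbear.conf" <<EOF
DROPBEAR_OPTIONS="-I 180 -j -k -p $UNLOCK_PORT -s"
EOF
}

# Only the key installed here can reach the unlock prompt.
install_unlock_key() {
    pubkey="$1"
    mkdir -p "$ROOT/etc/dropbear/initramfs"
    printf '%s\n' "$pubkey" > "$ROOT/etc/dropbear/initramfs/authorized_keys"
    chmod 600 "$ROOT/etc/dropbear/initramfs/authorized_keys"
}

# The root filesystem is still locked when dropbear starts, so the address
# comes from the kernel command line (ip=client::gateway:netmask:host:dev:off).
# Add the result to GRUB_CMDLINE_LINUX in /etc/default/grub, then update-grub.
kernel_ip_param() {
    printf 'ip=%s::%s:%s:homeserver:%s:off\n' "$SERVER_IP" "$GATEWAY" "$NETMASK" "$IFACE"
}

# What you type on the other laptop after a reboot; cryptroot-unlock prompts
# for the LUKS passphrase and hands it to the waiting cryptsetup.
unlock_command() {
    printf 'ssh -p %s root@%s cryptroot-unlock\n' "$UNLOCK_PORT" "$SERVER_IP"
}

# Real install on the target (as root), e.g.:
#   sh remote-unlock.sh install "$(cat ~/.ssh/id_ed25519.pub)"
if [ "${1:-}" = "install" ]; then
    install_unlock_key "$2"
    write_dropbear_conf
    echo "Add to GRUB_CMDLINE_LINUX: $(kernel_ip_param)"
    # Rebuilding the initramfs only makes sense on the target itself.
    [ -z "$ROOT" ] && update-initramfs -u
    echo "After reboot, unlock with: $(unlock_command)"
fi
```

The initramfs SSH server only ever sees the LUKS passphrase prompt, so keep its key list to the one admin key and leave password logins disabled; once the root volume is open the normal sshd takes over on its usual port.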