I am looking for some recommendations on how to secure the data of my physical servers (against physical theft), that I am about to set up. I am new to selfhosting but have a few years of experience running Linux on a desktop.
My usecase is a simple debian(?) server at home with Paperless ngx and Tailscale for when I am away from home.
The question is how to encrypt the data while still being able to keep the server updated.
Coming from Desktop my first thought was to simply enable FDE on install. But that would mean supplying the password everytime the server needs to reboot for an update. Could someone provide some insights on how often updates to debian require a reboot?
My second thought was to use an encrypted data partition. That way the server could reboot and I could use wireguard to ssh in and open the partition even when I am away from home for a longer time.
I am open to other ideas!
Since I already use ZFS for my data storage, I just created a private dataset for sensitive data. I also have my services split based on if it’s sensitive or not, so the non sensitive stuff comes up automatically and the sensitive stuff waits for me to log in and unlock the dataset.
Not using ZFS but a similar approach: All my data (paperless, and other docker container data) is encrypted with LUKS on a separate disk. The OS is running unencrypted on the SD card (using a Raspberry Pi). This way I can swap out the system and relink the docker container data if needed. Yes, I do need to unlock after a reboot, but since the system is fully up, that’s done easily via ssh.
Still looking into ways to unlock it automatically on certain criteria…