Selfhosted

In addition to "encryption at rest", also consider that your devices might be exploited over the internet, so attackers may be able to access the decrypted state that way. To guard against that, you may wish to encrypt certain documents with an additional password, even if they are sitting on an encrypted file system.

Recall that within a month, the widely SSH was exploited and a backdoor added to every machine. I had upgraded to that SSH version. I didn't run an SSH server on that box, but it goes to show that even those who take precautions can end up exploited!

Yes, all, no matter what data is, it's not hard and doesn't have any consequences, but protects from many inconvenient accidents

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

12 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.

[Thread #686 for this sub, first seen 17th Apr 2024, 08:25] [FAQ] [Full list] [Contact] [Source code]

Always, if nothing else it makes "wiping" them securely easier.

Yes.

I encrypt about everything. Laptop, server, backups, external hdds that are just for me. (Only thing I don't encrypt is a VPS. It's hosted on somebody else's hardware and they'd be able to break the encryption anyways if they wanted.)

I just put LUKS on it before formatting a filesystem. For the OS I use the good old approach with LUKS and a LVM inside.

I mean if you don't encrypt the backups, the encrytion of the system is kind of meaningless, isn't it?

On laptops yes, on my server no. Most of the data is photo backups and linux ISOs form over the years.

No,

There is all the backup of all my family pictures in the drives.

If something happens to me I want to make due that they will have access to it.

I have two WebDAV shares, one unencrypted and one encrypted. The unencrypted one is for things that need to be read by other services, like legally obtained movies and tv shows. The encrypted one is for porn, mostly (also stuff like tax documents, legal contracts, etc).

This is the server I use

https://hub.docker.com/r/sciactive/nephele

It’s really easy to set it up for encryption. Also, I wrote it. :)

Have you tried secure-erasing a disk?

Absolutely yes, I do enctypt my drives so I don't have to ever do that again. This isn't as critical for SSDs but it's still a good idea. Even if you keep the key stored on the same system, securely deleting a tiny file is way easier than a whole disk.

Use Cryptomator to have your data safe from prying eyes.

I don't do anything that warrants it, but if I did have sensitive data that I was worried about being stolen, those drives would be in a system completely cut off from the Internet to prevent remote theft, and encrypted in the event of a physical theft. If I was especially paranoid, I'd booby trap the drives to wipe themselves if they are tampered with.

Nope. This isn't part of my threat model.

I don't have sensitive data and stealing a drive would be inconvenient for a thief.

How do you even encrypt a server so that it doesn’t require human intervention every time it goes down/restarts?

I did have LUKS and a USB flash drive with a key to be inserted on boot. It was definitely difficult and caused performance issues. It was particularly difficult to add/remove drives from the array. These days I only encrypt my off-site backups that sit at the office where my coworkers potentially have physical access.

There have been recent advancements in TPM so disk encryption is easier to maintain and doesn't affect performance. I'll need to investigate this one day. My server/NAS is a 4th-gen i5, so it may not support the functions I would need. Full disk encryption will land in Ubuntu soon. I'm hanging out for that.

This shouldn't even be a question lol. Even if you aren't worried about theft, encryption has a nice bonus: you don't have to worry about secure erasing your drives when you want to get rid of them. I mean, sure it's not that big of a deal to wipe a drive, but sometimes you're unable to do so - for instance, the drive could fail and you may not be able to do the wipe. So you end up getting rid of the drive as-is, but an opportunist could get a hold of that drive and attempt to repair it and recover your data. Or maybe the drive fails, but it's still under warranty and you want to RMA it - with encryption on, you don't have to worry about some random accessing your data.

I keep my drives encrypted with a key currently hosted in my router hoping they wouldn’t steal that. I’m thinking of actually putting it to cloud so I can disable it remotely.

It was quite a ride to make everything work and I made a blog post explaining it so I remember what I did.

https://nowicki.io/self-hosting-lvm-raid1-with-key-over-ftp/

I use full disk encryption for every server (and other computers).

Encrypting your data drives is a must for everyone imho. Encrypting the OS is a must for me🤷‍♂️

No. If someone gets to my server that’ll be the least of my worries.

It's a relatively low performance hit and it benefits me when having to replace a failing/old disk. I can just toss the drive without having to erase the data first, that is as long as the key is a secure length.

Yes of course, with dm-crypt (luks), very little as AES-NI is incredibly fast.