Re: Should I encrypt servers at my home lab?

To: whiteman808@paraboletancza.org
Cc: debian-user@lists.debian.org
Subject: Re: Should I encrypt servers at my home lab?
From: "Andrew M.A. Cater" <amacater@einval.com>
Date: Sat, 4 Oct 2025 19:37:33 +0000
Message-id: <[🔎] aOF3fWpvuy4nYTuH@einval.com>
In-reply-to: <[🔎] 94dce4d6a135a4ac84f6ff877f307d3d467939ef@paraboletancza.org>
References: <[🔎] 94dce4d6a135a4ac84f6ff877f307d3d467939ef@paraboletancza.org>

On Sat, Oct 04, 2025 at 06:39:30PM +0000, whiteman808@paraboletancza.org wrote:

[Reformatted for long lines]

> Hey.
> 

Hi whiteman808

> I've started building my home lab and currently I'm going to host stuff
>  like nginx, jabber server, mail, git hosting.
> 

A couple of assumptions:
This is at home - you will have direct access to it. You are doing your own
sysadmin and will be responsible for the security. Currently, all services
on one machine?

> The stuff I want to specially protect will likely be in e-mail and
> jabber conversations contents, and situations when someone is forgetting
> to encrypt them are not rare. I mean mostly received e-mails or friends
> who misconfigure their Jabber clients.
> 

So you're storing some personal data but you're not providing email
hosting or services to others. The privacy is essentially for your own
piece of mind and doesn't have to be secured to government/banking
standards. Do you have backups in case of data loss - if not, do you care?

> I want to protect against burglary and (most probable) against unwanted
> access to disk contents when I give my hardware to the service to repair
> it. I'm also doing torrenting (I personally don't like copyright law and
> support copyleft related movements) and want to protect also against
> seizing hardware by police (never happened in my home but not impossible).
> 

>From your email address, there's no obvious sign of which country you are
in. Xkcd 538 (https://xkcd.com/538) applies - collaboration with law
enforcement is generally advised - weigh up what's worth fighting for if
there's a possibility of serious confrontation with goverment-backed agencies.
If you're bothered about *all* your data at rest, full disk encryption
might be worth it but there's a trade off: increased complexity in set
up and maintenance when kernels and so on update and the contents of
/boot change.

> Do you think that it's good idea to do full disk encryption on my
> server?
> Is remote unlocking server by supplying password through dropbear-based
> ssh in initramfs secure?
> 

If you allow ssh from anywhere other than internally on a network, are
you secure at all? With luck, this is a server that will run 24/7 and 
that you will only update with regular security updates and reboot only
when kernels change or security updates require it.

Security is a process - in some sense it will never be complete but you
have to do whatever you can to keep your own balance of time cost,
personal effort and complexity with your own peace of mind. Weigh up your
real risks as against all of the above and write a plan to implement.

With very best wishes, as ever,

Andrew Cater
(amacater@debian.org)

> Thank you,
> whiteman808
>

Reply to:

References:
- Should I encrypt servers at my home lab?
  - From: whiteman808@paraboletancza.org

Prev by Date: Re: Should I encrypt servers at my home lab?
Next by Date: Re: diff files
Previous by thread: Re: Should I encrypt servers at my home lab?
Next by thread: Re: Should I encrypt servers at my home lab?
Index(es):
- Date
- Thread