Re: Should I encrypt servers at my home lab?
On Sat, Oct 4, 2025 at 5:18 PM <whiteman808@paraboletancza.org> wrote:
>
> I've started building my home lab and currently I'm going to host stuff like nginx, jabber server, mail, git hosting.
>
> The stuff I want to specially protect will likely be in e-mail and jabber conversation contents, and situations when someone is forgetting to encrypt them are not rare. I mean mostly received e-mails or friends who misconfigure their Jabber clients.

Even encrypted chats can be pierced. Chelsea Manning used
Off-the-record Messaging (OTR) with Adrian Lamo. Plausible
deniability did not help Manning.

> I want to protect against burglary and (most probable) against unwanted access to disk contents when I give my hardware to the service to repair it. I'm also doing torrenting (I personally don't like copyright law and support copyleft related movements) and want to protect also against seizing hardware by police (never happened in my home but not impossible).

For Tor, you should _not_ run an exit node. From
<https://blog.torproject.org/tips-running-exit-node/>: "In general,
running an exit node from your home Internet connection is not
recommended...".

If you do run an exit node, then you are putting yourself in jeopardy
of having a law enforcement visit and your equipment seized, which is
directly opposed to your goals.

> Do you think that it's a good idea to do full disk encryption on my server? Is remotely unlocking the server by supplying a password through dropbear-based ssh in initramfs secure?

Others are providing input on this topic, but I will make one comment.
The unattended key storage problem is a wicked hard problem in
computer science. It is a problem without a solution. About the best
you can do is, you are the operator to enter the key or password
during boot. See Peter Gutmann's Engineering Security book,
<https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf>.

Jeff