Appliance with LUKs root encryption

Keeebs

Anyone successfully convert the appliance to a LUKs encrypted root partition? TY

jassonmc

I would be highly interested in that matter as well.

mwilliams

While technically possible, why bother doing this for the root partition and instead not encrypting the protection-worthy data only instead?

Is https://documentation.suse.com/sles/15-SP5/html/SLES-all/cha-security-cryptofs.html not sufficient enough?

Keeebs

In my opinion, no. The root partition absolutely needs to be encrypted if you care about your data. What if a malicious actor or worm or other malware copies a script to the unencrypted root partition to copy the unlocked mailboxes off the server or encrypt them for a ransomware attack or who knows what else?

kslt90

Keeebs
If the system is running, everything is unencryptet. Disk encryption just protects you against unauthorized snapshots or physical theft.
If you want to protect the data you have to store them already encrypted on the server.

mwilliams

Keeebs

💯 for @kslt90

Keeebs

kslt90
You are only looking at one side of a multi-dimensional risk. Unless you are manually unlocking that data drive on every boot, your encrypted data drive is unlocked by way of instructions from an unencrypted root. All one needs is a recovery disk or to mount the virtual root disk, install their vulnerability and boot the server that conveniently decrypts your encrypted data drive for the attacker to copy the data.

With an encrypted root, you can enforce secure boot on top of the encryption safeguarding those unlock instructions for the encrypted data disk making the system much more difficult to compromise. If an attacker can't compromise the root, they will have to fallback to conventional vulnerabilities, brute forcing the data disk, or compromise by some other means - all of which are much harder and require significantly more skill (and likely time) then simply breaching the unencrypted root.

WalterH

Ask Google, you find instructions how to convert the root partition of a running system to LUKs.

kslt90

Keeebs
I didn't want to say that disk encryption is useless. I have my VPS also fully encrypted, because i don't like the idea that the hoster can easily make a snapshot of my system.
But you talked about worms or malware which copy scripts or something to your system to decrypt data.
If you have already malware on your system there is no need to copy something to your root partition. The malware can gather the data directly from your running (and therefore decrypted) system.
So in my opinion server side disk encryption is a bit of snakeoil because it often gives people a false feeling of security.

WalterH

As stated above there are many tutorials how to convert an existing root partition to LUKs, like this tutorial: https://opencraft.com/tutorial-encrypting-an-existing-root-partition-in-ubuntu-with-dm-crypt-and-luks/