I’ve done a little research but curious about first hand experience.

I’ve got a little home server that is full disk encrypted with LUKS (+LVM, of course). It’s headless (no display, no keyboard, etc) and just lives attached to the back of my desk, out of the way.

If it gets rebooted due to a power outage, I can plug in a keyboard, wait long enough for it to get to the LUKS password prompt, enter password, hit enter, and assume it worked if I see the disk activity light blinking. Worst case scenario, I can move it to a monitor and plug it in to get display too.

Because lazy, I’d prefer to be able to enter the decrypt password remotely. “Dropbear” seems to be a common suggestion but I haven’t tried it yet.

So, asking for your experience or recommendations.

I’ll start. Recommendation #1 - get a UPS : D … But besides that.

Addendum: either way, I currently need to be home to do this because I access it remotely via tailscale along with my desktop. Since both are full disk encrypted, neither will boot to the point of starting tailscale without intervention. But, I might repurpose a nonencrypted RPi with SSHd to act as a “auto restarts with tailscale so I can SSH to it, then SSH to server to enter the LUKS password” jump point.

  • SphericalCow@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    13 days ago

    If you run a system that uses dracut to manage its initramfs, then https://github.com/gsauthof/dracut-sshd might be of use to you.

    I have it setup on a server running Fedora and can’t complain. When the system reboots and plymouth shows the LUKS password prompt a ssh server is started in the background as well - so I can unlock the server either using keyboard or connect via SSH. When rebuilding the initramfs (eg. for a new kernel version) the ssh server is installed and setup automatically so I don’t really have to worry about anything after the initial setup.

    • modeh@piefed.social
      link
      fedilink
      English
      arrow-up
      0
      ·
      12 days ago

      +1

      This is my setup as well, having a headless Fedora server, being able to unlock over SSH makes things a breeze.