Usually my process is very… hammer and drill related - but I have a family member who is interested in taking my latest batch of hard drives after I upgraded.
What are the best (linux) tools for the process? I’d like to run some tests to make sure they’re good first and also do a full zero out of any data. (Used to be a raid if that matters)
Edit: Thanks all, process is officially started, will probably run for quite a while. Appreciate the advice!
it’s not much use now, but to basically avoid the entire issue just use whole disk encryption the next time. Then it’s basically pre-wiped as soon as you “lose” the encryption key. Then simply deleting the partition table will present the disk as empty and there’s no chance of recovering any prior content.
Does one have to supply the password at each boot with what you are describing - this sounds like the password is somewhere in the partition table. If so what do I google to learn more?
There’s many different ways with different performance tradeoffs. for example for my Homeland server I’ve set it up that I have to enter it every boot, which isn’t often. But I’ve also set it up to run a ssh server so I can enter it remotely.
On my work laptop I simply have to enter it on each boot, but it mostly just goes into suspend.
One could also have the key on a usb stick (or better use a yubikey) and unplug that whenever is reasonable.
There are many ways to setups full disk encryption on Linux, but the most common all involve LUKS. Providing a password at mount (during boot, for a root partition or perhaps later for a “data” volume) is a but more secure and more frequently done, but you can also use things like smart cards (like a Yubikey) or a keyfile (basically a file as the password rather than typed in) to decrypt.
So, to actually answer your question, if you dont want to type passwords and are okay with the security implementations of storing the key with/near the system, putting a keyfile on removable storage that normally stays plugged in but can be removed to secure your disks is a common compromise. Here’s an approachable article about it.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !selfhosted@lemmy.world
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
selfh.st Newsletter and index of selfhosted software and apps
it’s not much use now, but to basically avoid the entire issue just use whole disk encryption the next time. Then it’s basically pre-wiped as soon as you “lose” the encryption key. Then simply deleting the partition table will present the disk as empty and there’s no chance of recovering any prior content.
Does one have to supply the password at each boot with what you are describing - this sounds like the password is somewhere in the partition table. If so what do I google to learn more?
There’s many different ways with different performance tradeoffs. for example for my Homeland server I’ve set it up that I have to enter it every boot, which isn’t often. But I’ve also set it up to run a ssh server so I can enter it remotely.
On my work laptop I simply have to enter it on each boot, but it mostly just goes into suspend.
One could also have the key on a usb stick (or better use a yubikey) and unplug that whenever is reasonable.
There are many ways to setups full disk encryption on Linux, but the most common all involve LUKS. Providing a password at mount (during boot, for a root partition or perhaps later for a “data” volume) is a but more secure and more frequently done, but you can also use things like smart cards (like a Yubikey) or a keyfile (basically a file as the password rather than typed in) to decrypt.
So, to actually answer your question, if you dont want to type passwords and are okay with the security implementations of storing the key with/near the system, putting a keyfile on removable storage that normally stays plugged in but can be removed to secure your disks is a common compromise. Here’s an approachable article about it.
Search terms: “luks”, " keyfile", “evil maid”
store it in tpm