Here's a plan:
1) Nextcloud server on Ubuntu 20.04, LUKS disk encryption + ZFS
2) weekly backup to home PC
3) once a year backup to HDD that I would keep in a storage room, not at home
4) once a year take a snapshot, pipe to gzip, encrypt and backup to S3 Glacier storage (which is pretty cheap)
- Are there any improvements you can propose?
- I would like my home server to be able to boot automatically if power goes down briefly. I tried to save a decryption key into the initramfs to achieve that and it works, but that renders encryption pretty useless. Is there a way to only decrypt and boot when some kind of USB key is present?
Maybe I should encrypt only data partition and write some bash to read USB, mount data partition, then start nginx, php, etc.?
Thanks!
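One way to write the "encrypt only the data partition and unlock it when the USB key is present" script asked about in the post above, as an added example that is not the poster's code. The key file path, device UUID placeholder, mapper name, pool name and service names are all assumptions.

```shell
#!/bin/sh
# Added example. Paths, pool, mapper and service names are assumptions.
KEY_FILE=${KEY_FILE:-/mnt/usbkey/nextcloud-data.key}   # hypothetical key file on the stick
DATA_DEV=${DATA_DEV:-/dev/disk/by-uuid/REPLACE-WITH-LUKS-UUID}
MAPPER_NAME=${MAPPER_NAME:-ncdata}
POOL=${POOL:-tank}
SERVICES=${SERVICES:-"php7.4-fpm nginx"}
RUN=${RUN:-}   # RUN=echo prints the privileged commands instead of running them

# Accept the key only if it is a non-empty regular file (not a symlink)
# that is readable by its owner alone.
keyfile_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -s "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# Unlock the data partition, import the ZFS pool, then start the web stack.
# Any failure stops the sequence so services never start on an empty mount.
unlock_and_start() {
    if ! keyfile_ok "$KEY_FILE"; then
        echo "key file missing or unsafe: $KEY_FILE; data stays locked" >&2
        return 1
    fi
    if [ ! -e "/dev/mapper/$MAPPER_NAME" ]; then
        $RUN cryptsetup open --type luks --key-file "$KEY_FILE" \
            "$DATA_DEV" "$MAPPER_NAME" || return 1
    fi
    $RUN zpool import -d /dev/mapper "$POOL" || return 1
    for svc in $SERVICES; do
        $RUN systemctl start "$svc" || return 1
    done
}

# Act only when called with --unlock, so the file can also be sourced.
if [ "${1:-}" = "--unlock" ]; then
    unlock_and_start
fi
```

The services should have autostart disabled so they only come up after the pool is imported. A key file on a FAT-formatted stick usually reports mode 755 unless the mount sets `fmask`, so the permission check would reject it.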
That's pretty similar to my backup routine so I can't fault much. I have Nextcloud for non-sensitive data that is on a Trisquel machine using LUKS and ZFS. I use Back in Time for daily snapshots; do a weekly manual backup; and monthly clone images to a physical drive which is kept in a fireproof safe. Would a Librem key work for your USB option? I don't know a lot about them but I think they deal with having encryption keys on USB.
https://puri.sm/products/librem-key/
I have Nextcloud in a VM on Proxmox. If I need to start/restart it remotely, I connect with OpenVPN and then SSH into the VM or use Proxmox's web gui.
Thanks, great tip!
Actually, this gave me a simpler and cheaper idea: USB drive with a boot partition and grub.
The steps would look like:
1) Install Ubuntu with separate unencrypted /boot (default when you select full disk encryption)
2) Create a decryption key for LUKS partition and keep it on that LUKS partition, generate initramfs with that key
3) Copy grub and boot to a USB drive
4) Test booting from USB drive
5) Delete grub and boot from server, overwrite free space with zeroes
In case you break or lose the key, you still have the passphrase to unlock the disk.
What is the purpose of the encryption? Like what are you wanting to do?
Either you need manual intervention to unlock the encryption on boot, or you'd need the keys initramfs usb to boot, etc.
Maybe instead of full disk encryption run by the root, perhaps move the encryption toward user space?
I know NextCloud has an encryption module built in. Would something like that work?
So far 3 use cases for that kind of encryption (USB key always in):
1) The disk is bad, I want to replace it. No need to worry about data on a bad disk.
2) Police come in without any good reason and want to seize all my digital devices.
Take out and lose the USB key and shut down the server.
3) I'm moving and want to leave my server with a 3rd party for a while
I looked into that, and they only have a manual for enabling server-side encryption; zero-access encryption is also declared, but I did not find any manual on that.
A thief might leave the usb key, or break it as they're running off with your hardware.
I still think just typing in a password on boot is most sensible. Unless you're treating this as a learning exercise, in which case go right ahead and describe your experiences somewhere online for posterity. :-)
If you have backups in AWS Glacier the police don't need to seize your devices at all, they'll know you have an AWS account if you're onto something and AWS are obliged to give them your data.
As for the backups, I run NC in docker on a PC with RAID 10 and drive encryption at home. With rsync I upload incrementally the content each night to Backblaze (cheaper than Glacier) when the network is pretty much unused.
So far it has been quite a solid solution.
It's encrypted though. Let them have it.
Thanks, it's great to know of an alternative. Although just now I found an even cheaper Amazon storage class: S3 Glacier Deep Archive.
It would cost me crazy 0.36 + taxes per month to store 200 GB of data, and about 6 USD to retrieve it (which hopefully never happens, as it would mean 2 of my HDDs are dead or lost).
It takes up to 12h to access data, but that's not a problem for me.