Encrypt data directory with LUKS

Hi, I would like to encrypt my data directory with LUKS. My plan is to stop the apache service and move the data directory to another disk. Then encrypt the disk and move the data back. I will mount the newly encrypted disk at the same mount point as before. So the path to the directory will not change. Does somebody see an issue with this? Because moving the data directory sometimes raises issues. But with this the directory will not really move.

And is there any issue known with having the data directory encrypted? For example if at startup the directory is not decrypted?

There’s no problem with this; the mount point will stay the same and the un-encrypted partition is presented to Nextcloud, so it’s completely transparent.

If Apache/Nextcloud is started with no data directory then that could cause a problem. You will need to un-lock it first.

Ok, thanks. I will disable “autostart” of Apache and start it per script only if the drive is successfully encrypted … Need to figure out how.

Are the drives not un-locked when you boot up?

My server is not running 24/7. It shuts down if idle. And the boot partition is not encrypted. So I will not be able to fill in the encryption key every time the server boots up. I will use another client which is 24/7 available to store the key and will unlock the drives by a script and add this to the @reboot crontab.

If you are on Red Hat/CentOS, Clevis/Tang might be of interest for network-bound disk encryption:

https://blog.cloudpassage.com/2017/12/21/network-bound-disk-encryption-red-hat-linux-7/

Thanks, I’m using Debian stretch on this server.
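
The unlock-then-start script discussed in this thread, as an added example that is not code from any poster: it fetches the key from an always-on host, opens and mounts the LUKS volume, and starts Apache only after confirming the data directory is backed by the decrypted mapping. The device, mapping name, mount point, key host, key path and script path are all assumptions.

```shell
#!/bin/sh
# Added example. Every value below is a hypothetical placeholder.
LUKS_DEV="${LUKS_DEV:-/dev/sdb1}"            # encrypted partition (assumed)
MAPPER_NAME="${MAPPER_NAME:-ncdata}"         # device-mapper name (assumed)
DATA_DIR="${DATA_DIR:-/srv/nextcloud-data}"  # unchanged mount point (assumed)
KEY_HOST="${KEY_HOST:-keyhost.example}"      # always-on key holder (assumed)
KEY_PATH="${KEY_PATH:-/root/ncdata.key}"     # key file on that host (assumed)

# Succeed only if mount point $2 is backed by /dev/mapper/$1 according to
# the mounts table in $3 (default /proc/mounts). A bare "directory exists"
# test is not enough: the empty mount point exists on the root filesystem
# even while the volume is still locked.
data_dir_ready() {
    awk -v dev="/dev/mapper/$1" -v mp="$2" \
        '$1 == dev && $2 == mp { found = 1 } END { exit !found }' \
        "${3:-/proc/mounts}"
}

unlock_and_start() {
    if ! data_dir_ready "$MAPPER_NAME" "$DATA_DIR"; then
        if [ ! -e "/dev/mapper/$MAPPER_NAME" ]; then
            # The key is piped straight into cryptsetup and never written
            # to the unencrypted boot disk. With --key-file - the whole
            # stream is the key, newlines included.
            ssh -o BatchMode=yes "root@$KEY_HOST" "cat $KEY_PATH" |
                cryptsetup open --key-file - "$LUKS_DEV" "$MAPPER_NAME" ||
                return 1
        fi
        mount "/dev/mapper/$MAPPER_NAME" "$DATA_DIR" || return 1
    fi
    # Final gate: Apache stays down unless the decrypted volume is mounted.
    data_dir_ready "$MAPPER_NAME" "$DATA_DIR" || return 1
    systemctl start apache2
}

# Hypothetical crontab entry for root, with apache2 autostart disabled:
#   @reboot /usr/local/sbin/unlock-nextcloud.sh --run
if [ "${1:-}" = "--run" ]; then
    unlock_and_start
fi
```

The SSH key that lets this server read the key file sits on the unencrypted boot disk, so on the key host it should be restricted to that single command.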