Hi, I would like to encrypt my data directory with LUKS. My plan is to stop the apache service and move the data directory to another disk. Then encrypt the disk and move the data back. I will mount the newly encrypted disk at the same mount point as before. So the path to the directory will not change. Does somebody see an issue with this? Because moving the data directory sometimes raises issues. But with this the directory will not really move.
And is there any issue known with having the data directorie encrypted? For example if at startup the directory is not decrypted?
There’s no problem with this; the mount point will stay the same and the un-encrypted partition is presented to Nextcloud, so it’s completely transparent.
If Apache/Nextcloud is started with no data directory then that could cause a problem. You will need to un-lock it first.
Ok, thanks. I will disable “autostart” of Apache and start it per script only of the drive is sucessfull encrypted … Need to figure out how.
Are the drives not un-locked when you boot up?
My server is not running 24/7. It shuts down if idle. And the boot partition is not encrypted. So I will be not able to fill in the encryption key every time the server boots up. I will use another client which is 24/7 available to store the key and will unlock the drives by a script and add this to the @reboot crontab.
If you are on Red Hat/Centos Clevis/Tang might be of interest for network-bound disk encryption:
Thanks, I’m using debian strech on this server.