[Guide] How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server
-
@murgero thanks for your feedback and good points! Good to hear you found it useful.
Trust is an important consideration, as well as understanding your threat models and attack vectors.
I think Hetzner got their sh*t together and there are some really insightful behind-the-scenes/dc tours on TY too. If your hoster factors in your threat model, I'd suggest you look for a more... dedicated solution than a mainstream hoster #trustnoone
I spent waaayyy too much time on this recently... almost like there was a break in real work
-
@3246 said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:
Follow the official guide and pick a suitably secure password for the encryption (I would suggest avoiding special characters!)
Perhaps add: and save it as a secure note in your password manager, and write it down on a piece of paper safely filed away too.
I only say this because the one time I chose to use full disk encryption during install, I ended up not using that machine for a while and forgetting the password, and so I lost everything on that machine because I couldn't access it (admittedly this was in the days before I used a password manager to remember stuff).
-
@jdaviescoates said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:
Perhaps add: and save it as a secure note in your password manager, and write it down on a piece of paper safely filed away too.
Oh hell yes, that goes without saying, although you are right: it probably needs to be stated repeatedly and emphatically.
I just switched from self-hosted Bitwarden back to 1Password because I managed to shoot myself in my foot when Cloudron was down: I needed to restore, and all my decryption keys etc. were locked away (yes, there should have been a copy offline on my device... don't ask!).
-
@3246 said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:
I just switched from self-hosted Bitwarden back to 1Password because I managed to shoot myself in my foot when Cloudron was down
Um, good point, I shudder to think what I'd do if my Cloudron went down for long and I couldn't access my passwords.
Do you know if there is a good way to back them all up locally in case that happens?
-
@murgero said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:
Bitwarden keeps a local cache
You mean the phone app? Or desktop? Or both?
I only ever use the browser plugin and the phone app.
-
@jdaviescoates yeah it lets me access my passwords even offline, I use phone, plugin, and desktop app.
-
@jdaviescoates said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:
@3246 said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:
I just switched from self-hosted Bitwarden back to 1Password because I managed to shoot myself in my foot when Cloudron was down
Um, good point, I shudder to think what I'd do if my Cloudron went down for long and I couldn't access my passwords.
Do you know if there is a good way to back them all up locally in case that happens?
Use the CLI tool!
I use a modified version of this on my local mac (results in a decrypted backup): https://github.com/broizter/BitwardenBackup/blob/master/bitwardenbackup.sh
There's also the "official" version (results in an encrypted backup):
https://bitwarden.com/de-DE/blog/how-to-back-up-and-encrypt-your-bitwarden-vault-from-the-command-line/
-
@necrevistonnezr said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:
Use the CLI tool!
I've never investigated that, thanks, I shall now investigate (although I'm generally more of a GUI person than a CLI person; admittedly the latter is far superior for many purposes, and I am still quite often in the terminal).
-
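An added example of the CLI backup approach necrevistonnezr points to above (this is not the linked bitwardenbackup.sh and not Bitwarden's own script). It uses the Bitwarden `bw` CLI's password-protected `encrypted_json` export, so the copy on disk can be restored without the account but never sits around in plaintext, and it refuses to keep a file that does not look encrypted. The backup directory, the filename pattern, the `run` argument and the assumption that `bw` is installed and already logged in are this example's own.

```shell
#!/bin/sh
# Added example: export a Bitwarden vault from the CLI as a password-protected
# encrypted JSON backup. Assumes `bw` is installed and `bw login` was done once.
set -eu

BACKUP_DIR="${BACKUP_DIR:-$HOME/bitwarden-backups}"   # assumed location

# Dated output path; a function so it can be checked in isolation.
backup_path() {
    # $1 = directory, $2 = date string (YYYY-MM-DD)
    printf '%s/bitwarden-%s.enc.json\n' "$1" "$2"
}

# A password-protected export carries "encrypted": true at the top level;
# a plaintext export does not. Used as a guard before keeping the file.
export_is_encrypted() {
    grep -q '"encrypted":[[:space:]]*true' "$1"
}

run_backup() {
    mkdir -p "$BACKUP_DIR"
    chmod 700 "$BACKUP_DIR"
    out="$(backup_path "$BACKUP_DIR" "$(date +%Y-%m-%d)")"

    # Unlock once; the session key lives only in this shell's environment.
    BW_SESSION="$(bw unlock --raw)"
    export BW_SESSION
    bw sync >/dev/null

    # The export password is separate from the master password, so the backup
    # can be restored even if the account is gone. It is read without echo;
    # note that bw still receives it as an argument, visible briefly in `ps`.
    printf 'Export password: ' >&2
    stty -echo; read -r EXPORT_PW; stty echo; printf '\n' >&2
    bw export --format encrypted_json --password "$EXPORT_PW" --output "$out"
    unset EXPORT_PW
    bw lock >/dev/null
    chmod 600 "$out"

    if ! export_is_encrypted "$out"; then
        echo "export is not encrypted, refusing to keep it" >&2
        rm -f "$out"
        exit 1
    fi
    echo "vault exported to $out"
}

# Only run when invoked as `./bw-backup.sh run`; sourcing just loads the functions.
if [ "${1:-}" = "run" ]; then
    run_backup
fi
```

Keep the export password somewhere that does not depend on the vault itself (the paper copy jdaviescoates mentions, for instance), otherwise the backup has the same single point of failure as the server.
-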
@Stardenver yes it is. I also have it running on baremetal at home/office.
My new set up has a main drive that's encrypted and another for local backups, which is also encrypted but unlocks after decrypting the main boot/data drive.
Happy to expand on this if folks find it useful
-
@JOduMonT said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:
Maybe I misread, but do we have the same understanding that LUKS and full-disk encryption is only useful when the system is not running, aka when the drive is not mounted?
Yep, this is covering only against scenarios where actors might gain access to the drive or volume your data resides on when the machine is offline.
Think of security as layers of an onion and this is just one layer for one(ish) attack vector.
As part of my information security policy, I need to protect data at rest (e.g. hard drives of servers, laptops, phones and backup media) and prevent unauthorised access when machines are running. So full disk encryption satisfies that requirement nicely and being able to do it from afar on a virtualised or bare-metal system like at Hetzner makes it pretty convenient too.
My concern at home/office is theft; with hosters or data centres in general, it's that drives may end up being replaced or recycled. Hetzner and hosters like them will have easy physical access, so LUKS protects against someone going to the machine, turning it off and passing the drive on to someone else for whatever reason.
Happy to expand and try to answer any questions, with the caveat that I am not offering professional advice nor does it come with any guarantees.
-
This might not apply to you but I thought I'd share an alternative way to have your cake and eat it, in case you don't fancy encrypting the whole Cloudron.
Find out how to move your Nextcloud app data directory to an encrypted volume in my new post.
-
@3246 said in [Guide] How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:
@Stardenver yes it is. I also have it running on baremetal at home/office.
My new set up has a main drive that's encrypted and another for local backups, which is also encrypted but unlocks after decrypting the main boot/data drive.
Happy to expand on this if folks find it useful
Thanks again for your setup guide. Just got a new server and it's up and running. May I ask how you'd set up your system, so that additional drives are also encrypted and unlock after decrypting the main drive?
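On the question just above about extra drives that unlock after the main one, here is an added example (not 3246's own setup) of the usual Linux way to do it. The second LUKS volume gets a random keyfile that lives on the already-encrypted root filesystem and is listed in /etc/crypttab; systemd opens it right after root is mounted, and nothing can read the keyfile until the root passphrase has been entered, so the backup disk inherits the root volume's protection at rest. The device, mapper name, keyfile path and mountpoint are assumed placeholders, and the `luksFormat` step wipes the backup disk.

```shell
#!/bin/sh
# Added example: register a second LUKS volume (e.g. a local backup disk) that is
# unlocked at boot with a keyfile stored on the encrypted root filesystem.
set -eu

# Assumed values; override via environment or edit for your system.
BACKUP_DEV="${BACKUP_DEV:-/dev/sdb}"            # raw block device of the backup disk
MAPPER_NAME="${MAPPER_NAME:-backup_crypt}"      # becomes /dev/mapper/<name>
KEYFILE="${KEYFILE:-/etc/luks-keys/backup.key}" # on the encrypted root, root-only
MOUNTPOINT="${MOUNTPOINT:-/mnt/backup}"

# /etc/crypttab entry: name, source (by UUID so renumbering of /dev/sdX is
# harmless), keyfile, options. "luks" forces LUKS mode.
crypttab_line() {
    # $1 = mapper name, $2 = LUKS UUID, $3 = keyfile path
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# /etc/fstab entry for the mapped device; nofail keeps the boot going if the
# disk is absent or the keyfile is wrong, instead of dropping to a rescue shell.
fstab_line() {
    # $1 = mapper name, $2 = mountpoint
    printf '/dev/mapper/%s %s ext4 defaults,nofail 0 2\n' "$1" "$2"
}

# The scheme rests on the keyfile being readable only by root: reject anything
# group- or world-readable.
keyfile_mode_ok() {
    # $1 = octal mode string as printed by `stat -c %a`, e.g. 400
    case "$1" in
        400|0400|600|0600) return 0 ;;
        *) return 1 ;;
    esac
}

setup_backup_volume() {
    # 1. Generate a 4096-byte random keyfile readable only by root.
    mkdir -p "$(dirname "$KEYFILE")"
    chmod 700 "$(dirname "$KEYFILE")"
    dd if=/dev/urandom of="$KEYFILE" bs=4096 count=1 status=none
    chmod 400 "$KEYFILE"
    keyfile_mode_ok "$(stat -c %a "$KEYFILE")"   # aborts (set -e) if the mode is wrong

    # 2. Format the disk as LUKS2 with that keyfile, open it, create a filesystem.
    #    This destroys everything on $BACKUP_DEV.
    cryptsetup luksFormat --type luks2 --batch-mode "$BACKUP_DEV" "$KEYFILE"
    cryptsetup open --key-file "$KEYFILE" "$BACKUP_DEV" "$MAPPER_NAME"
    mkfs.ext4 -q "/dev/mapper/$MAPPER_NAME"

    # 3. Register it so it is unlocked and mounted after root on every boot.
    uuid="$(cryptsetup luksUUID "$BACKUP_DEV")"
    crypttab_line "$MAPPER_NAME" "$uuid" "$KEYFILE" >> /etc/crypttab
    mkdir -p "$MOUNTPOINT"
    fstab_line "$MAPPER_NAME" "$MOUNTPOINT" >> /etc/fstab
    mount "$MOUNTPOINT"
    echo "$MAPPER_NAME mounted at $MOUNTPOINT; unlocked via $KEYFILE at boot"

    # Optional but worth doing: add a passphrase keyslot as well, kept in your
    # password manager, so the backup disk is still usable if the root volume
    # (and with it the keyfile) is ever lost:
    #   cryptsetup luksAddKey --key-file "$KEYFILE" "$BACKUP_DEV"
}

# Only make changes when run as `sudo ./backup-volume.sh --apply`.
if [ "${1:-}" = "--apply" ]; then
    setup_backup_volume
fi
```

As the thread already notes, this only protects the backup disk while the machine is off or the volume is closed; once booted, the backup volume is mounted and readable like any other filesystem.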