Optional full-disc encryption

Feature Requests | Tags: encryption, security
    marcusquinn wrote:

    It would be an additional layer of protection for GDPR compliance expectations — to protect somewhat further against any attack vector directly from a host via a bad-actor or social-engineering.

    (If it can happen to Twitter, I'm sure it's more common than previously suspected, and as software systems are hardened and the vectors decreasing, the next best alternative target, as we have seen, is simply bribery, phishing or manipulation for privileged access)

    Respecting that this may mean re-entering the key on each reboot - but having a Cloudron approved and standardised method for this would be an additional reassurance when using any host that doesn't offer this by default, or in preferring to do it in a way so the host could possibly not have a copy of the key to unlock.

    I realise this isn't for everyone, so should be opt-in - but having used FileVault on Mac without issue for a decade, and a good multi-location backup strategy with regular restoration testing throughout the community, I think any concerns would be outweighed by the advantages of peace of mind for admins, users, audiences and authorities.

    will wrote (#9):

    @marcusquinn I have my disk fully encrypted for data at rest.
    It's a pain on reboots, but I don't reboot often.

      nebulon wrote:

      I think the question really is if this is the scope of Cloudron or if it is sufficient to be able to use the built-in default FDE from Ubuntu server. Choosing the latter already shows heavy dependency on server vendor, since a quick search for how one would do this with only DigitalOcean reveals a host of issues and seemingly half-hearted solutions.
      If one installs Ubuntu on a hardware server in, say, the office, then the FDE coming with Ubuntu during the installation process works well and already solves this issue. This is way before Cloudron comes to the party as far as I can tell.

      will wrote (#10):

      @nebulon On the scope question, do you view the Cloudron server as an appliance? If so, FDE during setup may be good, or an optional switch or something.

        murgero (App Dev) wrote (#11):

        @marcusquinn This can be done in linux and can be done with or without Cloudron. Luks can be enabled on any server you own running any modern linux flavor. You enable it during server install.

        Essentially what I mean is - it cannot encrypt the drive completely after installing linux. While installing Ubuntu server, enable disk encryption via the disk menu, then install ubuntu as normal. Reboot, install cloudron - boom full disc encryption.

        If cloudron and ubuntu are already installed you can encrypt the home folder with Luks but not the disk.

        Good luck

        --
        https://urgero.org
        ~ Professional Nerd. Freelance Programmer. ~
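
Added example, not part of murgero's post or of Cloudron: a shell check that a given mount point sits on a LUKS (dm-crypt) mapping, done by walking the parent chain in `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` output. The sample layout is constructed and the function name is hypothetical; a device with several parents (RAID) is followed through one parent only.

```bash
#!/bin/sh
# Constructed sample of `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` for an
# install with LVM on LUKS: / is behind a crypt mapping, /boot is not.
SAMPLE_FDE='KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot/efi"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda3" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"'

# mount_is_encrypted MOUNTPOINT   (hypothetical helper; lsblk pairs on stdin)
# Exit status: 0 = a crypt layer lies below the mount, 1 = none, 2 = not found.
mount_is_encrypted() {
  awk -v target="$1" '
    # Return the value of key="value" on the current line ("" if absent).
    function field(key,   m) {
      if (match($0, "(^| )" key "=\"[^\"]*\"")) {
        m = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", m)
        sub(/"$/, "", m)
        return m
      }
      return ""
    }
    {
      k = field("KNAME")
      parent[k] = field("PKNAME")
      type[k] = field("TYPE")
      if (target != "" && field("MOUNTPOINT") == target) start = k
    }
    END {
      if (start == "") exit 2
      # Walk from the mounted device up to the disk; stop on a loop.
      for (d = start; d != "" && !(d in seen); d = parent[d]) {
        seen[d] = 1
        if (type[d] == "crypt") exit 0
      }
      exit 1
    }'
}

# Live use: lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | mount_is_encrypted /
```

On the sample, `/` reports encrypted while `/boot` does not, so the check should be run against every mount point that holds data.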

          murgero (App Dev) wrote (#12):

          @nebulon I do not believe this is a cloudron related question as full-disk encryption is not possible to do after installing ubuntu, but only during install.

          Home folder encryption IS possible though

          --
          https://urgero.org
          ~ Professional Nerd. Freelance Programmer. ~

            marcusquinn wrote (#13):

            @will I can see it becoming so - especially if my suggestion here gets traction: https://forum.cloudron.io/topic/2952/terraform-new-cloudron-vps-instances

            Web Design https://www.evergreen.je
            Development https://brandlight.org
            Life https://marcusquinn.com

              marcusquinn wrote (#14):

              @murgero Yeah - but I can see that becoming something Cloudron could do too if terraforming new instances were added: https://forum.cloudron.io/topic/2952/terraform-new-cloudron-vps-instances

              Web Design https://www.evergreen.je
              Development https://brandlight.org
              Life https://marcusquinn.com

                necrevistonnezr wrote (#15):

                @murgero said in Optional full-disc encryption:

                @marcusquinn This can be done in linux and can be done with or without Cloudron. Lux can be enabled on any server you own running any modern linux flavor. You enable it during server install.

                Essentially what I mean is - it cannot encrypt the drive completely after installing linux. While installing Ubuntu server, enable disk encryption via the disk menu, then install ubuntu as normal. Reboot, install cloudron - boom full disc encryption.

                If cloudron and ubuntu are already installed you can encrypt the home folder with lux but not the disk.

                Good luck

                I was wondering what "lux" was, until I realized you probably meant Luks, right?

                  murgero (App Dev) wrote (#16):

                  @necrevistonnezr oh shit I always misspell it, yes Luks LMAO

                  --
                  https://urgero.org
                  ~ Professional Nerd. Freelance Programmer. ~

                    murgero (App Dev) wrote (#17):

                    @marcusquinn said in Optional full-disc encryption:

                    @murgero Yeah - but I can see that becoming something Cloudron could do too if terraforming new instances were added: https://forum.cloudron.io/topic/2952/terraform-new-cloudron-vps-instances

                    You misunderstand - There is no possible way to fully encrypt EXT3/4 partitions AFTER linux is installed. AFAIK - there is no workaround.

                    What you are asking for can only be done during OS install.

                    The only solution I can see here is "Home Folder Encryption" which would be enough here as Cloudron stores most of its data in its home folder, right @girish?

                    --
                    https://urgero.org
                    ~ Professional Nerd. Freelance Programmer. ~

                      marcusquinn wrote (#18):

                      @necrevistonnezr Not even sure I remember now - PBKAC 😂

                      Web Design https://www.evergreen.je
                      Development https://brandlight.org
                      Life https://marcusquinn.com

                        marcusquinn wrote (#19):

                        @murgero Yeah, makes sense.

                        Web Design https://www.evergreen.je
                        Development https://brandlight.org
                        Life https://marcusquinn.com
