I have luks set up on my server and it is kind of annoying to type the password at reboots (mostly power outages). Strictly speaking I do not need the luks, but I feel it's good to have anyway. I was thinking of getting a yubikey and just leaving it on or at least telling a trusted family member where to get it and to plug it in when turning it on.
Has anyone overcome a similar setup or issue?
For some clarity I am not a pro and the homelabbing is mostly just a learning experience for me.
I do for work but not for my self-hosting operation, I don't think it makes sense at least in my case. My recommendation is not to use full disk encryption on a home server, but to encrypt specific directories as needed (I use fscrypt on an ext4 file system).
Sounds like all you need is an Ext4 USB drive with a LUKS key on it. Then add a kernel parameter like rd.luks.key=UUID=/.keys/TheKey:LABEL=KEYS-timeout=10s in GRUB and it’ll autoboot.
Pull the key and power down and you’re back to normal. I use it in a low threat model environment so I can hit reboot and go get a coffee and come back to a DE.
I use it for work stuff so I don’t have to cross contaminate devices or apps
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters: More Letters
Git: Popular version control system, primarily for code
IP: Internet Protocol
SSH: Secure Shell for remote terminal access
VPS: Virtual Private Server (opposed to shared hosting)
4 acronyms in this thread; the most compressed thread commented on today has 16 acronyms.
[Thread #289 for this comm, first seen 15th May 2026, 00:40]
I have a VPS which hosts some stuff and I just e2ee all the data. Syncthing sync is e2ee and Joplin sync is e2ee. But lots of services don’t support e2ee, or e2ee gets in the way of UX and nice features so we make a tradeoff.
As for LUKS, I guess a good solution is to have a VPS or public device somewhere that shares the encryption key with the server (but only after it gives the correct password) but only to the correct IP address of your server.
The router solution someone mentioned below is similar.
I don’t see the point, because if someone steals your server, they’ve stolen the key too.
Perhaps set up ssh unlock? Plenty of decent guides out there.
I use a yubikey on my laptop, but I use it to make it even harder to log in. It’s set to challenge-response so you have to have the key in and enter a password to unlock LUKS. Bit overkill but it was more just to see if I could do it lol
I dream of being this hardcore
Perhaps set up ssh unlock? Plenty of decent guides out there
Do you do this with separate machine?
I’ve set this up although I can’t post the exact steps since it’s been so long ago. Here’s a summary.
Have a machine on the same network as the server. Set up dropbear-initramfs on your server to have an SSH server enabled on the luks unlock screen. You'll have to set the SSH login command to unlock luks in authorized_keys. Then when you need to unlock your server from boot, use ssh with the -J option to jump to the server. Important here: use the local server IP address with respect to the secondary machine, e.g. ssh 192.168.1.1 -J secondary
In that example, 192.168.1.1 is your server address accessible from your secondary machine.
You can unlock remotely through this as well. I've set up Tailscale and can unlock my server when I need to reboot for kernel upgrades.
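The authorized_keys restriction mentioned above, as an added example that is not code from the thread: it builds the dropbear-initramfs entry that pins a key to running cryptroot-unlock and nothing else, and audits an existing file for entries without that restriction. The file path follows Debian/Ubuntu's cryptsetup-initramfs layout; the SSH keys are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Restrict boot-time SSH keys to the
# unlock command and audit the initramfs authorized_keys for unrestricted
# entries. Paths and keys are placeholders.
set -eu

DROPBEAR_AK=/etc/dropbear/initramfs/authorized_keys   # Debian/Ubuntu path
UNLOCK_OPTS='no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock"'

# Print one authorized_keys line that forces cryptroot-unlock for this key.
unlock_entry() {
    printf '%s %s\n' "$UNLOCK_OPTS" "$1"
}

# Return 0 when every non-empty, non-comment line forces cryptroot-unlock;
# otherwise list the offending entries on stderr and return 1.
audit_authorized_keys() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        case "$line" in
            *'command="/bin/cryptroot-unlock"'*) ;;
            *) echo "unrestricted entry: ${line%% *}" >&2; bad=1 ;;
        esac
    done < "$1"
    return $bad
}

# Typical use (root): append an entry, audit, then rebuild the initramfs
# with `update-initramfs -u`. Unlocking then works over the jump host as in
# the post: ssh -J secondary root@192.168.1.1
# unlock_entry "$(cat ~/.ssh/id_ed25519.pub)" >> "$DROPBEAR_AK"
# audit_authorized_keys "$DROPBEAR_AK"
```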
Yes, phone, desktop, laptop, whatever’s handy.
I have one I use for a luks partition. Mostly just to see if I could. It was pretty easy to set up.
I use yubikey for ssh access mostly (setting it and GPG signatures with unextractable key was fun and messy). Moving secret key across machines became quite easy to do in a secure manner. I was thinking about making it boot key for my portable laptop, but ended up just having throwaway policy about its contents and relatively weak encryption passwords not worth bruteforcing. Losing a key to a laptop that could be lost itself on the other hand sounds like quite a shame. With stationary server, I don't know, I feel like anything more complicated than a power switch that could be operated with physical access IMO does not provide extra security, because a yubikey left in a rack is just as hard to push as a power button.
Also make sure you have more than one, they could easily break, be lost, or eaten by a dog named Kubernetes. Seriously, I had friends who neglected this advice and got in a mess.
It's not like I'm a fan of yubikeys, I just happened to get quite a lot of them on one of the gigs I was doing and had to come up with sensible uses. Well, signing git commits and other gpg stuff was not sensible.
I made a systemd service that mounts a temp file from my ftp server (inside internet router) and that file is being used to unlock disks during boot. When it's gone it would ask for password.
The vector is that someone steals my server while keeping the router in place. That’s my bet on what would happen if someone breaks into our flat.
The vector is that someone steals my server while keeping the router in place.
What does this part mean?
Is internet router some kind of software or do you mean your physical router?
They run the FTP server on the router, hosting the password file.
I have not used a yubikey for boot stuff as you describe, I am a fan in general though.
That said, I have a setup on my servers where there is full disk encryption and a password stored on a random file in a thumb drive or SD card of each machine. If the file / drive is removed I can always type a manual password as well to complete booting. And if I need to do a clean wipe I just delete the keys or intentionally corrupt that sector of the drive, instead of having to do forensic cleaning.
I’ve been mulling over this very idea for years, but I just haven’t gotten around to putting it into practice. Could you tell me how it works for you?
I recently finished setting this up on my system after having a plan to do it for years beforehand and never following through. It turned out to be quite a bit easier than I thought; LUKS has built-in support for keyfiles, so all you have to do is add the keyfile as a valid key for your disk, then modify the mount options to use the keyfile by default. There’s a dedicated option to fail over to password-based authentication as well.
have a setup on my servers where there is full disk encryption and a password stored on a random file in a thumb drive or SD card of each machine.
The wagie in me likes this. Was it particularly difficult to set up?
Not at all. Pretty sure I got the instructions from Arch wiki, typical passfile setup, just a slightly unusual path.
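The keyfile-on-removable-media setup described in the last few posts, as an added example that is not code from the thread: it generates a keyfile with tight permissions, refuses weak ones, enrols the file as an extra LUKS key slot (the passphrase stays valid), and emits the crypttab(5) line that waits for the KEYS volume and falls back to the passphrase prompt when it is absent. It assumes a systemd-based initramfs that honours `keyfile-timeout=`; the device UUID, label and paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). LUKS keyfile on a removable volume
# labelled KEYS, with passphrase fallback via crypttab keyfile-timeout=.
# Assumes systemd-cryptsetup and GNU stat; names below are placeholders.
set -eu

# Create a 4 KiB random keyfile readable only by its owner.
make_keyfile() {
    keyfile=$1
    ( umask 077 && dd if=/dev/urandom of="$keyfile" bs=4096 count=1 2>/dev/null )
    chmod 0400 "$keyfile"
}

# Reject keyfiles that are group/world readable or too small to be useful.
keyfile_ok() {
    keyfile=$1
    [ -f "$keyfile" ] || return 1
    mode=$(stat -c %a "$keyfile")   # GNU stat (assumption)
    size=$(stat -c %s "$keyfile")
    case "$mode" in 400|600) ;; *) return 1 ;; esac
    [ "$size" -ge 512 ]
}

# Emit a crypttab(5) line: key at <keypath> on the device LABEL=<label>,
# wait up to <timeout> for it, then fall back to the interactive passphrase.
crypttab_line() {
    name=$1 uuid=$2 keypath=$3 label=$4 timeout=$5
    printf '%s UUID=%s %s:LABEL=%s luks,keyfile-timeout=%s\n' \
        "$name" "$uuid" "$keypath" "$label" "$timeout"
}

# Root-only: add the keyfile to a free slot; the existing passphrase stays.
enrol_keyfile() {
    luksdev=$1 keyfile=$2
    keyfile_ok "$keyfile" || { echo "refusing weak keyfile: $keyfile" >&2; return 1; }
    cryptsetup luksAddKey "$luksdev" "$keyfile"
}

# Typical use (root), with /mnt/keys the mounted KEYS volume:
# make_keyfile /mnt/keys/server.key
# enrol_keyfile /dev/sda2 /mnt/keys/server.key
# crypttab_line cryptroot 1111-2222-3333 /server.key KEYS 10s >> /etc/crypttab
# Pulling the volume later simply makes boot prompt for the passphrase again.
```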