LUKS secure automated decryption

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












I have critical data, let's say machine learning code, GPG keys,... etc.



I would like to create a workstation that will work somewhere else- in someone else's premises.



I don't have concern that someone may try to hack the running computer. Instead, I don't want someone to steal the disk drive and the data stored on that disk drive.



Tutorials like this one guided me to setup a password for protection, but let's say that the place happens to have frequent power outages -- I will not be bothered to provide the password each time the PC reboots.



One solution I found, but it is a quite hard to implement, is LUKS that takes the key from TPM, but I have TPM2.0 which complicates things.



Would you please advice? Is it possible to decrypt LUKS (or a disk encrypted differently) non-interactively, during boot, keeping keys/password/code secure?










share|improve this question























  • Gentoo Wiki - Self-Decrypting Server (Archlinux) but calling it secure is a bit of a stretch.
    – frostschutz
    Sep 13 at 13:21











  • You may go with this approach: unix.stackexchange.com/q/5017/171196
    – muhammad
    Sep 13 at 13:46














up vote
1
down vote

favorite












I have critical data, let's say machine learning code, GPG keys,... etc.



I would like to create a workstation that will work somewhere else- in someone else's premises.



I don't have concern that someone may try to hack the running computer. Instead, I don't want someone to steal the disk drive and the data stored on that disk drive.



Tutorials like this one guided me to setup a password for protection, but let's say that the place happens to have frequent power outages -- I will not be bothered to provide the password each time the PC reboots.



One solution I found, but it is a quite hard to implement, is LUKS that takes the key from TPM, but I have TPM2.0 which complicates things.



Would you please advice? Is it possible to decrypt LUKS (or a disk encrypted differently) non-interactively, during boot, keeping keys/password/code secure?










share|improve this question























  • Gentoo Wiki - Self-Decrypting Server (Archlinux) but calling it secure is a bit of a stretch.
    – frostschutz
    Sep 13 at 13:21











  • You may go with this approach: unix.stackexchange.com/q/5017/171196
    – muhammad
    Sep 13 at 13:46












up vote
1
down vote

favorite









up vote
1
down vote

favorite











I have critical data, let's say machine learning code, GPG keys,... etc.



I would like to create a workstation that will work somewhere else- in someone else's premises.



I don't have concern that someone may try to hack the running computer. Instead, I don't want someone to steal the disk drive and the data stored on that disk drive.



Tutorials like this one guided me to setup a password for protection, but let's say that the place happens to have frequent power outages -- I will not be bothered to provide the password each time the PC reboots.



One solution I found, but it is a quite hard to implement, is LUKS that takes the key from TPM, but I have TPM2.0 which complicates things.



Would you please advice? Is it possible to decrypt LUKS (or a disk encrypted differently) non-interactively, during boot, keeping keys/password/code secure?










share|improve this question















I have critical data, let's say machine learning code, GPG keys,... etc.



I would like to create a workstation that will work somewhere else- in someone else's premises.



I don't have concern that someone may try to hack the running computer. Instead, I don't want someone to steal the disk drive and the data stored on that disk drive.



Tutorials like this one guided me to setup a password for protection, but let's say that the place happens to have frequent power outages -- I will not be bothered to provide the password each time the PC reboots.



One solution I found, but it is a quite hard to implement, is LUKS that takes the key from TPM, but I have TPM2.0 which complicates things.



Would you please advice? Is it possible to decrypt LUKS (or a disk encrypted differently) non-interactively, during boot, keeping keys/password/code secure?







security luks cryptography






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Sep 13 at 13:26









Goro

5,47052460




5,47052460










asked Sep 13 at 13:03









Kamil

4291516




4291516











  • Gentoo Wiki - Self-Decrypting Server (Archlinux) but calling it secure is a bit of a stretch.
    – frostschutz
    Sep 13 at 13:21











  • You may go with this approach: unix.stackexchange.com/q/5017/171196
    – muhammad
    Sep 13 at 13:46
















  • Gentoo Wiki - Self-Decrypting Server (Archlinux) but calling it secure is a bit of a stretch.
    – frostschutz
    Sep 13 at 13:21











  • You may go with this approach: unix.stackexchange.com/q/5017/171196
    – muhammad
    Sep 13 at 13:46















Gentoo Wiki - Self-Decrypting Server (Archlinux) but calling it secure is a bit of a stretch.
– frostschutz
Sep 13 at 13:21





Gentoo Wiki - Self-Decrypting Server (Archlinux) but calling it secure is a bit of a stretch.
– frostschutz
Sep 13 at 13:21













You may go with this approach: unix.stackexchange.com/q/5017/171196
– muhammad
Sep 13 at 13:46




You may go with this approach: unix.stackexchange.com/q/5017/171196
– muhammad
Sep 13 at 13:46















active

oldest

votes











Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f468792%2fluks-secure-automated-decryption%23new-answer', 'question_page');

);

Post as a guest



































active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes















 

draft saved


draft discarded















































 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f468792%2fluks-secure-automated-decryption%23new-answer', 'question_page');

);

Post as a guest













































































Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?