I’m trying to build a headless server that has sensitive data on it and needs full disk encryption. I want it protected from physical theft, and as far as I can brainstorm, that means at boot, the storage has to be unlocked manually. I know I can do this with remote access through a remote console IPMI board, but was wondering if I’ve just missed a way to solve this problem without using extra hardware. Have any of you homelabbers dealt with this problem set without using IPMI cards?

  • SamSausages@alien.topB
    10 months ago

    I do this with ZFS using a Keyfile and a script that runs at boot to unlock/mount.

    I put the keyfiles on a USB drive. (Make sure you have backups!) This USB drive is hidden. I won’t go into details on how I did that; there are several ways to do it, and you can get pretty creative.

    If someone steals my server, they need to know where I hid my USB, or they won’t be able to get to any of the encrypted datasets.
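
A boot-time unlock script of the kind this comment describes could look like the following. It is an added example, not SamSausages's own script; the drive label, mount point, keyfile name and dataset name are all assumptions.

```shell
#!/bin/sh
# Added example: boot-time ZFS unlock from a keyfile on a removable drive.
# Every name below is an assumption; override them from the environment.
KEY_DEV="${KEY_DEV:-/dev/disk/by-label/ZFSKEYS}"  # hypothetical label of the key drive
KEY_MNT="${KEY_MNT:-/run/zfskeys}"                # mount point under /run (tmpfs)
KEY_FILE="${KEY_FILE:-tank.key}"                  # hypothetical keyfile name
DATASET="${DATASET:-tank/secure}"                 # hypothetical encrypted dataset

log() { echo "zfs-unlock: $*" >&2; }

# Mount the key drive read-only, load the key, then unmount the drive again
# so the keyfile is not readable from the running system afterwards.
load_key() {
    [ -e "$KEY_DEV" ] || { log "key drive $KEY_DEV not present"; return 2; }
    mkdir -p "$KEY_MNT" || return 1
    mount -o ro,noexec,nosuid,nodev "$KEY_DEV" "$KEY_MNT" || { log "cannot mount key drive"; return 1; }
    rc=0
    if [ -r "$KEY_MNT/$KEY_FILE" ]; then
        zfs load-key -L "file://$KEY_MNT/$KEY_FILE" "$DATASET" || rc=1
    else
        log "keyfile $KEY_FILE missing on key drive"; rc=3
    fi
    umount "$KEY_MNT" || log "warning: key drive still mounted at $KEY_MNT"
    return "$rc"
}

# Returns 0 once the dataset is unlocked and mounted. On any failure the
# dataset stays locked; there is no fallback to a key stored on the server.
unlock_dataset() {
    status=$(zfs get -H -o value keystatus "$DATASET") || { log "cannot query $DATASET"; return 1; }
    if [ "$status" != "available" ]; then
        load_key || return $?
    fi
    [ "$(zfs get -H -o value mounted "$DATASET")" = "yes" ] || zfs mount "$DATASET"
}

# Only act when called as: zfs-unlock.sh --run (e.g. from a boot-time unit).
if [ "${1:-}" = "--run" ]; then
    unlock_dataset
fi
```

If the key drive is absent at boot, the script exits non-zero and the dataset simply stays locked until the drive is plugged in and the script is run again.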