I’d encrypt all disks.
Nevertheless, it covers my ass when they retire the server after I used it.
Good point. How do you unlock the disk at boot time? dropbear-initramfs and enter the passphrase manually every time it boots? Unencrypted /boot/ and store the decryption key in plaintext there?
I run OpenBSD on all my servers so I would be entering the passphrase manually at boot time. Saving the key on unencrypted /boot is basically locking your door and leaving the key on it :)