Too late! The power of @-mentions compels me!
Yes, the default way of doing full-disk encryption means you’re entering a passphrase at the console on every reboot. For servers, that’s somewhere between annoying and a showstopper, depending on factors like whether you have access to the console during boot (via IPMI or in a VM), what your uptime requirements are, how often unexpected reboots happen, and the probable delay between someone noticing the unexpected reboot has happened (coughmonitoringcough) and being able to enter the passphrase.
The “access to the console” problem can be ameliorated by installing the dropbear-initramfs
package; it provides a minimal SSH server available before the system is booted, so you can SSH in and enter the unlock passphrase. It doesn’t solve any of the other problems, though. The other way around this problem is to not encrypt the root filesystem, but only the data filesystems; that requires you to partition appropriately, and script the unlock/mount sequence yourself. It is, however, a viable alternative if you’re not running a distro with dropbear-initramfs
or equivalent available.
If you’re running a larger cluster, you can avoid the downtime problems of delayed unlock with proper replication and high availability. Basically, if your setup could withstand a machine just up and dying (not a crash-and-needs-a-reboot, but “catches fire”-grade failure) without impacting availability, then it taking a few hours for someone to login and enter a passphrase isn’t going to be a problem either.
Another way to avoid the passphrase problem in a larger cluster is to run something like Mandos, where machines provide each other the unlock passphrase at boot. It’s not as secure as manual entry, but it guards against all but the most determined of deliberate attacks (that FDE would otherwise guard against; ie offline attacks).
Finally, the gold standard holy grail of FDE is to use the TPM (if the machine has one) to store the unlock passphrase. In order to do that properly, though, you need to fully enable secure boot (with all its attendant complexity and risks), because it’s a bit pointless to use the TPM to store the passphrase if an attacker could just ask it nicely to cough up the creds.
Security is hard. Let’s go debugging!