I'm planning a homemade NAS build with the following features:
- Standard Ubuntu server installation with SSH server
- Two Btrfs RAID1 drives on encrypted HDDs with dm-crypt
- NFS shared folders from within the Btrfs RAID
- Headless/limbless: Box sits in a corner without any display or peripherals
The idea is to have a redundant and checksummed network storage that is encrypted, so no personal data can be read in case it gets stolen.
The problem I'm expecting is that if the system needs to be restarted (because of power outage or a kernel update), I can't manually unlock the drives on boot, because there is no video/keyboard attached. That means that the drives can't be decrypted and the Btrfs RAID is not opened on boot, which means no NFS share is available.
Has anybody attempted this and what is the best way to unlock the drives?
Is there a way to load SSH early enough to be able to enter the drive unlock key from another system?
I also thought about using a keyfile in a dm-crypt keyslot, but that would be a huge security hit, because a potential thief could just retrieve it or boot the system as it is.