[Samba] LUKS (disk encryption) and samba shares --no issue, just want advice.

John Ericsson zendal.darkman at gmail.com
Tue May 10 17:06:50 UTC 2022

We have been audited and failed :-(
We need to have disk encryption *at rest* on all devices holding personal
data, including our samba servers.

We have two disks (one for the OS (/) and one mounted for the shares (e.g. /samba)).
All the shares under /samba must be encrypted.

We can either encrypt the OS and mount "/samba" with a decryption password.
So on startup we get a prompt before it properly boots and that decrypts
the OS, and in turn the decryption password will be stored within "/" and
used to decrypt "/samba".

Alternatively, we only encrypt the /samba disk, and we have to SSH into
the server and manually type in the password every time it reboots (that is
not an issue for us). However, of course, on startup samba will try to share
files that are not yet decrypted.

Any thoughts?
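
The second option described above (encrypt only the /samba disk, unlock it by hand over SSH, and keep Samba from serving the path before then), as an added example that is not part of the original post. The device /dev/sdb1, the mapper name samba_crypt, the ext4 filesystem and the smbd unit name are assumptions.

```shell
#!/bin/sh
# Added example. Assumed names: /dev/sdb1 is the LUKS partition,
# samba_crypt the mapper name, smbd the Samba service unit.
#
# One-time setup so nothing touches /samba at boot:
#   /etc/crypttab:  samba_crypt  /dev/sdb1  none  luks,noauto
#   /etc/fstab:     /dev/mapper/samba_crypt  /samba  ext4  noauto  0 0
#   systemctl disable smbd
# Optional drop-in /etc/systemd/system/smbd.service.d/luks.conf so a stray
# "systemctl start smbd" is skipped while the disk is still locked:
#   [Unit]
#   ConditionPathIsMountPoint=/samba

# share_is_unlocked MOUNTPOINT MAPPER_NAME [MOUNTS_TABLE]
# Succeeds only if the topmost mount on MOUNTPOINT is /dev/mapper/MAPPER_NAME,
# i.e. the share path is backed by the opened mapping and not by the empty
# directory on the unencrypted root disk.
share_is_unlocked() {
    awk -v mp="$1" -v want="/dev/mapper/$2" '
        $2 == mp { src = $1 }        # last entry wins (stacked mounts)
        END { exit !(src == want) }  # no entry at all also fails
    ' "${3:-/proc/self/mounts}"
}

# unlock_and_start [DEVICE] [MAPPER_NAME] [MOUNTPOINT]
# Run as root over SSH after each reboot. Samba is started only once the
# mount has been verified.
unlock_and_start() {
    dev=${1:-/dev/sdb1} name=${2:-samba_crypt} mp=${3:-/samba}
    cryptsetup open "$dev" "$name" || return 1    # prompts for the passphrase
    mount "/dev/mapper/$name" "$mp" || return 1
    share_is_unlocked "$mp" "$name" || {
        echo "$mp is not mounted from $name, not starting smbd" >&2
        return 1
    }
    systemctl start smbd
}
```

Source the file and call `unlock_and_start` after logging in; the same `share_is_unlocked` check can be reused by monitoring to alert when smbd is running while /samba is not on the encrypted mapping.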

