I am contemplating adding encryption to my OMV-based NAS and I am trying to understand what the best practices are.
I am rather a newbie when it comes to encryption in Linux, so please forgive this question if it has already been discussed.
I have read a number of threads about LUKS; however, I struggle to find information about what types of encryption are available (i.e. passphrase, key file, etc.) and where these can be stored (i.e. must be provided at boot, on file system, etc.).
What I would love to achieve is a setup whereby if a USB key with a decryption key is plugged into the server, then all the data drives can be decrypted; otherwise, if this USB key is removed, the data should not be accessible.
Is this possible?
As an additional security measure, I would love to be able to have all the data wiped after N attempts (let's say 3) to boot the system without the decryption key inserted.
Is this something achievable?
Would this idea of storing the decryption key on a USB drive be overkill, and would perhaps a passphrase suffice instead?
Supposing this is the case, and therefore supposing a passphrase would be enough, would the encryption "safety" depend on the length of the passphrase itself or would a 24-character passphrase be as safe as a 48-character passphrase?