I would like to protect the data on my backup system, in case it gets (physically) stolen. I would encrypt the hard drives where the data resides.
Since the backup system typically acts non-interactive (wake-on-lan and rsync/ssh), I would like to avoid entering a password each time it gets booted.
What could be a suitable way to achieve this?
I think I would need to have a keyfile that unlocks the encrypted drive, which does not reside on the backup system itself (unless it is fully encrypted, with the same boot/password problem).
Are there any common strategies for this?
I thought about having the keyfile stored on a 2nd machine on the local network that is running 24/7 (such as RaspberryPi), and is either fully encrypted or is standing in a different room. The backup system would mount the remote filesystem with the keyfile on it. Any drawbacks for this?
The other ‘solution’ I thought of would be to not fully shutdown the backup machine after copying data, but just suspend it – which requires just occasionally entering a password.