Daniel LakelandSep 30, 2025

I've got a number of older hard drives I'd like to destroy to the point where ordinary effort by someone like me makes them unreadable. I tried drilling a hole through one of them, and it worked, but it was surprisingly hard to do, the hard drive case is I guess fairly hard steel.

I'm thinking I should probably do encrypted drives from now on. The time cost to wipe drives by writing random data is in the hours and hours now.

Show threadDaniel LakelandSep 30, 2025
anyway, anyone have a favorite safe and relatively quick way to destroy 3.5 inch hard drives?
Show threadDaniel Lakeland
Also, is there an easy linux scheme where you have a small partition with the encryption keys and the rest of the partitions are encrypted, and the system can boot without someone at the keyboard to type a password, but you can render the drive useless by overwriting random data on the 10MB key partition or whatever? I'm sure this is doable, but is there a system that makes it easy?
Sep 30, 2025 at 6:44pmWeb
Show threadDaniel LakelandSep 30, 2025
I mostly know about LUKS, but what I know requires you to type a passphrase on boot. so I want something that doesn't do that so when power goes out and my machine reboots on its own it boots up using the stored key, and then I can easily wipe the key if desired.
Show threadJulio J. 🀲Sep 30, 2025

@dlakelan you can use LUKS with a key file instead of a passphrase, that should do what you want (if I'm understanding correctly)

https://wiki.archlinux.org/title/Dm-crypt/System_configuration#Unlocking_with_a_keyfile

dm-crypt/System configuration - ArchWiki

Show threadDaniel LakelandSep 30, 2025

@j3j5

Can you do it at boot though? Like, / is encrypted and an initramfs knows to mount the /keys partition and grab the keyfiles there?

Show threadJulio J. 🀲Sep 30, 2025
@dlakelan I guess...I've never done it. On my current setup I have / encrypted with a passphrase and then inside, I have keyfile that unlocks /home afterwards. I guess if you store the keys on /boot or other accessible filesystem it should work, but I've never done it myself.
Show threadDaniel LakelandSep 30, 2025

@j3j5

It's probably good enough for me to do /home on an encrypted partition and have / mount /keys and use that for keyfiles for /home. You don't learn much by knowing what software I've installed on /

Show threadslateySep 30, 2025

@dlakelan

For manual control and maximum security on a few systems, use Method 1 (Dropbear SSH). It is reliable and simple to set up.
For a fleet of servers that require automatic reboots, Method 2 (NBDE with Clevis/Tang) is the best choice, offering a centrally managed and automated solution.
If your server has the necessary hardware and you need fully automated reboots without network dependency, Method 3 (TPM) offers a highly secure and convenient option.

Show threadAlexey AbramovSep 30, 2025

@dlakelan I haven't tried this

https://docs.nitrokey.com/nitrokeys/features/openpgp-card/hard-disk-encryption/luks

Full-Disk Encryption With cryptsetup/LUKS - Nitrokey Documentation