I am investigating different options in order to upgrade my private server.
My main concern is defending against a threat model where an attacker breaks in physically and wants to access the server data.
I understand that there will be parts that are stored encrypted such as password manager files or backups, but what about the rest for example files on a nextcloud server that need to be synchronized?
Is there any protection against this threat?
Does start9 support LUKS-style volume encryption?
What protection is there against physical access when data is not at rest?
Anyone who takes physical possession of your server, encrypted or otherwise, you have to assume they’ll have access to the data eventually. This is standard practice in modelling threats.
Protection against theft is probably outside the scope of what I can offer advice for, especially as you seem to suggest some kind of holding you hostage to get your data (in which case wouldn’t you just offer up your password rather than die anyway??) For simple robbery, perhaps I could recommend a server safe.
That said, the data on the drive of a StartOS machine is rudimentarily protected: a layperson would probably wipe the drive and reuse it rather than try to work it up, whereas someone who knows how StartOS works would get in pretty easily. As you say, Vaultwarden is encrypted yet again, whereas Nextcloud is not; they’d be able to access your files.
To add a little detail to this conversation, data on your Nextcloud service can also be protected.
It is not on by default, but you can go into the Nextcloud administration settings and under “Security” activate the option for server-side encryption.
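The admin UI toggle described above has a command-line equivalent through Nextcloud's occ tool; the script below is an added example, not code from the thread or from the Nextcloud project, that enables server-side encryption and then encrypts files that already exist. It assumes a Nextcloud install at /var/www/nextcloud run as www-data (both overridable through NC_DIR and NC_USER), and the `occ encryption:status` text it checks is a constructed sample of that command's output.

```shell
#!/bin/sh
# Enable Nextcloud server-side encryption with occ (added example; assumes
# a standard Linux install, paths and user below are assumptions).
NC_DIR="${NC_DIR:-/var/www/nextcloud}"
NC_USER="${NC_USER:-www-data}"

# Run occ as the web server user so created key files get the right owner.
occ() {
    sudo -u "$NC_USER" php "$NC_DIR/occ" "$@"
}

# Takes the text printed by `occ encryption:status` and returns 0 only when
# it reports "enabled: true"; used as a post-condition check below.
encryption_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]-]*enabled:[[:space:]]*true[[:space:]]*$'
}

enable_sse() {
    occ app:enable encryption          # the "Default encryption module" app
    occ encryption:enable              # same switch as the Security page
    status="$(occ encryption:status)"
    if ! encryption_enabled "$status"; then
        echo "server-side encryption is still reported as disabled" >&2
        return 1
    fi
    # Enabling only affects files written from now on; files already in
    # the data directory stay in cleartext until encrypt-all processes
    # them. This command is interactive and asks for confirmation.
    occ encryption:encrypt-all
}

# Run the procedure only when explicitly asked, so sourcing the file for
# its functions has no side effects.
if [ "${1:-}" = "--run" ]; then
    enable_sse
fi
```

Note that the encryption keys this creates live in the same data directory and config.php as the files they protect, so server-side encryption alone does not cover the physical-theft case asked about above; it protects the storage layer, not the server itself.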