I use NBD for my single-user NAS. You can use FDE (full disk encryption, LUKS) client-side.

The system managing the physical block devices never sees unencrypted data.

Such a setup shines when you use a laptop as your main machine and wish to have a lot of secure storage. The approach I chose was to bond ethernet & wifi6e, use WireGuard (w/ PSK), and wander the house with uninterrupted access.

This sounds really interesting, as in: It's the thing I didn't know I've been looking for because I didn't know it existed.

Could you elaborate on your NBD setup? (What do you use for the server?) And what kind of latencies do you see when you're at home / not at home? How do you handle backups? (Do you back up the encrypted blob server-side or do you back up the unencrypted data client-side, at the cost of having to deal with (probably) limited bandwidth & latencies.)

I just use nbd-server, nbd-client (kernel module nbd). While at home things are fine. When not at home things can get bad unless you use something like UDPspeeder <https://github.com/wangyu-/UDPspeeder>; then you just need to deal with slower speeds.

I do backups with borg while connected to the NAS with ethernet.