The idea is to provide a user with remote access to a block-level device, which can be formatted and encrypted locally. So, the server won’t have the encryption keys.
Throughput won’t be great, but hopefully it will exceed 1 MiB/s, which should be enough for most kinds of sensitive data.
Candidates for a block-level storage:
- NBD (Network Block Device)
- iSCSI
Authentication/authorization:
- NBD seems to support some kind of TLS authentication/authorization.
Over-SSH variant example: gavinhungry/ragnar on GitHub ("Mount an existing remote LUKS device with NBD over SSH").
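
The design above as client-side commands, with NBD tunnelled over SSH and LUKS applied on the client; this is an added example, not code from the original post or from ragnar. The host, export name, device paths and the DRY_RUN switch are assumptions, and the NBD server is assumed to listen only on the server's loopback interface.

```shell
#!/bin/sh
# Added example: attach/detach a remote NBD export and do all LUKS work locally.
# Host, export name, paths and the DRY_RUN switch are assumptions.
REMOTE="${REMOTE:-user@storage.example}"    # hypothetical SSH login on the server
EXPORT="${EXPORT:-vault}"                   # hypothetical NBD export name
PORT="${PORT:-10809}"                       # default NBD port
NBD_DEV="${NBD_DEV:-/dev/nbd0}"
MAPPER="${MAPPER:-remote_vault}"
MNT="${MNT:-/mnt/vault}"
CTL="${CTL:-/tmp/nbd-ssh.ctl}"              # SSH control socket, used to close the tunnel
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print the commands instead of running them

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# attach: set INIT=1 on first use to create the LUKS header and filesystem.
attach() {
  run modprobe nbd || return 1
  # The NBD server is assumed to listen on the server's loopback only,
  # so SSH provides both authentication and transport encryption.
  run ssh -f -N -M -S "$CTL" -o ExitOnForwardFailure=yes \
      -L "127.0.0.1:$PORT:127.0.0.1:$PORT" "$REMOTE" || return 1
  run nbd-client -N "$EXPORT" 127.0.0.1 "$PORT" "$NBD_DEV" || return 1
  if [ "${INIT:-0}" = "1" ]; then
    # Passphrase is typed on the client; only ciphertext blocks cross the tunnel.
    run cryptsetup luksFormat "$NBD_DEV" || return 1
  fi
  run cryptsetup open "$NBD_DEV" "$MAPPER" || return 1
  if [ "${INIT:-0}" = "1" ]; then
    run mkfs.ext4 "/dev/mapper/$MAPPER" || return 1
  fi
  run mount "/dev/mapper/$MAPPER" "$MNT"
}

# detach: tear down in reverse order so the key is dropped before the link.
detach() {
  run umount "$MNT" || return 1
  run cryptsetup close "$MAPPER" || return 1
  run nbd-client -d "$NBD_DEV" || return 1
  run ssh -S "$CTL" -O exit "$REMOTE"
}
```

Call `attach` with the default DRY_RUN=1 to review the printed plan, then rerun as root with DRY_RUN=0.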