I was recently intrigued to learn that only half of the respondents to a survey said that they used disk encryption. Android, iOS, macOS, and Windows have been increasingly using encryption by default. On the other hand, while most Linux installers I’ve encountered include the option to encrypt, it is not selected by default.
Whether it’s a test bench, beater laptop, NAS, or daily driver, I encrypt for peace of mind. Whatever I end up doing on my machines, I can be pretty confident my data won’t end up in the wrong hands if the drive is stolen or lost and can be erased by simply overwriting the LUKS header. Recovering from an unbootable state or copying files out from an encrypted boot drive only takes a couple more commands compared to an unencrypted setup.
But that’s just me and I’m curious to hear what other reasons to encrypt or not to encrypt are out there.
Yes, and for the life of me I don’t understand why there isn’t a default LUKS with hibernate partition in the Debian installer.
I encrypt my laptop and desktops and I think it’s worth it. I regret encrypting my servers because they need passwords to turn on. I couldn’t figure out how to handle it when away.
Do your servers have TPM? Clevis might be the way to go; I use it on my Thinkpad and it makes my life easy. If the servers don’t have TPM, Clevis also supports this weird thing called Tang, which from what I can tell basically assures that the servers can only be automatically decrypted on your local network. If Clevis fails, you can have it fall back to letting you enter the LVM password.
I have not tried any of those three things: TPM, Clevis, or Tang. Thanks for recommending.
I tried to setup a keyfile on /, /boot, and /root.
I tried a keyfile on a usb
I also tried to use dropbear to allow ssh unlock.
Sadly these didn’t work and drove me crazy for two nights.
Cryptab should help.
I tried it. Wonder if I was doing something dumb…
Did you get it working, if your boot is encrypted (I think) then I think you may have a hard time. Its been about 7 years since I did it. But you can have fstab and crypttab setup to pass the password.
Any tips?
Servers are harder and not preconfigued if you want unattended boot. The first key has to come from somewhere typically to unlock the root partition. The other keys can then be stored on that encrypted partition and are typically referenced by crypttab for auto unlock.
The first key can come from anywhere you want such as attached media like a flash drive, a over the network say via ssh, from a key server, or from the TPM. Or you could remotely connect to the console. There are bunch of how tos out there. It amounts to customizing the boot process and the initramfs. It is not simple. What makes sense depends on the threat model.
With initramfs and dropbear you can make the password prompt accessible over ssh, so you can enter the password from anywhere.
Edit: For debian it is something like
- install dropbear
- configure dropbear for initramfs
- generate key pair
- generate initramfs
- You are done.
I used to, but then I nuked my install accidentally and I couldn’t recover the encrypted data. I nuke my installs fairly regularly. I just did again this past week while trying to resize my / and my /home partitions. I’ve resigned myself to only encrypting specific files and directories on demand.
My phone is fully encrypted though.
Your recovery problem was a backup issue not an encryption issue. Consider addressing the backup issue.
I have and I’ve concluded that I’m not made of money and therefore can’t afford to have multiple terabyte drives just lying around with redundant data just in case.
If I could afford it, then I wouldn’t have been resizing my ‘/’ partition to free up 80GB of space.
I use encryption on laptops, because they can be stolen in the train, bus, etc. On work desktop, I do so as well, because there are many people around. However, on everything that stay at home, I prefer not to use it to simplifiy things and get more performance.
I don’t even know how to do it
Tick a box when installing some distros. Like OoenSUSE.
Never got it when installing Ubuntu. Any way of enabling it after install?
I dont believe it is possible to do after install
…well, technically, yes.
If you are well-versed in the guts of the distro (grub, /etc/fstab, /etc/crypttab…), and have extra space, you could spend part of your weekend shifting partitions around and moving everything to the encrypted side, and eventually re-configuring your install and removing the old part. (Oh and don’t forget to chown your /home data if you have multiple users.) I’ve been there, it’s not fun. It’s fun[tm]. It’s just far easier and less error prone to re-install if you can.
(Yeah, I’m stretching the definition of “enabling it” reeealy thin here… 🙃 )
I mean yes… but realistically no. Also the risk of data loss at that point is high. you will miss things. the best approach would be to make a proper backup reinstall and put the data back.
Because it requires generating, memorizing and entering a secure password. Because Linux typically doesn’t support fingerprint readers or other biometrics.
You can just store the key in your TPM and then you don’t have to memorize anything.
I don’t but admittedly I don’t do much stuff on my laptop that’s super secure. it’s mainly for gaming and the odd programming project.
I don’t have FDE (BitLocker) enabled on my Windows 11 gaming PC. It sits in my house and has nothing on it but video games and video game related shit. I don’t even have my password manager installed for logging in to Steam, GoG or whatever other launcher. I manually type passwords in from the vault on my phone if the app doesn’t support QR code login like discord. Also I paid for this ridiculous m.2 nvme drive, I’m not going to just give up iops bc i want my game install files encrypted.
I don’t use FDE on my NAS. Again it doesn’t leave my house. I probably should I guess, bc there is some stuff on there that would cause me to have industry certs revoked if they leaked, but idk I don’t. Everything irreplaceable is backed up off site, but the down time it would take to rebuild my pirated media libraries from scratch vs just swapping disks and rebuilding has me leery.
I have FDE enabled on both my MacBooks. They leave the house with me, it seems to make sense.
I don’t use FDE on Linux VMs I create on the MacBooks, the disk is already encrypted.
My iphone doesn’t have the option to not use FDE I don’t think.
I use encrypted rsync backups to store NAS stuff in the cloud. I use a PGP key on my yubikey to further encrypt specific files on my MacBooks as required beyond the general FDE.
Yes. Encrypting your entire hard drive has basically been a tickbox in the Fedora installer for a long time now. No reason why I wouldn’t do it. It’s, easy, doesn’t give me any problems and improves my devices security with defence-in-depth. No brainer.
Mostly I don’t, but I want to start to. I only have one laptop encrypted and of course I keep my phones encrypted.
No need as none of them are networked
Do you physically crush and grind your drives once they are end-of-life?
I usually degauss them
SSDs?
Haven’t had one of those fail yet
I don’t for a pretty simple reason. I have a wife, if something ever happened to me then she could end up a creek without a paddle. So by not having it encrypted then, anyone kinda technical can just pull data off the drive.
Give her and your personal representatives the keys or access to the keys. Problem solved.
Same problem as you passwords and password manager.
BioMyth
I understand that giving the keys can partially solve the access problem. But she would still possibly be unable to use the device. Additionally, I don’t know that she would be capable of using the keys without additional assistance and we don’t have other techies in our community who could step up in that capacity.
I get it. Credential storage and recovery is a big issue. People vary in skill, ability to keep track of keys or remember how to use them, and they may not have a password manager, safe deposite box, or other locked storage to store them in.
If that’s the only reason, it’s not a great one. You could solve it by storing the password with your important documents.
I don’t encrypt my entire drive, but I do have encrypted directories for my sensitive data. If I did encrypt an entire drive, it would only be the drive containing my data not the system drive.
but I do have encrypted directories for my sensitive data
What do you use for encrypted directories? Ecryptfs?
I use Linux and it’s built in to my desktop environment. I just create a new vault.
Every endpoint device I use is using full disk encryption, yes.
I wanted to but everyone on Lemmy told me I was an idiot for wanting a feature Mac and Windows have had for a decade (decrypt on login) .
But seriously it’s just not there on Linux yet. Either you encrypt and have two passwords, or give up convenience features like biometrics. Anything sensitive lives somewhere else.
You’re an idiot, go back to macOS you fucking normie
(/s, I’m also waiting for TPM encryption + user home encryption)
Clevis pretty much does TPM encryption and is in most distros’ repos. I use it on my Thinkpad. It would be nice if it had a GUI to set it up; more distros should have this as a default option.
You do have to have an unencrypted boot partition, but the issues with this can at least in be mitigated with PCR registers, which I need to set up.
How hard is clevis to setup?
I’ve seen it referenced for encrypted servers, but I haven’t tried setting it up.
Unencrypted boot is unfortunate. What are PCR registers?
(Note: Anything I say could be B.S. I could be completely misunderstanding this.)
Clevis isn’t too difficult to set up - Arch Wiki documents the process really well. I’ve found it works better with dracut that mkinitcpio.
As for PCR registers (which I haven’t set up yet but should), what I can tell, it sets the hash of the boot partition and UEFI settings in the TPM PCR register so it can check for tampering on the unencrypted boot partition and refuse to give the decryption keys if it does. That way, someone can’t doctor your boot partition and say, put the keys on a flash drive - I think they’d have to totally lobotomize your machine’s hardware to do it, which only someone who has both stolen your device and has the means/budget to do that would do.
You do need to make sure these registers are updated every kernel update, or else you’ll have to manually enter the LUKS password the next boot and update it then. I’m wondering if there’s a hook I can set up where every time the boot partition is updated, it updates PCR registers.
