I was recently intrigued to learn that only half of the respondents to a survey said that they used disk encryption. Android, iOS, macOS, and Windows have been increasingly using encryption by default. On the other hand, while most Linux installers I’ve encountered include the option to encrypt, it is not selected by default.
Whether it’s a test bench, beater laptop, NAS, or daily driver, I encrypt for peace of mind. Whatever I end up doing on my machines, I can be pretty confident my data won’t end up in the wrong hands if the drive is stolen or lost and can be erased by simply overwriting the LUKS header. Recovering from an unbootable state or copying files out from an encrypted boot drive only takes a couple more commands compared to an unencrypted setup.
But that’s just me and I’m curious to hear what other reasons to encrypt or not to encrypt are out there.
My issue is that I can never remember “a couple more commands” for the life of me. And I use Arch BTW, so the likelihood of me needing those is a bit higher than usual.
I wanted to but everyone on Lemmy told me I was an idiot for wanting a feature Mac and Windows have had for a decade (decrypt on login) .
But seriously it’s just not there on Linux yet. Either you encrypt and have two passwords, or give up convenience features like biometrics. Anything sensitive lives somewhere else.
You’re an idiot, go back to macOS you fucking normie
(/s, I’m also waiting for TPM encryption + user home encryption)
Clevis pretty much does TPM encryption and is in most distros’ repos. I use it on my Thinkpad. It would be nice if it had a GUI to set it up; more distros should have this as a default option.
You do have to have an unencrypted boot partition, but the issues with this can at least in be mitigated with PCR registers, which I need to set up.
How hard is clevis to setup?
I’ve seen it referenced for encrypted servers, but I haven’t tried setting it up.
Unencrypted boot is unfortunate. What are PCR registers?
(Note: Anything I say could be B.S. I could be completely misunderstanding this.)
Clevis isn’t too difficult to set up - Arch Wiki documents the process really well. I’ve found it works better with dracut that mkinitcpio.
As for PCR registers (which I haven’t set up yet but should), what I can tell, it sets the hash of the boot partition and UEFI settings in the TPM PCR register so it can check for tampering on the unencrypted boot partition and refuse to give the decryption keys if it does. That way, someone can’t doctor your boot partition and say, put the keys on a flash drive - I think they’d have to totally lobotomize your machine’s hardware to do it, which only someone who has both stolen your device and has the means/budget to do that would do.
You do need to make sure these registers are updated every kernel update, or else you’ll have to manually enter the LUKS password the next boot and update it then. I’m wondering if there’s a hook I can set up where every time the boot partition is updated, it updates PCR registers.
I don’t wanna risk losing anything on the drive thats important .
That is a good reason to backup, but has nothing to do with encryption.
That is a good reason to backup
This is true.
but has nothing to do with encryption.
I disagree with this. If you forget the password for decrypting your drive, then you will have lost “anything on the drive that’s important”. I know because it happened to me long ago, and so now I too have been wary of disk encryption ever since then.
Encryption and backup are orthogonal domains. If you don’t understand why, I’m sure you’re not going to take a random strangers’ opinion on the subject.
Mind expanding just a bit through? IMHO it’s not orthogonal in the sense that either your backups are :
- unencrypted and thus your is are safe (you have copies you can access despite losing your keys) but not secure (someone else can read the content too)
- encrypted and thus your data is NOT safe if you lose your keys but secure
Isn’t it?
I meant if I lose my encryption key I lose the data on the disk.
That is a good reason to backup, but has nothing to do with encryption.
(For real though I have a backup of all of my drive LUKS headers stored on several media types on and off site.)
How would backing up help with that, though, assuming the backups are also encrypted?
I meant if I lose my encryption key I lose the data on the disk.
If they lose the key they lose the data in the backups, too. So that concern is not a good reason to backup, in my eyes.
Then, if the backups are not encrypted, then doesn’t that undermine the value of encrypting your drive/user data partition in the first place?
May i suggest a technique for remembering the password?
write it down
but instead of writing down the password, write down questions that only you can reasonably answer. For example:
- what was the name of the first girl i kissed?
- where did i go to on summer camp?
- which special event happened there?
and the answer would be: “mary beach rodeo” or idk what. this way, you construct a password out of multiple words that each are an answer to a simple question.
mary beach rodeo
thank you for sharing your password 😜
Maybe I might try this, and am open to advice :)
I don’t think I encrypt my drives and the main reason is it’s usually not a one-click process. I’m also not sure of the benefits from a personal perspective. If the government gets my drives I assume they’ll crack it in no time. If a hacker gets into my PC or a virus I’m assuming it will run while the drive is in an unencrypted state anyway. So I’m assuming it really only protects me from an unsophisticated attacker stealing my drive or machine.
Please educate me if I got this wrong.
A big benefit of encryption is that if your stuff is stolen, it adds a lot of time for you to change passwords and invalidate any signed in accounts, email credentials, login sessions, etc.
This is true even if a sophisticated person steals the computer. If you leave it wide open then they can go right in and copy your cookies, logins, and passwords way faster. But if it’s encrypted, they need to plug your drive into their system and try to crack your stuff, which takes decent time to set up. And the cracking itself, even if it takes only hours, would be even more time you can use to secure your online accounts.
On Linux, my installs always had a checkbox plus a password form for the encryption.
I think this is true for computers that are in danger of being stolen. Laptops or PCs in dorms or other shared living spaces. But I live in a relatively secure area, burglaries are very rare and my PC never leaves the building. So the benefits of encryption are pretty much negligible.
What are the downsides to encryption? Though you may have negligible benefits, if there are also negligible downsides then the more secure option should be chosen.
- The LUKS encryption can get corrupted
- The password may be forgotten
- harddrives can be corrupted, too. That’s where backups come in
- True, though one could use a security key or password manager to overcome that, or setup secure boot/TPM to where a password isn’t actually needed. If all else fails, again, backups.
So when the laptop dies, the disk cannot be read anywhere because the tpm is lost?
Correct, the hard disk in the laptop can not be read. This is where having a good backup strategy is important. Similar to how if your hard disk dies you’re no longer able to access the material on the hard disk. For me, the downsides of encryption do not outweigh the benefits of having my data secure.
I enabled full disk encryption during OS installation, set up a secure passphrase, and then set up automated encrypted backups to my home server, which are automatically backed up to a remote server.
I gain peace of mind in knowing that if my laptop is stolen I’m only out the cost of the laptop, the data within is still safe and secure.
GNOME disks is a nice GUI that lets you setup disks with ease. Encryption can be easily setup with it.
is it’s usually not a one-click process
It is, these days. Ubuntu and Fedora, for example. But you still have to select it or it won’t happen. PopOS, being explicitly designed for laptops, has it by default.
If the government gets my drives I assume they’ll crack it in no time.
Depends on your passphrase. If you follow best practice and go with, say, a 25-character passphrase made up of obscure dictionary words, then no, even a state will not be cracking it quickly at all.
If a hacker gets into my PC or a virus I’m assuming it will run while the drive is in an unencrypted state anyway.
Exactly. This is the weak link of disk encryption. You usually need to turn off the machine, i.e. lose the key from memory, in order to get the full benefits. A couple of consolations: (1) In an emergency, you at least have the option of locking it down; just turn it off - even a hard shutdown will do. (2) As you say, only a sophisticated attacker, like the police, will have the skills to break open your screenlocked machine while avoiding any shutdown or reboot.
Another, less obvious, reason for encrypting: it means you can sell the drive, or laptop, without having to wipe it. Encrypted data is inaccessible, by definition.
Encryption of personal data should be the default everywhere. Period.
Well said. LUKS implements AES-256, which is also entrusted by the U.S. government and various other governments to protect data from state and non-state adversaries.
It is a one click process if you use user friendly distros
Asahi Linux doesn’t support encryption and getting it to work requires a lot of steps and that I reinstall it which I don’t have time for, so I don’t have it enabled on my laptop, and if it gets stolen or confiscated I’m fucked.
I have it enabled on my server and phone.
@sudoer777 @monovergent , create an encrypted container? It’s a little tedious, but fairly distro agnostic.
Edit: Definitely throw together scripts to simplify the process of unlocking and mounting.
Yes. I have sensitive info in my PC (work credentials) and in the case of a break-in, last thing I want is to jeopardize my job.
I used to, but not anymore, except for my laptop I plan on taking with me travelling. My work laptop and personal laptop are both encrypted.
I figure my home is safe enough, and I only really need encryption if I’m going to be travelling.
Exactly the same rationale as mine.
Yep. Everything except my server, which needs to be able to boot without my help. Because why not? I rarely ever reboot anything, so it doesn’t really hurt, and if anyone steals my shit they won’t get my wife’s noods.
No, I don’t encrypt. I am a grown ass man and I rarely take my laptop out of my home. I don’t have any sensitive data on my various machines. I do use secure and encrypted cloud services to store things that I consider a security risk. Everything else is useless to a potential intruder.
I do encrypt my drives, and it’s not as transparent in Linux as it is in the others. I’m sure I could get a TPM setup for seamless boots, but I haven’t done that yet.
For mobile drivers, I still encrypt, but that locks them to one OS since LUKS isn’t cross platform. There is VeraCrypt for cross-platform encryption, but that’s one more thing to manage and install.
I do on all my devices that can as a matter of practice, not for any real threat. I’m interested to learn about how to set it up and use it on a daily basis including how to do system recoveries. I guess it’s largely academic.
Once I switched to linux as my daily driver, I didn’t have a need to do piracy anymore since all the software I need is FOSS.
Yes absolutely, it is the building block of my security posture. I encrypt because I don’t want thieves to have access to my personal data, nor do I want law enforcement or the state to have access if they were to raid my house. I’m politically active and a dissident so I find it vital to keep my data secure and private, but frankly everybody should be doing it for their own protection and peace of mind
I do not as I do not have any sensitive data and what data is sensitive are the digital documents which are securely encrypted by default via id card and its passwords.
If I start having something worth protecting I will turn on fedoras encryption. But until then anyone who manages to steal my 100 eur thinkpad and guess its password is welcome to try out linux and see if they like it I guess.
They don’t need to guess the password. If you don’t have full disk encryption I can just run another is in live mode and mount your drive and read everything. And even change the password to your fedora, by changing the hash in shadow file
oh no, if they changed the password and I got it back somehow, I could finally have an excuse to try out mint.
Every endpoint device I use is using full disk encryption, yes.
I don’t really see the point. If someone’s trying to access my data it’s most likely to be from kind of remote exploit so encryption won’t help me. If someone’s breaks into my house and steals my computer I doubt they’ll be clever enough to do anything with it. I guess there’s the chance that they might sell it online and it gets grabbed by someone who might do something, but most of my important stuff is protected with two factor authentication. It’s getting pretty far fetched that someone might be able to crack all my passwords and access things that way.
It’s far more likely that it’s me trying to recover data and I’ve forgotten my password for the drive.
