I was recently intrigued to learn that only half of the respondents to a survey said that they used disk encryption. Android, iOS, macOS, and Windows have been increasingly using encryption by default. On the other hand, while most Linux installers I’ve encountered include the option to encrypt, it is not selected by default.
Whether it’s a test bench, beater laptop, NAS, or daily driver, I encrypt for peace of mind. Whatever I end up doing on my machines, I can be pretty confident my data won’t end up in the wrong hands if the drive is stolen or lost and can be erased by simply overwriting the LUKS header. Recovering from an unbootable state or copying files out from an encrypted boot drive only takes a couple more commands compared to an unencrypted setup.
But that’s just me and I’m curious to hear what other reasons to encrypt or not to encrypt are out there.
I do not as I do not have any sensitive data and what data is sensitive are the digital documents which are securely encrypted by default via id card and its passwords.
If I start having something worth protecting I will turn on Fedora’s encryption. But until then anyone who manages to steal my 100 eur ThinkPad and guess its password is welcome to try out Linux and see if they like it I guess.
They don’t need to guess the password. If you don’t have full disk encryption I can just run another OS in live mode and mount your drive and read everything. And even change the password to your Fedora, by changing the hash in the shadow file.
Oh no, if they changed the password and I got it back somehow, I could finally have an excuse to try out Mint.
Yes absolutely, it is the building block of my security posture. I encrypt because I don’t want thieves to have access to my personal data, nor do I want law enforcement or the state to have access if they were to raid my house. I’m politically active and a dissident so I find it vital to keep my data secure and private, but frankly everybody should be doing it for their own protection and peace of mind.
Most mobile/laptop devices should be encrypted by default. They are too prone to loss or theft. Even that isn’t sufficient with border crossings where you are probably better off wiping them or leaving them behind.
My desktop has no valuable data like crypto, sits in a locked and occupied house in a small rural community with relatively low crime (public healthcare, social security, aging population). I have no personal experience of property theft in over half a decade.
I encrypt secrets with a hardware key. They are only accessed as needed. This is a much more appropriate solution than whole disk encryption for my circumstances. Encrypting Linux packages and Steam libraries doesn’t offer any practical benefit and unlocking my filesystem at login would not protect from network exfiltration which is a more realistic risk. It adds overhead and another point of failure for no real benefit.
Asahi Linux doesn’t support encryption and getting it to work requires a lot of steps and that I reinstall it which I don’t have time for, so I don’t have it enabled on my laptop, and if it gets stolen or confiscated I’m fucked.
I have it enabled on my server and phone.
@sudoer777 @monovergent, create an encrypted container? It’s a little tedious, but fairly distro agnostic.
Edit: Definitely throw together scripts to simplify the process of unlocking and mounting.
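The unlock-and-mount helper suggested above, as an added example that is not part of the original thread. It assumes an existing LUKS container file and `cryptsetup`; the default paths and the mapper name `vault` are hypothetical.

```sh
#!/bin/sh
# Added example: open/close a LUKS container file with cryptsetup.
# CONTAINER, MAPPER_NAME and MOUNT_POINT are hypothetical defaults.
CONTAINER="${CONTAINER:-$HOME/vault.img}"
MAPPER_NAME="${MAPPER_NAME:-vault}"
MOUNT_POINT="${MOUNT_POINT:-$HOME/vault}"

# Run a command, or only print it when DRY_RUN=1 (to review the steps first).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

vault_open() {
    if [ ! -f "$CONTAINER" ]; then
        echo "no container file at $CONTAINER" >&2
        return 1
    fi
    # Stop early if the file does not carry a LUKS header.
    run sudo cryptsetup isLuks "$CONTAINER" || return 1
    # cryptsetup attaches a loop device for a file and prompts for the passphrase.
    run sudo cryptsetup open "$CONTAINER" "$MAPPER_NAME" || return 1
    run mkdir -p "$MOUNT_POINT"
    # nosuid,nodev: ignore setuid bits and device nodes stored inside the container.
    if ! run sudo mount -o nosuid,nodev "/dev/mapper/$MAPPER_NAME" "$MOUNT_POINT"; then
        # Do not leave the decrypted mapping open when the mount fails.
        run sudo cryptsetup close "$MAPPER_NAME"
        return 1
    fi
}

vault_close() {
    # Unmount first; closing the mapping wipes the key from kernel memory.
    run sudo umount "$MOUNT_POINT" || return 1
    run sudo cryptsetup close "$MAPPER_NAME"
}

# Usage: vault.sh open | vault.sh close
case "${1:-}" in
    open)  vault_open ;;
    close) vault_close ;;
esac
```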
My issue is that I can never remember “a couple more commands” for the life of me. And I use Arch BTW, so the likelihood of me needing those is a bit higher than usual.
No, I don’t encrypt. I am a grown ass man and I rarely take my laptop out of my home. I don’t have any sensitive data on my various machines. I do use secure and encrypted cloud services to store things that I consider a security risk. Everything else is useless to a potential intruder.
My laptops are encrypted in case they get stolen or someone gets access to them at uni.
I use encryption on laptops, because they can be stolen in the train, bus, etc. On work desktop, I do so as well, because there are many people around. However, on everything that stays at home, I prefer not to use it to simplify things and get more performance.
I don’t even know how to do it
Tick a box when installing some distros. Like openSUSE.
Never got it when installing Ubuntu. Any way of enabling it after install?
I don’t believe it is possible to do after install.
…well, technically, yes.
If you are well-versed in the guts of the distro (grub, /etc/fstab, /etc/crypttab…), and have extra space, you could spend part of your weekend shifting partitions around and moving everything to the encrypted side, and eventually re-configuring your install and removing the old part. (Oh and don’t forget to chown your /home data if you have multiple users.) I’ve been there, it’s not fun. It’s fun[tm]. It’s just far easier and less error prone to re-install if you can.
(Yeah, I’m stretching the definition of “enabling it” reeealy thin here… 🙃 )
I mean yes… but realistically no. Also the risk of data loss at that point is high. You will miss things. The best approach would be to make a proper backup, reinstall, and put the data back.
I would strongly encourage people to encrypt their on site data storage drives even if they never leave the house and theft isn’t a realistic thing that can happen.
The issue is hard drive malfunction. If a drive has sensitive data on it and malfunctions, it becomes very hard to destroy that data.
If that malfunctioning hard drive was encrypted you can simply toss it into an e-waste bin worry free. If that malfunctioning drive was not encrypted you need to break out some heavy tools to ensure that data is destroyed.
If that malfunctioning drive was not encrypted you need to break out some heavy tools to ensure that data is destroyed.
If by heavy tools, you mean a screwdriver and an angle grinder, then yeah, but it’s not that hard in reality.
If your drive starts malfunctioning, then without encryption you might be able to read some sectors and recover a few things. With encryption you are SOL.
Great point.
I provided reasons why I encrypted my drives but this one is even better.
(Another one could be if you need to get your computer to a repair shop, and for some reason you can’t just remove the drive.)
I just encrypt devices that leave the house. I do have access to a hard drive crusher if I lose a drive (recently crushed a tablet that wouldn’t power on)
1 Torx screwdriver, 1 hammer
not the hardest thing to scratch up the platters and then fold them into abstract art
True. This does work. But it is less secure and much harder than just tossing an encrypted HDD into an e-waste bin. It probably is more fun though. 🤔
I don’t bother to take out the screws. I just drill a handful of holes through the whole thing. Or if you’re really paranoid a MAPP torch is enough to melt the whole thing (don’t breathe the smoke).
Every endpoint device I use is using full disk encryption, yes.
Had nosey cops trying to get into my phones illegally recently… do not understand people that don’t encrypt shit
I don’t really see the point. If someone’s trying to access my data it’s most likely to be from some kind of remote exploit so encryption won’t help me. If someone breaks into my house and steals my computer I doubt they’ll be clever enough to do anything with it. I guess there’s the chance that they might sell it online and it gets grabbed by someone who might do something, but most of my important stuff is protected with two factor authentication. It’s getting pretty far fetched that someone might be able to crack all my passwords and access things that way.
It’s far more likely that it’s me trying to recover data and I’ve forgotten my password for the drive.
I don’t wanna risk losing anything on the drive that’s important.
May I suggest a technique for remembering the password?
write it down
but instead of writing down the password, write down questions that only you can reasonably answer. For example:
- what was the name of the first girl I kissed?
- where did I go to on summer camp?
- which special event happened there?
and the answer would be: “mary beach rodeo” or idk what. this way, you construct a password out of multiple words that each are an answer to a simple question.
Maybe I might try this, and am open to advice :)
mary beach rodeo
thank you for sharing your password 😜
That is a good reason to backup, but has nothing to do with encryption.
I meant if I lose my encryption key I lose the data on the disk.
That is a good reason to backup, but has nothing to do with encryption.
(For real though I have a backup of all of my drive LUKS headers stored on several media types on and off site.)
How would backing up help with that, though, assuming the backups are also encrypted?
I meant if I lose my encryption key I lose the data on the disk.
If they lose the key they lose the data in the backups, too. So that concern is not a good reason to backup, in my eyes.
Then, if the backups are not encrypted, then doesn’t that undermine the value of encrypting your drive/user data partition in the first place?
That is a good reason to backup
This is true.
but has nothing to do with encryption.
I disagree with this. If you forget the password for decrypting your drive, then you will have lost “anything on the drive that’s important”. I know because it happened to me long ago, and so now I too have been wary of disk encryption ever since then.
Encryption and backup are orthogonal domains. If you don’t understand why, I’m sure you’re not going to take a random stranger’s opinion on the subject.
Mind expanding just a bit though? IMHO it’s not orthogonal in the sense that either your backups are:
- unencrypted and thus your data is safe (you have copies you can access despite losing your keys) but not secure (someone else can read the content too)
- encrypted and thus your data is NOT safe if you lose your keys but secure
Isn’t it?
No. I break my system occasionally and then it’s a hassle.
This is one of those moments where “skill issue” fully applies 😁
Keep learning, friend, I’ve been there and Linux is a journey