I was recently intrigued to learn that only half of the respondents to a survey said that they used disk encryption. Android, iOS, macOS, and Windows have been increasingly using encryption by default. On the other hand, while most Linux installers I’ve encountered include the option to encrypt, it is not selected by default.
Whether it’s a test bench, beater laptop, NAS, or daily driver, I encrypt for peace of mind. Whatever I end up doing on my machines, I can be pretty confident my data won’t end up in the wrong hands if the drive is stolen or lost and can be erased by simply overwriting the LUKS header. Recovering from an unbootable state or copying files out from an encrypted boot drive only takes a couple more commands compared to an unencrypted setup.
But that’s just me and I’m curious to hear what other reasons to encrypt or not to encrypt are out there.
My laptops are encrypted in case they get stolen or someone gets access to them at uni.
I encrypt all my drives. Me and the people I know get occasionally raided by the police. Plus I guess also provides protection for nosy civilians who get their hands on my devices. Unlike most security measures, there is hardly any downside to encrypting your drives—a minor performance hit, not noticeable on modern hardware, and having to type in a password upon boot, which you normally have to do anyway.
Where do you live that you’re getting raided by the police? This sounds like one of those situations where they might use the wrench technique.
I don’t want to say where I live for anonymity reasons, but I will note that it’s fairly standard for political dissidents to be raided by any government so it doesn’t actually particularly narrow down my location.
What’s the wrench technique?
Ah lol sure. It depends on what level of state repression you’re looking at. Regular cops will just not bother trying to decrypt a drive if they don’t have the password and you don’t freely give it up (you have the right to refuse to provide a password here, it’s under the same kind of principle as having the right to not incriminate yourself), but I’m sure military intelligence etc will go to the wrench technique. Also deniable encryption for anything particularly sensitive is good for the old wrench technique.
For my laptop, yeah. I rarely actually use it though. For my desktop not so much. I really don’t keep that much personal information on it to begin with, and if someone breaks into my house they could probably get more by stealing the desk my computer is sitting on then by stealing the computer. It just feels like a silly thing to waste my time with.
I wanted to but everyone on Lemmy told me I was an idiot for wanting a feature Mac and Windows have had for a decade (decrypt on login) .
But seriously it’s just not there on Linux yet. Either you encrypt and have two passwords, or give up convenience features like biometrics. Anything sensitive lives somewhere else.
You’re an idiot, go back to macOS you fucking normie
(/s, I’m also waiting for TPM encryption + user home encryption)
Clevis pretty much does TPM encryption and is in most distros’ repos. I use it on my Thinkpad. It would be nice if it had a GUI to set it up; more distros should have this as a default option.
You do have to have an unencrypted boot partition, but the issues with this can at least in be mitigated with PCR registers, which I need to set up.
How hard is clevis to setup?
I’ve seen it referenced for encrypted servers, but I haven’t tried setting it up.
Unencrypted boot is unfortunate. What are PCR registers?
(Note: Anything I say could be B.S. I could be completely misunderstanding this.)
Clevis isn’t too difficult to set up - Arch Wiki documents the process really well. I’ve found it works better with dracut that mkinitcpio.
As for PCR registers (which I haven’t set up yet but should), what I can tell, it sets the hash of the boot partition and UEFI settings in the TPM PCR register so it can check for tampering on the unencrypted boot partition and refuse to give the decryption keys if it does. That way, someone can’t doctor your boot partition and say, put the keys on a flash drive - I think they’d have to totally lobotomize your machine’s hardware to do it, which only someone who has both stolen your device and has the means/budget to do that would do.
You do need to make sure these registers are updated every kernel update, or else you’ll have to manually enter the LUKS password the next boot and update it then. I’m wondering if there’s a hook I can set up where every time the boot partition is updated, it updates PCR registers.
I don’t for a pretty simple reason. I have a wife, if something ever happened to me then she could end up a creek without a paddle. So by not having it encrypted then, anyone kinda technical can just pull data off the drive.
If that’s the only reason, it’s not a great one. You could solve it by storing the password with your important documents.
I don’t think I encrypt my drives and the main reason is it’s usually not a one-click process. I’m also not sure of the benefits from a personal perspective. If the government gets my drives I assume they’ll crack it in no time. If a hacker gets into my PC or a virus I’m assuming it will run while the drive is in an unencrypted state anyway. So I’m assuming it really only protects me from an unsophisticated attacker stealing my drive or machine.
Please educate me if I got this wrong.
Edit: Thanks for the counter points. I’ll look into activating encryption on my machines if they don’t already have it.
A big benefit of encryption is that if your stuff is stolen, it adds a lot of time for you to change passwords and invalidate any signed in accounts, email credentials, login sessions, etc.
This is true even if a sophisticated person steals the computer. If you leave it wide open then they can go right in and copy your cookies, logins, and passwords way faster. But if it’s encrypted, they need to plug your drive into their system and try to crack your stuff, which takes decent time to set up. And the cracking itself, even if it takes only hours, would be even more time you can use to secure your online accounts.
On Linux, my installs always had a checkbox plus a password form for the encryption.
I think this is true for computers that are in danger of being stolen. Laptops or PCs in dorms or other shared living spaces. But I live in a relatively secure area, burglaries are very rare and my PC never leaves the building. So the benefits of encryption are pretty much negligible.
What are the downsides to encryption? Though you may have negligible benefits, if there are also negligible downsides then the more secure option should be chosen.
- The LUKS encryption can get corrupted
- The password may be forgotten
- harddrives can be corrupted, too. That’s where backups come in
- True, though one could use a security key or password manager to overcome that, or setup secure boot/TPM to where a password isn’t actually needed. If all else fails, again, backups.
So when the laptop dies, the disk cannot be read anywhere because the tpm is lost?
Correct, the hard disk in the laptop can not be read. This is where having a good backup strategy is important. Similar to how if your hard disk dies you’re no longer able to access the material on the hard disk. For me, the downsides of encryption do not outweigh the benefits of having my data secure.
I enabled full disk encryption during OS installation, set up a secure passphrase, and then set up automated encrypted backups to my home server, which are automatically backed up to a remote server.
I gain peace of mind in knowing that if my laptop is stolen I’m only out the cost of the laptop, the data within is still safe and secure.
is it’s usually not a one-click process
It is, these days. Ubuntu and Fedora, for example. But you still have to select it or it won’t happen. PopOS, being explicitly designed for laptops, has it by default.
If the government gets my drives I assume they’ll crack it in no time.
Depends on your passphrase. If you follow best practice and go with, say, a 25-character passphrase made up of obscure dictionary words, then no, even a state will not be cracking it quickly at all.
If a hacker gets into my PC or a virus I’m assuming it will run while the drive is in an unencrypted state anyway.
Exactly. This is the weak link of disk encryption. You usually need to turn off the machine, i.e. lose the key from memory, in order to get the full benefits. A couple of consolations: (1) In an emergency, you at least have the option of locking it down; just turn it off - even a hard shutdown will do. (2) As you say, only a sophisticated attacker, like the police, will have the skills to break open your screenlocked machine while avoiding any shutdown or reboot.
Another, less obvious, reason for encrypting: it means you can sell the drive, or laptop, without having to wipe it. Encrypted data is inaccessible, by definition.
Encryption of personal data should be the default everywhere. Period.
Well said. LUKS implements AES-256, which is also entrusted by the U.S. government and various other governments to protect data from state and non-state adversaries.
yes. if you live in a country without democracy. it is the only way to protect yourself and your data from nsa agent kicking your door.
I used to, but not anymore, except for my laptop I plan on taking with me travelling. My work laptop and personal laptop are both encrypted.
I figure my home is safe enough, and I only really need encryption if I’m going to be travelling.
One of my friends locked himself out of his PC and all his data because he forgot his master password, and I don’t want to do that myself lol
I don’t encrypt my entire drive, but I do have encrypted directories for my sensitive data. If I did encrypt an entire drive, it would only be the drive containing my data not the system drive.
but I do have encrypted directories for my sensitive data
What do you use for encrypted directories? Ecryptfs?
I use Linux and it’s built in to my desktop environment. I just create a new vault.
i’d really like to. but there is ONE big problem:
Keyboard layouts.
seriously
I hate having to deal with that. when I set up my laptop with ubuntu, I tried at least 3 thymes to make it work, but no matter what I tried I was just locked out of my brand-new system. it cant just be y and z being flipped, I tried that, maybe it was the french keyboard layout (which is absolutely fucked) or something else, but it just wouldnt work.
On my mint PC I have a similar problem with the default layout having weird extra keys and I just sort of work around that, because fuck dealing with terminals again. (when logged in it works, because I can manually change it to the right one.)
Now I do have about a TerraByte of storage encrypted, just for the… more sensitive stuff…
While dealing with the problems I stumbled across a story of a user who had to recover their data using muscle-memory, a broken keyboard, the same model of keyboard and probably a lot of patience. good luck to that guy.
Have you tried peppermint or maybe coriander?
Jokes aside, I believe the password entry stage is before any sort of localization happens, meaning what your keyboard looks like doesn’t matter and the input language defaults to English. You have to type as if you’re using an English keyboard. That’s hardly a good solution if you’re unfamiliar with that layout of course.
Initrd has support to configure the keyboard layout used. Consult your initrd generator’s documentation for this
I used to, but it’s proven to be a pain more often than a blessing. I’m also of the opinion that if a bad actor capable of navigating the linux file system and getting my information from it has physical access to my disk, it’s game over anyway.
I’m also of the opinion that if a bad actor capable of navigating the linux file system and getting my information from it has physical access to my disk, it’s game over anyway.
I am sorry but that is BS. Encryption is not easy to break like in some Movies.
If you are referring to that a bad actor breaks in and modifies your hardware with for example a keylogger/sniffer or something then that is something disk encryption does not really defend against.
That’s more what I mean. They won’t break the encryption, but at that point with physical access to my home/ computer/ servers, I have bigger problems.
There’s very little stored locally that could be worse than a situation where someone has physical access to my machine.
No. I break my system occasionally and then it’s a hassle.
This is one of those moments where “skill issue” fully applies 😁
Keep learning, friend, I’ve been there and Linux is a journey
I encrypt everything that leaves my house since it could be easily lost or stolen, but it is rather inconvenient.
If someone breaks into my house, I’ve got bigger problems than someone getting their hands on my media collection. I think it would be more likely for me to mess something up and loose access to my data than for someone to steal it.
I started encrypting once I moved to having a decent number of solid state drives as the tech can theoretically leave blocks unerased once they go bad. Before that my primary risk factor was at end of life recycling which I usually did early so I wasn’t overly concerned about tax documents/passwords etc being left as I’d use dd to write over the platters prior to recycling.
You got me curious. Passwords yeah, but tax documents? Why?
This was a few drives ago but there was a point in time when most places were giving me digital copies of tax documents which I could upload to tax prep software but things like TurboTax didn’t have an auto import. So you’d need to download them then re-upload them to the correct service. Now they do it automatically so the only thing that would match that now now is receipts for expenses/donations and what not that I need to keep track of for manual entry.
Yes absolutely, it is the building block of my security posture. I encrypt because I don’t want thieves to have access to my personal data, nor do I want law enforcement or the state to have access if they were to raid my house. I’m politically active and a dissident so I find it vital to keep my data secure and private, but frankly everybody should be doing it for their own protection and peace of mind
