Do you encrypt your drives and why or why not?
Do you encrypt your drives and why or why not?
I was recently intrigued to learn that only half of the respondents to a survey said that they used disk encryption. Android, iOS, macOS, and Windows have been increasingly using encryption by default. On the other hand, while most Linux installers I've encountered include the option to encrypt, it is not selected by default.
Whether it's a test bench, beater laptop, NAS, or daily driver, I encrypt for peace of mind. Whatever I end up doing on my machines, I can be pretty confident my data won't end up in the wrong hands if the drive is stolen or lost and can be erased by simply overwriting the LUKS header. Recovering from an unbootable state or copying files out from an encrypted boot drive only takes a couple more commands compared to an unencrypted setup.
But that's just me and I'm curious to hear what other reasons to encrypt or not to encrypt are out there.
I don't https://xkcd.com/538/
I'm convinced the chances of me losing access to the data are higher than encryption protecting it from a bad actor.
Let's be real, full disk encryption won't protect a running system and if someone has physical access and really wants it, encryption won't protect you from the $5 wrench either.
I do encrypt my phone data though, as someone running away with my phone is more realistic.
I'm not worried about getting raided by the KGB or anything like that, but break-ins happen and my computer equipment would be a prime target for theft.
I occasionally cycle my backup drives off-site, so I want those encrypted as well.
The cost of encryption is very close to zero, so I don't even entertain the question of whether I should encrypt or not. I just encrypt by default.
Possibly overestimating the value of the data entrusted to me, but whenever I see that xkcd, I like to think that I at least have the option to remain silent and die with dignity if I really don't want the contents of my disk out there.
Nothing I have is worth dying over. I'd give up on the first threat.
Drives in server are not encrypted but backups to the cloud are. Laptop used to but causes to many issues and it doesn't really leave the house much.
It should be encrypted by default because most people don’t take care to dispose of their machines responsibly. I picked up a few machines destined for ewaste and the hard drives were full of tax returns.
Lol police doesnt just use a hammer
I encrypt everything that leaves my house since it could be easily lost or stolen, but it is rather inconvenient.
If someone breaks into my house, I've got bigger problems than someone getting their hands on my media collection. I think it would be more likely for me to mess something up and loose access to my data than for someone to steal it.
laptop yeah
desktop nah
Same here. My desktop is in a controlled environment, so I don't see a need. Plus, if I do have some sort of issue, I will still be able to access those files.
Since I actually take my laptop places, I have that encrypted for sure.
Yeah me too. It goes back to your threat level. How likely is it that someone is going to break into my home to steal my desktop all James Bond-like? The answer is, “not very.” Anything mobile has a significantly higher probability of falling into the wrong hands. These things are encrypted. Even the very old laptop that never leaves my house is encrypted because it could.
I encrypt all my drives. Me and the people I know get occasionally raided by the police. Plus I guess also provides protection for nosy civilians who get their hands on my devices. Unlike most security measures, there is hardly any downside to encrypting your drives—a minor performance hit, not noticeable on modern hardware, and having to type in a password upon boot, which you normally have to do anyway.
Where do you live that you’re getting raided by the police? This sounds like one of those situations where they might use the wrench technique.
I don't think I encrypt my drives and the main reason is it's usually not a one-click process. I'm also not sure of the benefits from a personal perspective. If the government gets my drives I assume they'll crack it in no time. If a hacker gets into my PC or a virus I'm assuming it will run while the drive is in an unencrypted state anyway. So I'm assuming it really only protects me from an unsophisticated attacker stealing my drive or machine.
Please educate me if I got this wrong.
Edit: Thanks for the counter points. I'll look into activating encryption on my machines if they don't already have it.
is it’s usually not a one-click process
It is, these days. Ubuntu and Fedora, for example. But you still have to select it or it won't happen. PopOS, being explicitly designed for laptops, has it by default.
If the government gets my drives I assume they’ll crack it in no time.
Depends on your passphrase. If you follow best practice and go with, say, a 25-character passphrase made up of obscure dictionary words, then no, even a state will not be cracking it quickly at all.
If a hacker gets into my PC or a virus I’m assuming it will run while the drive is in an unencrypted state anyway.
Exactly. This is the weak link of disk encryption. You usually need to turn off the machine, i.e. lose the key from memory, in order to get the full benefits. A couple of consolations: (1) In an emergency, you at least have the option of locking it down; just turn it off - even a hard shutdown will do. (2) As you say, only a sophisticated attacker, like the police, will have the skills to break open your screenlocked machine while avoiding any shutdown or reboot.
Another, less obvious, reason for encrypting: it means you can sell the drive, or laptop, without having to wipe it. Encrypted data is inaccessible, by definition.
Encryption of personal data should be the default everywhere. Period.
Well said. LUKS implements AES-256, which is also entrusted by the U.S. government and various other governments to protect data from state and non-state adversaries.
A big benefit of encryption is that if your stuff is stolen, it adds a lot of time for you to change passwords and invalidate any signed in accounts, email credentials, login sessions, etc.
This is true even if a sophisticated person steals the computer. If you leave it wide open then they can go right in and copy your cookies, logins, and passwords way faster. But if it's encrypted, they need to plug your drive into their system and try to crack your stuff, which takes decent time to set up. And the cracking itself, even if it takes only hours, would be even more time you can use to secure your online accounts.
On Linux, my installs always had a checkbox plus a password form for the encryption.
It is a one click process if you use user friendly distros
GNOME disks is a nice GUI that lets you setup disks with ease. Encryption can be easily setup with it.
No. I break my system occasionally and then it's a hassle.
This is one of those moments where “skill issue” fully applies 😁
Keep learning, friend, I've been there and Linux is a journey
No.
I spend a significant amount of time on other things, e.g. NOT using BigTech, no Facebook, Insta, Google, etc where I would "volunteer" private information for a discount. I do lock the physical door of my house (most of the time, not always) and have a password ... but if somebody is eager and skilled enough to break in my home to get my disks, honestly they "deserve" the content.
It's a bit like if somebody where to break in and stole my stuff at home, my gadgets or jewelry. Of course I do not welcome it, nor help with it hence the lock on the front door or closed windows, but at some point I also don't have cameras, alarms, etc. Honestly I don't think I have enough stuff worth risking breaking in for, both physical and digital. The "stuff" I mostly cherish is relationship with people, skills I learned, arguably stuff I built through those skills ... but even that can be built again. So in truth I don't care much.
I'd argue security is always a compromise, a trade of between convenience and access. Once you have few things in place, e.g. password, 2nd step auth, physical token e.g. YubiKeyBio, the rest becomes marginally "safer" for significant more hassle.
but if somebody is eager and skilled enough to break in my home to get my disks, honestly they “deserve” the content.
The problem with "my disks" is there's always some other's people on it, in one way or another.
But of course, it's your call. We all have gaps in our "walls" and it's not like I'd be pretending that LUKS is all that matters.
My laptops are encrypted in case they get stolen or someone gets access to them at uni.
I don’t really see the point. If someone’s trying to access my data it’s most likely to be from kind of remote exploit so encryption won’t help me. If someone’s breaks into my house and steals my computer I doubt they’ll be clever enough to do anything with it. I guess there’s the chance that they might sell it online and it gets grabbed by someone who might do something, but most of my important stuff is protected with two factor authentication. It’s getting pretty far fetched that someone might be able to crack all my passwords and access things that way.
It’s far more likely that it’s me trying to recover data and I’ve forgotten my password for the drive.
i'd really like to. but there is ONE big problem:
Keyboard layouts.
seriously
I hate having to deal with that. when I set up my laptop with ubuntu, I tried at least 3 thymes to make it work, but no matter what I tried I was just locked out of my brand-new system. it cant just be y and z being flipped, I tried that, maybe it was the french keyboard layout (which is absolutely fucked) or something else, but it just wouldnt work.
On my mint PC I have a similar problem with the default layout having weird extra keys and I just sort of work around that, because fuck dealing with terminals again. (when logged in it works, because I can manually change it to the right one.)
Now I do have about a TerraByte of storage encrypted, just for the... more sensitive stuff...
While dealing with the problems I stumbled across a story of a user who had to recover their data using muscle-memory, a broken keyboard, the same model of keyboard and probably a lot of patience. good luck to that guy.
Have you tried peppermint or maybe coriander?
Jokes aside, I believe the password entry stage is before any sort of localization happens, meaning what your keyboard looks like doesn't matter and the input language defaults to English. You have to type as if you're using an English keyboard. That's hardly a good solution if you're unfamiliar with that layout of course.
Initrd has support to configure the keyboard layout used. Consult your initrd generator's documentation for this
I started encrypting once I moved to having a decent number of solid state drives as the tech can theoretically leave blocks unerased once they go bad. Before that my primary risk factor was at end of life recycling which I usually did early so I wasn’t overly concerned about tax documents/passwords etc being left as I’d use dd to write over the platters prior to recycling.
This is the primary reason for me as well. Drive disposal. Also since we only get electronic statements, want to encrypt those.
You got me curious. Passwords yeah, but tax documents? Why?
This was a few drives ago but there was a point in time when most places were giving me digital copies of tax documents which I could upload to tax prep software but things like TurboTax didn’t have an auto import. So you’d need to download them then re-upload them to the correct service. Now they do it automatically so the only thing that would match that now now is receipts for expenses/donations and what not that I need to keep track of for manual entry.
I used to, but it's proven to be a pain more often than a blessing. I'm also of the opinion that if a bad actor capable of navigating the linux file system and getting my information from it has physical access to my disk, it's game over anyway.
I'm also of the opinion that if a bad actor capable of navigating the linux file system and getting my information from it has physical access to my disk, it's game over anyway.
I am sorry but that is BS. Encryption is not easy to break like in some Movies.
If you are referring to that a bad actor breaks in and modifies your hardware with for example a keylogger/sniffer or something then that is something disk encryption does not really defend against.
That's more what I mean. They won't break the encryption, but at that point with physical access to my home/ computer/ servers, I have bigger problems.
There's very little stored locally that could be worse than a situation where someone has physical access to my machine.
I wanted to but everyone on Lemmy told me I was an idiot for wanting a feature Mac and Windows have had for a decade (decrypt on login) .
But seriously it's just not there on Linux yet. Either you encrypt and have two passwords, or give up convenience features like biometrics. Anything sensitive lives somewhere else.
You're an idiot, go back to macOS you fucking normie
(/s, I'm also waiting for TPM encryption + user home encryption)
Clevis pretty much does TPM encryption and is in most distros' repos. I use it on my Thinkpad. It would be nice if it had a GUI to set it up; more distros should have this as a default option.
You do have to have an unencrypted boot partition, but the issues with this can at least in be mitigated with PCR registers, which I need to set up.
I don't wanna risk losing anything on the drive thats important .
May i suggest a technique for remembering the password?
write it down
but instead of writing down the password, write down questions that only you can reasonably answer. For example:
- what was the name of the first girl i kissed?
- where did i go to on summer camp?
- which special event happened there?
and the answer would be: "mary beach rodeo" or idk what. this way, you construct a password out of multiple words that each are an answer to a simple question.
Maybe I might try this, and am open to advice :)
mary beach rodeo
thank you for sharing your password 😜
That is a good reason to backup, but has nothing to do with encryption.
That is a good reason to backup
This is true.
but has nothing to do with encryption.
I disagree with this. If you forget the password for decrypting your drive, then you will have lost "anything on the drive that's important". I know because it happened to me long ago, and so now I too have been wary of disk encryption ever since then.
I used to, but not anymore, except for my laptop I plan on taking with me travelling. My work laptop and personal laptop are both encrypted.
I figure my home is safe enough, and I only really need encryption if I'm going to be travelling.
One of my friends locked himself out of his PC and all his data because he forgot his master password, and I don't want to do that myself lol
Exactly the same rationale as mine.
Honestly... Why bother? If someone gains remote access to my system, an encrypted disk won't help. It's just a physical access preventer afaik, and I think the risk of that being necessary is very low. Encrypted my work computer because we had to and that environment also made it make more sense, I technically had sensitive customer info on it, though I worked at Oracle so of course they had to make it as convoluted and shitty as possible.
You're somewhat right in the sense that the point of disk encryption is not to protect from remote attackers. However, physical access is a bigger problem in some cases (mostly laptops). I don't do it on my desktop because I neither want to reinstall nor do I think someone who randomly breaks in is going to put in the effort to lug it away to their vehicle.
Certainly didn't mean to say it's never useful, just not useful for me
Can you explain why if someone get access to your encrypted disk, they would have access to its contents?
If someone can execute arbitrary code on my computer, it doesn't matter that the disk is encrypted, because I've already booted the machine up and entered the key. I'm certainly not the most cryptographically knowledge but using LUKS on Oracle Linux, I'd enter the key once while starting up, past that point there was no difference between an encrypted and unencrypted system. It seems logical to me, then, that if something can execute arbitrary code, it's after that point, so encryption won't matter to it. Encryption is more of a solution to someone physically obtaining your hard drive and preventing them from having access to the contents simply by plugging it into their system.
Or at least that's my understanding, please correct me if I'm mistaken.
My Laptop and Phone have encrypted drives, my Desktop doesn't.
Its that simple.
I can expand my own creativity and store every thought and creative Art, without anybody being able to find out after my death or while someone raids me.
Maybe I stored an opinion against some president, and maybe the government changed its working, which allows police to raid someone for little suspection.
You never know if you ever have something to hide. While things are okay now and today, it might be highly illegal tomorrow.
Those are ideas. But generally its only about the feeling of privacy.
Most mobile/laptop devices should be encrypted by default. They are too prone to loss or theft. Even that isn't sufficient with border crossings where you are probably better off wiping them or leaving them behind.
My desktop has no valuable data like crypto, sits in a locked and occupied house in a small rural community with relatively low crime (public healthcare, social security, aging population). I have no personal experience of property theft in over half a decade.
I encrypt secrets with a hardware key. They are only accessed as needed. This is a much more appropriate solution than whole disk encryptiom for my circumstances. Encrypting Linux packages and steam libraries doesn't offer any practical benefit and unlocking my filesystem at login would not protect from network exfiltration which is a more realistic risk. It adds overhead.and another point of failure for no real benefit.
Almost everything that can be is: laptops, desktop, servers (LUKS), phone (grapheneos)
I don't for a pretty simple reason. I have a wife, if something ever happened to me then she could end up a creek without a paddle. So by not having it encrypted then, anyone kinda technical can just pull data off the drive.
Give her and your personal representatives the keys or access to the keys. Problem solved.
Same problem as you passwords and password manager.
BioMyth
I understand that giving the keys can partially solve the access problem. But she would still possibly be unable to use the device. Additionally, I don't know that she would be capable of using the keys without additional assistance and we don't have other techies in our community who could step up in that capacity.
If that's the only reason, it's not a great one. You could solve it by storing the password with your important documents.
It is the largest reason. Storing the password is one thing but to make the device reasonable to use I would likely store the key's in TPM with a backup key. I don't think she would be technical enough to use the backup keys were something additional to happen.
It's one of those things where it depends on the computer. My old box that's running win 7 has nothing but music and backed up media files on it, isn't connected to the internet at all, and there's really no point to it being encrypted.
My laptop leaves the house, and is connected, so it gets the treatment. My general purpose PC is, though that was more just because of a random choice rather than a carefully chosen decision. I figured I'd try it for a few weeks, then nuke it if it was a problem. It hasn't been, and I haven't needed to do anything to it that would require a change.
The other people in the house have chosen not to.
I'm not certain I would encrypt my main desktop again, just because it's one more thing to do, and I'm getting lazy lol. I don't have any sensitive files at all, and if things in the world get so bad that some agency is after me, I'm going to be hiding out up in this holler I know, not worrying about leaving a computer behind. Won't be power anyway, and the only shit they'd find is some pirated files.
I'd be more worried about my phone and my main tablet than any of the PCs, and those would either go with me, or get melted down before I left. Thermite is cheap and easy.
Full disk encryption on everything. My Servers, PCs etc. Gives me peace of mind that my data is safe even when the device is no longer in my control.
I use encryption on laptops, because they can be stolen in the train, bus, etc. On work desktop, I do so as well, because there are many people around. However, on everything that stay at home, I prefer not to use it to simplifiy things and get more performance.
My drives are not encrypted because it's a hassle if things start going wrong. My NAS is software raid so the individual disks mean nothing anyway. The only drive that is encrypted is my backup disk and I'm not really sure if it was needed.
I encrypt all my filesystems, boot partitions excluded. I started with my work laptop. It made the most sense because there is a real possibility that it gets lost or stolen at some point. But once I learned how simple encryption is, I just started doing it everywhere. It's probably not gonna come into play ever for my desktop, but it also doesn't really cost me anything to be extra safe.
No, I don't encrypt. I am a grown ass man and I rarely take my laptop out of my home. I don't have any sensitive data on my various machines. I do use secure and encrypted cloud services to store things that I consider a security risk. Everything else is useless to a potential intruder.
I have stopped encrypting my drives, because if anything goes wrong and the system won't boot it makes recovery more difficult. It's a dual boot machine with Windows 11, and I had a lot of awkwardness with Bitlocker that led to me deciding to abandon encryption in both OSs. I save sensitive files to encrypted volumes in VeraCrypt.
Depends on the use case. Definitely for my laptop though. In fact the decryption keys only exist in two places:
- Inside my TPM
- In a safe deposit box at a bank.
Had nosey cops trying to get into my phones illegally recently.. do not understand people that dont encrypt shit
Yeah, on my laptop - because I travel with it and confidential data (like from my customers) could land in hands its not supposed to
No, in case of my desktop, because it's easier to access it in case of failure
My thinking is similar. I've seen this news story more than once:
laptop stolen containing customer data... hard drive was not encrypted
I don't generally have customer data, but it can happen every once in a while.
I encrypted my professional laptop's drive in order to prevent access to company data and code in case of theft. And I'll probably encrypt my personal laptop as well because the SSH key can access company code.
As for the desktop, I didn't and probably never will, because theft is less likely and that would be a pain to handle for nightly backups (it is turned on with Wake-on-LAN and then a cron backs up my home directory to my NAS).
Finally, I won't encrypt my NAS as well for the same reason: it would quickly become a hassle as I would have to manually decrypt the drives every time it boots after a power outage.
I do on all my devices that can as a matter of practice, not for any real threat. I'm interested to learn about how to set it up and use it on a daily basis including how to do system recoveries. I guess it's largely academic.
Once I switched to linux as my daily driver, I didn't have a need to do piracy anymore since all the software I need is FOSS.
I do encrypt my drives, and it’s not as transparent in Linux as it is in the others. I’m sure I could get a TPM setup for seamless boots, but I haven’t done that yet.
For mobile drivers, I still encrypt, but that locks them to one OS since LUKS isn’t cross platform. There is VeraCrypt for cross-platform encryption, but that’s one more thing to manage and install.
Yes, and for the life of me I don't understand why there isn't a default LUKS with hibernate partition in the Debian installer.
I would strongly encourage people to encrypt their on site data storage drives even if they never leave the house and theft isn’t a realistic thing that can happen.
The issue is hard drive malfunction. If a drive has sensitive data on it and malfunctions. It becomes very hard to destroy that data.
If that malfunctioning hard drive was encrypted you can simply toss it into an e-waste bin worry free. If that malfunctioning drive was not encrypted you need to break out some heavy tools tool ensure that data is destroyed.
1 torx screwdriver 1 hammer
not the hardest thing to scratch up the platters and then fold them into abstract art
I don't bother to take out the screws. I just drill handful of holes trough the whole thing. Or if you're really paranoid a MAP torch is enough to melt the whole thing (don't breath the smoke).
True. This does work. But it is less secure and much harder than just tossing an encrypted HDD into an e-waste bin. It probably is more fun though. 🤔
Great point.
I provided reasons why I encrypted my drives but this one is even better.
(Another one could be if you need to get your computer to a repair shop, and for some reason you can't just remove the drive.)
Another one is that if you delete a file on an encrypted drive it can’t be undeleted later on. Lots of benefits.
If your drive starts malfunctioning, then without encryption you might be able to read some sectors and recover a few things. With encryption you are SOL.
This is why backups are important. But even if the drive is encrypted recovering data is exactly as easy as recovery from a non encrypted drive.
- Do a ddrescue of the drive.
- Re apply the luks header.
- decrypt all non corrupt sectors
- Use appropriate tools to recover files.
Like you lose the same sectors if those sectors are encrypted or not.
I just encrypt devices that leave the house. I do have access to a hard drive crusher if I lose a drive (recently crushed a tablet that wouldn't power on)
Fair. If you have access to a crusher then maybe I can see not encrypting. But even then with non encrypted drives files can be recovered even after deleting etc.
If that malfunctioning drive was not encrypted you need to break out some heavy tools tool ensure that data is destroyed.
If by heavy tools, you mean a screwdriver and an angle grinder, then yeah, but it's not that hard in reality.
I mean if you have an angle grinder and a space to safely use it sure. But it’s still harder than just dropping the HDD off at an e-waste bin.
I used to, but then I nuked my install accidentally and I couldn't recover the encrypted data. I nuke my installs fairly regularly. I just did again this past week while trying to resize my / and my /home partitions. I've resigned myself to only encrypting specific files and directories on demand.
My phone is fully encrypted though.
Your recovery problem was a backup issue not an encryption issue. Consider addressing the backup issue.
I have and I've concluded that I'm not made of money and therefore can't afford to have multiple terabyte drives just lying around with redundant data just in case.
If I could afford it, then I wouldn't have been resizing my '/' partition to free up 80GB of space.
Asahi Linux doesn't support encryption and getting it to work requires a lot of steps and that I reinstall it which I don't have time for, so I don't have it enabled on my laptop, and if it gets stolen or confiscated I'm fucked.
I have it enabled on my server and phone.
@sudoer777 @monovergent , create an encrypted container? It's a little tedious, but fairly distro agnostic.
Edit: Definitely throw together scripts to simplify the process of unlocking and mounting.
Yes. I encrypt because theft. I know PopOS and Mint make it 1-click ez. ...unless of course you want home and root on a separate drives. That scales difficulty real fast. There's plenty of tutorials, and I managed, but I had to patch together different ones to get a basic setup-- Never mind understanding exactly what I did and repeating it (the latest challenge I've been dragging my feet on). I do hope this is an area that sees more development in the near future.
That does make encryption was less appealing to me. On one of my machines / and /home are on different drives and parts of ~ are on yet another one.
I consider the ability to mount file systems in random folders or to replace directories with symlinks at will to be absolutely core features of unixoid systems. If the current encryption toolset can't easily facilitate that then it's not quite RTM for my use case.
Doesn't Pop have that by default? I think others have too.
Anyway, yes for basically everything. Except my servers main partition, because otherwise recovering from crashes would be horribly annoying or unsafe if I'd use cryptssh. And if the dns+dhcp/gateway/VPN server crashes I'd definitely need 22 open.
I don't encrypt my entire drive, but I do have encrypted directories for my sensitive data. If I did encrypt an entire drive, it would only be the drive containing my data not the system drive.
I don't encrypt because it's too much effort to learn about it.
Id rather keep my filesystem unencrypted so that I can easily recover from problems and encrypt important files as needed, but let's be real I don't do that either.
I encrypt my laptop and desktops and I think it’s worth it. I regret encrypting my servers because they need passwords to turn on.
yes. if you live in a country without democracy. it is the only way to protect yourself and your data from nsa agent kicking your door.
Every endpoint device I use is using full disk encryption, yes.
Yep. Everything except my server, which needs to be able to boot without my help. Because why not? I rarely ever reboot anything, so it doesn’t really hurt, and if anyone steals my shit they won’t get my wife’s noods.
I encrypt my laptop and desktops and I think it’s worth it. I regret encrypting my servers because they need passwords to turn on. I couldn’t figure out how to handle it when away.
Do your servers have TPM? Clevis might be the way to go; I use it on my Thinkpad and it makes my life easy. If the servers don’t have TPM, Clevis also supports this weird thing called Tang, which from what I can tell basically assures that the servers can only be automatically decrypted on your local network. If Clevis fails, you can have it fall back to letting you enter the LVM password.
I have not tried any of those three things: TPM, Clevis, or Tang. Thanks for recommending.
I tried to setup a keyfile on /, /boot, and /root.
I tried a keyfile on a usb
I also tried to use dropbear to allow ssh unlock.
Sadly these didn’t work and drove me crazy for two nights.
With initramfs and dropbear you can make the password prompt accessible over ssh, so you can enter the password from anywhere.
Edit: For debian it is something like
- install dropbear
- configure dropbear for initramfs
- generate key pair
- generate initramfs
- You are done.
I encrypt my home folder and Windows install just in case someone breaks into my house and steals my computer. Super annoying entering my password each boot though.
Absolutely. LUKS full disk encryption. Comes as an opt-in checkbox on Ubuntu, for example.
And I too cannot understand why this is not opt-out rather than opt-in. Apparently we've decided that only normies on corporate spyware OSs need security, and we don't.
There is a major downside to encryption: If you forget your password or your tpm fails and you've not backed things up, then that data is gone forever. If someone doesn't have anything incriminating or useful to theives on their device, the easier reparability might justify not enabling it.
I don't, I didn't do it back then and I ended up using this system for much longer than I thought I would(4+ years). I want to do it next time but I don't feel like reinstalling just for that.
Yes because it is one click
If I delete my drive, it is rubbish
It doesnt impact my performance much
Mostly I don't, but I want to start to. I only have one laptop encrypted and of course I keep my phones encrypted.
Yes because my distro also have encrypted /boot included
I don't do it for my desktop because 1) I highly doubt my desktop would get stolen. 2) I installed Linux before I was aware of encryption, and don't have any desire to do a reinstall on my desktop at this time.
For my laptop, yes, I do (with exception of the boot partition), since it would be trivial to steal and this is a more recent install. I use clevis to auto-unlock the drive by getting keys from the TPM. I need to better protect myself against evil maids, though - luckily according to the Arch Wiki Clevis supports PCR registers.
I encrypt my desktop and laptop but not my servers. On desktop, that excludes drives that aren't my OS/boot drive.
Yes absolutely, it is the building block of my security posture. I encrypt because I don’t want thieves to have access to my personal data, nor do I want law enforcement or the state to have access if they were to raid my house. I’m politically active and a dissident so I find it vital to keep my data secure and private, but frankly everybody should be doing it for their own protection and peace of mind
Of course, I'm paranoid and don't trust the US government. Or any government really. "First they came for _____" and all that; Id rather just tell them to pound sand immediately instead of get caught with my pants down.
For my laptop, yeah. I rarely actually use it though. For my desktop not so much. I really don't keep that much personal information on it to begin with, and if someone breaks into my house they could probably get more by stealing the desk my computer is sitting on then by stealing the computer. It just feels like a silly thing to waste my time with.
Yes. I have sensitive info in my PC (work credentials) and in the case of a break-in, last thing I want is to jeopardize my job.
My issue is that I can never remember "a couple more commands" for the life of me. And I use Arch BTW, so the likelihood of me needing those is a bit higher than usual.
I encrypt everything, with unique complex passwords, that I have a safe mnemonic system for remembering and retrieving.
I don't but admittedly I don't do much stuff on my laptop that's super secure. it's mainly for gaming and the odd programming project.
Only encrypt the home partition, for the root partition it just unnecessarily slows down the system.
Also, I think, there could be different approaches instead of encryption. AFAIK, android doesn't use encryption underneath, but uses a semi-closed bootloader (which means, if you install a different OS, all user data gets wiped). I'm currently investigating the feasibility of such an approach in the long term.
Android definitely has encrypion, but it is just the user data not the programs. It you ever run
mounton an android device you will see that it has lots of different partitions for that sort of stuffAndroid uses verified boot then encrypts the various profiles and the new private space seprately. This is how my GrapheneOS phone works.
Linux has a bunch of options. Ubuntu use to suggest per user encryption by ecryptfs but has since gone to partition based encryption via dm-crypt/LUKS. I still use either or both depending though ecryptfs seems depricated/discontinued and on the next upgrade I may discontinue.
Linux can support vaults too. Just locking certain folders. Encfs, and gocryptfs can do this for example. I use encfs though perhaps gocryptfs is a better choice these days. One can also use partition based solutions like dm-crypfs/LUKS or maybe even veracrypt too.
are you guys using the bios ssd encryption option or a software solution?
I’m using LVM. The BIOS solution would be a bad idea because it would be more difficult to access the drive on other systems if you had to; LVM allows you to enter your password on other systems to decrypt.
LUKS (I was assuming that's kind of implied, I don't think I ever thought of another way..)
Depends. On external drives yes. On internal boot drive no. I had performance issues and thermal issues with it so stopped on boot drives.
I do, laptops and workstations.
It's just too easy not to, and there's almost no downsides to it. (I only need to reboot, once a month or two.)
Well, unless you consider the possibility of forgetting the password a downside, so for that reason I keep the password in a password manager.
In case my laptop was stolen, there would quite a couple fewer things to worry about. Especially things like client's data which could be under NDA's, etc...
I have no significant private data on my disks. They can be wiped whether encrypted or not if they're stolen. And I like that in theory if my pc explodes I can recover the data with only the drive.
I encrypt my workstations and backups thereof on external devices. To protect against theft or a lazy state-level adversary
Yeah all my drives are encrypted with LUKS mostly because of home burglaries (bad area and whatnot). I still keep backups regardless on drives that are also encrypted
I made the mistake of not setting up encryption on my main 45TB zfs pool so I'm currently backing up everything on there to tape so I can recreate the pool (also need to change from mirrored to raidz) and then copying everything back to the drives. Although writing and reading each are around 6 days continuesly. Didn't want to bite the bullet and pay more then I absolutely had to and only got a LTO-4 drive and tapes.
All my important files are on a NAS, so if someone steals my laptop, there's nothing of value there without being able to log in and mount the remote file systems
Yes. Encrypting your entire hard drive has basically been a tickbox in the Fedora installer for a long time now. No reason why I wouldn't do it. It's, easy, doesn't give me any problems and improves my devices security with defence-in-depth. No brainer.
It’s a smidge more difficult on Debian if you want to use a non-ext4 filesystem - granted for most people, ext4’s probably still fine. I use it on my desktop, which doesn’t have encryption.
I always encrypt my computer SSD as well as my external backup drive. I just wish that when installing a Linux distro and when selecting encryption that it would work with multiple drives
I do not as I do not have any sensitive data and what data is sensitive are the digital documents which are securely encrypted by default via id card and its passwords.
If I start having something worth protecting I will turn on fedoras encryption. But until then anyone who manages to steal my 100 eur thinkpad and guess its password is welcome to try out linux and see if they like it I guess.
They don't need to guess the password. If you don't have full disk encryption I can just run another os in live mode and mount your drive and read everything. And even change the password to your fedora, by changing the hash in shadow file
oh no, if they changed the password and I got it back somehow, I could finally have an excuse to try out mint.
I was recently intrigued to learn that only half of the respondents to a survey said that they used NO disk encryption.
Is the other half alright?
Yes.
If my computers are stolen or lost with the luggage, or if I suddenly die (as one sometime does), I don't want whoever goes through my computers to get hold of my ex-girlfriends nudes, my credentials for online banking or my porn habits.
I was looking for people who are not using encrypted storage.
Because it requires generating, memorizing and entering a secure password. Because Linux typically doesn't support fingerprint readers or other biometrics.
You can just store the key in your TPM and then you don't have to memorize anything.
Is that near the TPS reports?
No. I prefer the quickest way to share my data between different computers and operating systems on my home network. I will also mention that my network is not accessible over the internet.
Speaking as someone who doesn't encrypt their desktop but is thinking about it:
you can't share (readable) data over one's home network if the sending PC is disk-encrypted?
For example, are you saying that if I send a video file from my PC, which is disk-encrypted, over LAN to my NAS, then the NAS would not be able to read said file?
Disk encryption does not impact file sharing over the network.
Sure if you sharing by a USB portable drive you have to unlock and lock it every time you use it. That is separate thing though.
The bigger issues of encryption are one should have a good backup and recovery plan both for media and for the keys. One has to consider legacy planning too. How do your personal representatives access.
