Do you use disk encryption? Why? Why not?
Posted by sir__hennihau@reddit | linux | View on Reddit | 372 comments
Context:
- I set up a new Raspberry Pi and while setting up, I stumbled upon the question of security on a shared device
- During research, I noticed that even when you set a password, your file repository can be read, including the stored keys of your browser
- To prevent that, you would need to encrypt your disk (that's different from just using a password for your user)
---
So, how do you do it? Do you encrypt your disk? Do you enter the password twice then on boot or did you configure auto login after decryption?
I might set up my Fedora + Rasp Pi new with it enabled, I assume it can be easily set up during installation?
How do you handle it?
SocialCoffeeDrinker@reddit
For home desktops/servers? Nope.
For my laptop that I travel with? Absolutely.
PingMyHeart@reddit
If your home ever got burglarized you'll wish you did.
jr735@reddit
Like u/SocialCoffeeDrinker I don't bother encrypting my home desktop. I can see the value to it, but if a thief gets at it, is he more likely to be interested in the computer or the data? Very sensitive stuff on there is already encrypted, individually. Non-sensitive stuff is not.
Far too many people shoot themselves in the foot with encryption. I'd prefer not to do that to myself, although I like to think I can handle encryption better than most.
devslashnope@reddit
Really? What percentage of people shoot themselves in the foot, as you say? I'd like to read the source that you're using. Thanks.
jr735@reddit
I have no idea what percentage. "Far too many" isn't scientific, and it's based upon support requests seen in the subs. If someone wishes to encrypt the entire drive or home on his desktop, he's free to do so. I outlined why I do not do that. I prefer to encrypt individual sensitive files. If someone wishes to steal my desktop and look at dry business inventory spreadsheets from five years ago, they can.
Clydosphere@reddit
I often say that I fully encrypt all of my drives because I'm too lazy to decide between important and unimportant data.
jr735@reddit
That's absolutely fine, too. There's nothing wrong with it if you're careful and knowledgeable about it, and especially have appropriate backups. Backups are always important. If your main drive is encrypted, they're even more important.
Clydosphere@reddit
Yeah, that's actually my mantra: backups, backups, backups. (And sometimes: no backup, no pity) For my personal purpose, that's a weekly incremental backup of all my machines via network to rotating external drives, at least one of them stored remotely. The 3-2-1 method.
jr735@reddit
Quite fair and reasonable. My backups aren't all that complicated, with rsync providing the incremental backups of the work I do, as needed. Sometimes, that's much more frequently than weekly, but sometimes less, too.
Clydosphere@reddit
Yes, everyone should use a backup method that fits their needs and their habits, so that they actually do it regularly.
That said, my method was only reasonably complicated to set up initially. Now, I only plug the oldest backup HDD in my USB hub and start the backup software (dirvish). It then pulls all new and changed files from all of my machines via rsync+ssh to that one (4 TB at the moment). When it's done, I put the drive into my bag for the next day to switch it with the now older remote drive. Rinse and repeat.
The backups are LUKS-encrypted, so for my mediocre security requirements, I can virtually store them anywhere, e.g. at work, with relatives, friends, neighbors etc.
Comfortable_Swim_380@reddit
IT guy here. I would say enough to where I get loads of calls and there's nothing I can do. And it's a regular thing.
wiesemensch@reddit
At work we are currently developing a custom data store for sensitive data. It uses end to end encrypting and we are not able to access anything. If I remember, I'll tell you how many calls I'll get from them asking for their data. I'm pretty sure it'll not be zero.
Clydosphere@reddit
Some webstore once told me after my registration, "please try to remember your password for our shop." They surely had their fair share of people who didn't.
gesis@reddit
Just go to cryptocurrency subs and search for "forgot wallet password."
Comfortable_Swim_380@reddit
Damn that sounds like a bad day
gesis@reddit
I'm with you guys.
Additionally, most of my personal files are stored on my NAS and accessed via NFS. Random crackhead burglars are not walking out with hundreds of pounds of disk shelves bolted into the rack in my utility room. And if they are, then I'm not worried about them rebuilding my ZFS pools.
jr735@reddit
As I mentioned elsewhere, we have enough people wanting to install Linux and unable to do it. A crackhead isn't wandering around with a Ventoy stick, waiting to plug my tower and monitor into some secluded outdoor power outlet to get my ISP admin password.
bigntallmike@reddit
No, but the guy he sells your computer to for drug money might.
jr735@reddit
Maybe, maybe not. There are hard drives that are useful to peruse. There are hard drives that aren't useful to peruse. A store's or business's drive might be more useful. Anyone getting mine would find the sensitive data already encrypted. If the thief's drug dealer wants my out of date business spreadsheets, my Linux documentation, car manuals on PDF, and my business envelopes, he can just ask.
FigurativeLynx@reddit
I agree that unless you're a high-profile person, a burglar probably wasn't targeting your data specifically, but they're still going to have it afterwards. Even if they don't look through it, any of their intermediate buyers/sellers might. The drives probably end up in the hands of other regular people, and they're definitely going to see the files.
As an example, there was a company in Canada called "NCIX" that went bankrupt ~15 years ago. All of their assets (including their servers and drives) were auctioned off to liquidate their remaining assets. None of them were encrypted, but they had thousands of employees' personal info, orders and personal information of all customers, support tickets, etc on them. A third party (we don't know who) bought everything and then resold the data to NCIX competitors and anyone else who was interested in that personal information.
The bank wasn't targeting the data and the auctioneer probably had no idea what it was, but it still ended up in the possession of hundreds or thousands of people looking for personal data. The purchaser probably knew what was on the servers/drives before buying them, but only based on public information that was available to everyone.
jr735@reddit
Realistically, I doubt it. If they don't have something they can sell, it's going to wind up in the garbage. Buying up NCIX servers is a lot different than a hobo trying to find a buyer for my 15 year old desktop. Even a potential buyer of my old garage may not be interested.
I bought a condemned government computer years ago that was decidedly not wiped. I really wasn't interested in the contents, and it had a very dilapidated Windows 3.11 install on it, of all things, and formatted the drive without digging deeper. There might have been data on there useful to others. I couldn't care less.
FigurativeLynx@reddit
Maybe I'm the weird one, but I always scan new HDDs to see if there's anything interesting on them. I wouldn't do that at work for ethical reasons, but I feel like hardware purchased in a personal capacity is fair game.
jr735@reddit
I can't condemn you for that, at all. In my scenario, it was a government computer, so it was more likely to have something sensitive on it, so I didn't peek. Then again, it might have been a simple workstation with nothing more than a bunch of envelope templates for their printer.
As far as it went for me, I booted into it to see what OS was there. It was 3.11, as I mentioned, and it was loading slow and glitchy as heck. I grabbed my FreeDOS floppies and wiped the system. That's the one I ended up dual booting with early Ubuntu.
I would agree it's fair game. It's just that a lot of people are technologically incompetent, including (especially?) in government.
huskypuppers@reddit
Really? Anecdotal, but I don't think I've read of any more encryption issues (inc. forgotten passwords) than I have random filesystem issues or drive failures.
Initial setup can be a bit trickier but once you get it, it's fairly seamless.
jr735@reddit
Maybe, maybe not. My point is generally this, and it aligns with much of what you say. The biggest threat to one's data is oneself and one's own hardware. If someone isn't backing up, that's going to be a problem. Encrypted data is important to back up, and the key is important to back up.
Something like photorec might work in certain situations where there are filesystem or hardware issues. It's going to do nothing if you lost your encryption key or password. I'm sure the same applies on Windows lately. A tech can get your data back for you, if it's not locked up in Bitlocker.
-Sa-Kage-@reddit
But you think the people stealing your laptop do it to gain access to your data?
jr735@reddit
Some might. Most, absolutely not. A laptop has a sensible use case for encryption, however.
xuedi@reddit
A friend had a breakin, they took the 400 euro flat tv, his 600 euro thinkpad E14, but left the desktop and a homeserver filled with 52x 20t disks, that rack had maybe a value of 10k ^_^
Buddy-Matt@reddit
As someone whose home did get burgled, I don't think it'll make much difference.
Thieves walked past 2 iPads and 3 laptops and instead took a bunch of my wife's cheap jewellery, a sleeping bag, and a pillow case to stuff it all in. Oh, and a money box.
Stunned why nearly 3 grand's worth of tech was ignored we asked the police, and apparently hardware like that getting nicked is incredibly rare, because it's so easy to remotely deactivate or complex to reset or just hard to shift that thieves are rarely interested in it.
archontwo@reddit
Fencing value is not the same as what tech companies charge you. Easier to move precious stones than it is an iPad.
UnassumingDrifter@reddit
Yep and with Apple FindMy integration your phone or ipad is absolutely worthless without your login info.
JockstrapCummies@reddit
That's why you want to encrypt your wife's jewellery, money box, and your wife.
SMH. When will people learn? Come on it's 2025. If you don't apply 256 rounds of shift row and mix column on your wife's jewellery, can you still call yourself a responsible husband?
gesis@reddit
I dunno about you guys, but I like to apply another round of shifting the wife's bits a few times a week.
lebean@reddit
People who are worried about "losing access to their data because they forgot the passphrase" are the same people who probably shouldn't be trusted to carry a housekey because they're too irresponsible for that.
You use one long, complex passphrase to encrypt every single drive you manage. You never change that passphrase, and you never, ever use it for anything else. You'll be entering that phrase multiple times per month after reboots for security patches. You'll never forget it, and anyway you have backups of it in your password vaults.
But what if Bitlocker craps out? Well, you have everything backed up elsewhere so no loss. Rebuild, restore.
Been encrypting drives for decades, never a single loss/lockout of any kind. LUKS, ZFS encryption, Bitlocker, Truecrypt, others probably forgotten right now. No issues, no loss, never the tiniest worry that a bad actor could access my data even if a laptop/desktop/server was stolen.
Very worth it.
Swizzel-Stixx@reddit
Burglerwhat now?
pancakeQueue@reddit
If my home was burglarized I'd rather have a good home/renter policy first.
chromatophoreskin@reddit
The two are not mutually exclusive.
Hopeful-Cry7569@reddit
Absolutely. Also have several encrypted backups in different locations.
rjzak@reddit
For home desktop/servers: yes, for when it's time to get rid of the system or drive (especially useful for non removable drives).
daemonpenguin@reddit
In that case you could just wipe the drive before disposing of it.
EtiamTinciduntNullam@reddit
Due to SSD wear-leveling you might never be sure if data is really wiped even if you overwrite whole drive. I believe there are also ways to recover overwritten data from HDD.
The only way to be sure that no data can be recovered from a drive is to never write unencrypted data to it in the first place.
SergiusTheBest@reddit
Modern SSDs have crypto erase functionality that destroys internal encryption keys and renders all data unusable without actually overwriting it.
bigntallmike@reddit
There's no guarantee this will happen to marked-bad sectors.
SergiusTheBest@reddit
It affects bad sectors also as all data was encrypted internally by SSD and the encryption key gets destroyed, so there is no way to decrypt the data.
bigntallmike@reddit
Not all drives implement instant secure erase like this, but if you make sure yours does, yes you would have this feature. Of course at that point the question is moot because yes you are encrypting your primary drive as per the question by the op.
SergiusTheBest@reddit
In case someone is interested to check their NVME SSD here is the command:
`sudo nvme id-ctrl /dev/nvme0 -H | grep -E 'Format |Crypto Erase|Sanitize'`
bigntallmike@reddit
... which for instance my Crucial P3 NVMe drive does not support. Is there a reason you included "Format"? I would've gone with just 'Crypto|Sanitize'
SergiusTheBest@reddit
Just to see which format options a drive supports.
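Added example, not part of the thread or any commenter's code: the same check done by decoding the raw `fna` and `sanicap` values that `nvme id-ctrl` prints, instead of grepping the `-H` text. The function names and both sample outputs are constructed for illustration; the bit positions are those of the NVMe Identify Controller data structure.

```shell
#!/bin/sh
# Added example. Decodes the erase-related capability fields from the text
# printed by `nvme id-ctrl <dev>` (plain or -H output), read on stdin.
# Bit meanings per the NVMe Identify Controller data structure:
#   fna     bit 2 : Format NVM supports cryptographic erase
#   sanicap bit 0 : Sanitize, Crypto Erase
#   sanicap bit 1 : Sanitize, Block Erase
#   sanicap bit 2 : Sanitize, Overwrite

# Print the value of field $2 from id-ctrl text $1 (first match only).
id_ctrl_field() {
    printf '%s\n' "$1" | awk -F: -v k="$2" '
        { name = $1; gsub(/[ \t]/, "", name) }
        name == k { v = $2; gsub(/[ \t]/, "", v); print v; exit }'
}

# Accept only "0" or 0x-prefixed hex, so nothing else reaches $(( )).
is_hex_value() {
    case $1 in
        0) return 0 ;;
        0x*) case ${1#0x} in ''|*[!0-9a-fA-F]*) return 1 ;; esac; return 0 ;;
        *) return 1 ;;
    esac
}

# Print yes/no for bit $2 of value $1.
bit_set() {
    if [ $(( ($1 >> $2) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# Read id-ctrl text on stdin and print one summary line.
# Returns 1 when the fields are missing, so "unknown" is never read as "no".
nvme_erase_caps() {
    text=$(cat)
    fna=$(id_ctrl_field "$text" fna)
    sanicap=$(id_ctrl_field "$text" sanicap)
    if ! is_hex_value "$fna" || ! is_hex_value "$sanicap"; then
        echo "fna/sanicap not found in input" >&2
        return 1
    fi
    echo "format_crypto_erase=$(bit_set "$fna" 2)" \
         "sanitize_crypto_erase=$(bit_set "$sanicap" 0)" \
         "sanitize_block_erase=$(bit_set "$sanicap" 1)" \
         "sanitize_overwrite=$(bit_set "$sanicap" 2)"
}

# Constructed sample outputs (not captured from real drives).
SAMPLE_WITH_CRYPTO='vid       : 0x1234
mn        : EXAMPLE SSD A
fna       : 0x4
sanicap   : 0xa0000003'

SAMPLE_WITHOUT='vid       : 0x1234
mn        : EXAMPLE SSD B
fna       : 0
sanicap   : 0'

printf '%s\n' "$SAMPLE_WITH_CRYPTO" | nvme_erase_caps
printf '%s\n' "$SAMPLE_WITHOUT" | nvme_erase_caps
# On a real system: sudo nvme id-ctrl /dev/nvme0 | nvme_erase_caps
```

A drive that reports `no` in every column has no controller-level crypto erase to rely on at disposal time, which is the case where encrypting the disk from the first write matters most.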
EtiamTinciduntNullam@reddit
I don't think every modern SSD has this.
SergiusTheBest@reddit
I think it's mandatory for NVME.
SergiusTheBest@reddit
Oh no, it's not mandatory but common in consumer SSDs and guaranteed in enterprise SSDs.
_Sgt-Pepper_@reddit
A hammer and a heavy vice will work wonders on an SSD.
daemonpenguin@reddit
That's a level of paranoia I fortunately do not have. I'm not trying to hide my family photos and accounting from the FBI, I just need to make it unlikely for the next average joe who gets the computer from reading my e-mails.
EtiamTinciduntNullam@reddit
Given how easy it is to encrypt these days it's still worth encrypting to make sure the next average joe can read 0 of your emails and see 0 of your photos, instead of just "some" of them.
StarTroop@reddit
The statistic in play is not "how much of your stuff will they see?", but "how likely are they to be capable of, or even wanting to see your stuff?" Just by having your stuff on a non-Windows-native filesystem, you're already eliminating a massive number of potential peepers among the limited number of people potentially interested in your data, within the small percentage of people who would even commit a theft in the first place.
It's just such an unlikely scenario that it hardly seems worth the consideration under normal circumstances. Atypical circumstances would include if you have genuinely sensitive data like confidential records, or private info of clients, or if you live in a scummy area.
I know I wouldn't stress if someone simply took a copy of my media library, or even my hobby photos. Encryption at the file level also exists for things like passwords, cached emails, or any other directory you may want secured, which is handy since it can be set up afterwards, and you don't have to risk losing access to your entire drive.
EtiamTinciduntNullam@reddit
TestDisk will automatically find previously defined partitions, ntfs, fat or ext. Remember that even temporarily stored files can be recovered.
You can add keyfile and embed it in initramfs to not even require password input, then when you want to get rid of the drive or decide on having extra security simply remove keyfile from keyslot. If you want to keep using the drive make sure you can still unlock with different keyslot first.
wabassoap@reddit
It's easy to do but it can be more difficult for the average user to ensure they never forget their password.
EtiamTinciduntNullam@reddit
You're protected against that even if your password is easy.
bigntallmike@reddit
It's quite common to throw out a broken drive you couldn't wipe before it broke.
Cronos993@reddit
Encrypt and wipe it. Wiping alone doesn't guarantee that it's not gonna be recoverable unless you overwrite with 0s
EtiamTinciduntNullam@reddit
Encrypting just before wiping does not do much, better to overwrite with random data, several times.
Bischnu@reddit
The necessity to overwrite several times (if you want to really destroy the old data) only applies to HDD, right? Or is there magnetic remanence (or whatever the physical effect is) on SSD too?
EtiamTinciduntNullam@reddit
SSDs use over-provisioning and wear-leveling, it means even if you delete everything, filling drive to 100% it might still have some of the previous data stored. If you do it multiple times it is more likely you will really overwrite all.
Bischnu@reddit
Isn't there some way to tell the SSD: "set all bits to 0"?
EtiamTinciduntNullam@reddit
Yes, you might want to read this: https://wiki.archlinux.org/title/Solid_state_drive/Memory_cell_clearing
Still it's hard to verify if it's done correctly.
Cronos993@reddit
why not and why overwrite it several times? My understanding was that data can be recovered since deleting alone doesn't write over the data but writing once should overwrite everything, no?
earldbjr@reddit
It's a bit paranoid for a home gamer, but yes in a lab you can tell the difference between a 1 overwritten by a 1 and a 1 overwritten by a 0.
repocin@reddit
If you need to hide evidence of your data from a nation-state actor you're probably better off grinding the drive into a fine powder and chucking it into the nearest volcano anyways.
But the odds of that applying to anyone reading this thread are close to zero.
earldbjr@reddit
I would imagine whacking the platter with a hammer would scramble the magnetic moments on it. Can't say I've lab tested it, though.
EtiamTinciduntNullam@reddit
I don't think hammer will do anything to magnetically written data other than make a difficult puzzle out of it.
Actually using a magnet is not a reliable method to wipe data on HDD, but it can damage it.
EtiamTinciduntNullam@reddit
If you overwrite multiple times it will decrease SSD lifespan. This is why you might want to not do it.
Others have answered why you might want to do it.
Farados55@reddit
There are methods to recover data based on residual data even if a location is written over once. Ideally you write several times randomly to destroy any possible residuals.
spultra@reddit
That's what shred is for
_Sgt-Pepper_@reddit
Shred worked in the stone age of Unix.
today with journaling, COW-file systems, snapshots and drives that use wear leveling, you can forget shred…
Embarrassed-Boot7419@reddit
I misread and thought it was called Shrek. It's not called Shrek :(
NoTime_SwordIsEnough@reddit
SOMEBODY ONCE TOLD ME the same thing, sadly...
macromorgan@reddit
A 9mm and a full magazine can take care of that.
eras@reddit
How about when the drive fails during warranty period and you are not able to wipe it?
NeverrSummer@reddit
Well you'd only wipe the drive if you were going to sell it, and if it's broken you wouldn't be able to do that, so you could just physically destroy it. Seems like a self-solving problem.
eras@reddit
Were you hoping to get a warranty device swap, though?
NeverrSummer@reddit
Honestly 15 years into PC building I've never had a hard drive die in its warranty period. I don't really factor that in, but I suppose in the rare instance you manage to lose a drive in less than five years it would be convenient, sure. Now I run erasure coded RAID arrays on most of my drives. So they're inherently unreadable as individual drives regardless if they're encrypted or not.
FigurativeLynx@reddit
Not quite. The array controller breaks up the data into smaller chunks that are then copied to the different drives, but everything within those chunks remains sequential. The chunks are almost always between 64KiB and 512KiB, which is more than enough to contain entire files or usable excerpts. Files almost always start with a magic number, and you can easily grep them and just read what comes after.
NeverrSummer@reddit
Well to clarify, it's not 2009 so there's no controller. I use ZFS and btrfs for this like a sane person in the 2020s. Sure data can be recovered in tiny snippets through a filesystem RAID 6 or Z2, but not in a way I find personally concerning.
FigurativeLynx@reddit
Every RAID has a controller, it's just that most controllers are implemented in software instead of hardware. By the way, filesystem-level RAID almost always stores complete files contiguously, even if they're larger than a typical chunk.
NeverrSummer@reddit
Boy that sure is a pedantic, unnecessary comment to make to a person who just told you they're 15 years into the same hobby you have. Good job bud, you got me.
FigurativeLynx@reddit
I thought that's what we were having, until you got confrontational. Anyway, I also make comments for uninvolved people to read them, so I'll just mention that you can easily recover contiguous files by grepping the disk for magic numbers. It's called file carving, and it's what a lot of file recovery tools do.
FigurativeLynx@reddit
The average person on r/DataHoarder has probably had at least 2 drives fail.
NeverrSummer@reddit
I've had five drives die over the last ten years, just never ones that were even remotely in warranty at the time.
FigurativeLynx@reddit
That's a fair point, I missed that detail. I've had 3 drives fail over the last 6 years, and 2 were within the warranty period.
devslashnope@reddit
This is an excellent point that the person to whom you responded has clearly not imagined.
MikeS11@reddit
Large hammer, drill press, use your imagination. Destruction should prevent all but state-level actors from recovering any data.
scottwsx96@reddit
Seems easier to just use encryption in the first place.
pee_wee__herman@reddit
How's a state-level actor going to recover data from a hard drive with platters physically damaged? They're humans, not gods.
nugatory308@reddit
A scanning electron microscope will read recently overwritten bits off of a shard of platter pulled out of the landfill.
The question is how much the data is worth to an attacker. No one is going to those lengths to set up an identity theft attack against you or me, but a national intelligence agency looking for clues about an organized terrorist group or a clandestine nuclear program will.
eras@reddit
And will your local computer store or hdd vendor be happy to process a warranty exchange on those remaining bits and pieces?
It can be a different case in business use, of course. Or perhaps one can just ignore warranty altogether.
AVonGauss@reddit
That's not necessarily going to work for solid state media and even some spinning media.
SynapticMelody@reddit
That is not sufficient with SSD drives due to wear leveling and data remanence, or even HDD drives when there's corrupt sectors. Best to encrypt the full drive to protect your data. Not to mention that houses can get burgled.
Festering-Fecal@reddit
I have always taken out the hard drives when selling or getting rid of a computer.
-light_yagami@reddit
as far as I know sometimes that's not enough and some data could still be recoverable
oneeyedziggy@reddit
Wait, y'all get rid of drives? I just hoard them.. I have a full 600mb magnetic disk ide drive from my first computer... And every drive since that was still functional... And I'm not worried about people paying for recovery operations on my non-functional drives really...
Good point about laptop drives though, but I'm generally at more risk from dataloss from getting locked out by not being able to drop the drive into another machine than a breakin (hell, idk if a burglar these days would even worry about grabbing anything bigger than a laptop)
EtiamTinciduntNullam@reddit
Desktops, TVs and monitors are lighter than ever, so they certainly will take anything valuable given the chance.
repocin@reddit
I thought burglars had more or less stopped grabbing TVs because they're way too bulky to move for the value compared to, say, a phone. I'm obviously no expert in burglarology but I would think that time is of the essence and small valuables are vastly preferable to 65" flatscreens and server racks.
Zeune42@reddit
"... my SSNs"
SocialCoffeeDrinker@reddit
I more mean family SSNs. Not personal lol
sxdw@reddit
Why not encrypt on a desktop? It made some sense to not encrypt 10-15 years ago when encryption happened in software, but that was a long time ago, now it happens in hardware and the extra electricity from running an encrypted drive is in the order of cents or single digit euro/dollar per year.
Nzkx@reddit
Because it's inherently slower IO than doing non-encrypted.
sxdw@reddit
You're talking about decades ago, nowadays encryption for consumer computers happens on the SSD controller and the performance impact is less than 1%.
The key is held in the SSD controller too, you unlock it with a passphrase (other options are available too). You can literally just put your SSD in another computer and unlock it with the passphrase. You can also store the key in TPM and setup secure boot (which is kind of a PITA, but it's worth it if you have sensitive data on a server) - physical access means nothing if the person doesn't have the (strong) passphrase.
Do you live and work in Fort Knox? If not, your home and office can be robbed relatively easily.
mrtruthiness@reddit
Not the LUKS encryption that gets set up during the Linux distro install time. Still, most CPU's support special AES instructions. Mine is an older processor and there is noticeable overhead. Newer processors should have very low overhead.
huskypuppers@reddit
Inside your head?
repocin@reddit
Huge pain in the ass if something happens to the machine and you lose your encryption key(s) though, so you'd have to find a good way to store those in a permanently accessible yet safe location.
Shikadi297@reddit
If you have this problem it means you're not backing up, which means you're far more likely to lose data from hardware failure or corruption
alexmbrennan@reddit
My encryption keys are on a post-it note taped to the computer because burning a piece of paper is faster than wiping the drive (if that is even possible with SSDs).
TCh0sen0ne@reddit
Fun fact: most SSDs have support for controller level secure erasure. Basically, the SSD controller has an encryption key installed out-of-the-box with which all memory blocks are encrypted on write. With ATA Secure Erase or its NVMe counterpart, the key is changed and all previous data becomes unreadable without having to rewrite all memory blocks. So it might even be faster to make data unreadable with SSDs
CyclopsRock@reddit
Hopefully this mythical burglar that's going to steal your data has a lighter with him then.
vexatious-big@reddit
Cornelius-Figgle@reddit
Assuming you have a lighter to hand.
What are you storing that would need to be destroyed in a hurry?
rdqsr@reddit
Imo the way Microsoft handles it for home users is the slightly better method. Windows users are given the option to back their Bitlocker keys up to OneDrive.
Now sure that basically nullifies any protection from a government agency just grabbing the keys from Microsoft, but it does cover like 99% of use cases where someone just wants to protect their data from petty theft.
You could do this on Linux (e.g backing up the keys to a NAS) but it's not as straightforward.
scottwsx96@reddit
Lose your encryption keys? How? You forget the passphrase? I've never seen a real world scenario where an encryption key was simply lost unless it was on a single hardware dongle and even then only once.
Royale_AJS@reddit
Death tends to wipe out memories. It's good to have a plan and access to keys in place if others need access to your files after death.
Fair-Working4401@reddit
Backups?
Comfortable_Swim_380@reddit
Exactly. There are plenty better options to secure your data without making bare metal recovery one hell of a bad day for someone.
JRGNCORP@reddit
Aside the encryption (which is the way), what app or software to keep all those files? How often you backup those files?
SocialCoffeeDrinker@reddit
I sync files from my PC to my NAS and then replicate them to both Google Drive and iCloud. I additionally have an external drive that i sync to monthly.
Huge_Leader_6605@reddit
What's the downside of doing it for "home" computer?
AndrewNeo@reddit
Slower disk read/writes and higher CPU use for encryption/decryption, mostly
fin2red@reddit
What if a thief enters your house and steals your desktops/servers?
I encrypt all disks because I'm afraid of this situation!
The_SniperYT@reddit
You can use veracrypt or other tools
fin2red@reddit
Yeah I know. I use a mix of VeraCrypt and LUKS, in my setup.
The_SniperYT@reddit
Full disk encryption is pretty heavy on resources, so secure boot + locked BIOS might be a better option
RebTexas@reddit
Someone can just pull out your drive and put it into another machine
The_SniperYT@reddit
VeraCrypt for any sensitive data or home encryption
Festering-Fecal@reddit
They would find games and movies that's about it.
My desktop never has anything important on it.
Everything is also set to wipe like my browser when closing.
fin2red@reddit
Oh, ok. So where do you store all your personal photos and personal documents?
Don't tell me they're all in the Cloud :)
Festering-Fecal@reddit
Paper and photos and flash drives if they are sensitive.
Ok not a paranoid type I have pictures of me and my wife on my phone but anything that I think shouldn't be online it's hard copies.
I don't use Windows so I'm not terribly worried about plugging a flash drive in.
jr735@reddit
Exactly. I'd rather trust a thief with my data than Microsoft.
jr735@reddit
I encrypt what I need. Considering the trouble we see people having installing a Linux distribution when they want to use Linux, I can't imagine a thief running around with a Ventoy stick ready to browse your home directory after he steals your computer.
Mooks79@reddit
Yeah absolutely. Unless you have absolutely zero personal information on a device, full encryption should be considered mandatory.
NeverrSummer@reddit
I like how that was obviously a joke and this goober took it seriously.
Mooks79@reddit
I like how it obviously wasn't and this goober thinks it was.
fin2red@reddit
It definitely wasn't a joke, lol.
"I've nothing to hide."
Nah... I'm not a criminal, but I like to have my privacy.
NeverrSummer@reddit
Oh, well I stand corrected. It was so dumb I figured it must be sarcastic. I can't fathom actually worrying about someone breaking onto my house and stealing hard drives. Carry on with the paranoia I guess.
Mooks79@reddit
Well done, goober. It's also not dumb. The downsides of encrypting a desktop are massively outweighed by the risks of not doing it. Sure, it's extremely unlikely that someone will rob you and steal your hard drives but, when the downsides of protecting yourself are so trivial, it's idiotic not to. The same argument goes for locking your front door when you leave the house, or your car door.
NeverrSummer@reddit
Who said I didn't encrypt my desktop? I do, just not because I worry about house thieves. That was the part I thought was a joke.
Mooks79@reddit
Who said you didn't? But that doesn't mean burglary isn't one of a number of reasonable factors for doing so.
NeverrSummer@reddit
You implied I didn't with your previous comment, and I mean agree to disagree I guess.
Mooks79@reddit
I don't imply anything, you inferred, erroneously so. I think considering burglary as one possible reason to do it is entirely reasonable and it's pretty non-sensical to argue otherwise. Again, the downsides of doing so are so low and, although the chances of it happening are low, the potential harm is extreme so that you ought to. It's a pretty trivial risk based decision.
fin2red@reddit
It only needs to happen once. That's literally what I value the most in the contents of my house. Everything else I can get again. My privacy, once leaked, I won't be able to recover it.
NeverrSummer@reddit
My threat profile for data encryption is warrants, not house thieves. The latter doesn't concern me.
NeverrSummer@reddit
Okay so now that the original guy confirmed it's a joke you didn't get... just going to leave that comment or what?
scottwsx96@reddit
IMO you should always use disk encryption in 00% of cases. The burden of use is very low and you protect your data in the cases of burglary, improper disposal, etc.
The argument against encryption is far weaker than the argument for.
Witty-Development851@reddit
From whom are you hiding at home?
1stRoom@reddit
Yes. No exceptions.
Sdgtya@reddit
I had a mentor who would always say "who are you trying to protect your data against? If it's the Mossad, you won't stop them. If it's not Mossad, you don't need to worry."
Take away being - focus on security mechanisms that make sense. My NAS that holds my backups is encrypted, my work laptop and personal laptop I encrypt, but my workstations/homelab? Have fun with my shitty bash scripts and config files buddy.
nicholas_hubbard@reddit
Yes, because it's easy to set up and I think encryption is cool and interesting.
JagerAntlerite7@reddit
Being unwilling to clutter my desk with a wired keyboard, I am consciously trading convenience for security. I use a Bluetooth keyboard for my desktop. Because the drivers are not loaded yet, there is no way to enter the password.
voidfurr@reddit
If only Linux could be a microkernel
JockstrapCummies@reddit
Yeah, it's a pain point. Technically one should be able to include the Bluetooth stack to the initramfs, but the need for pairing means it won't be straightforward.
I think the easiest way for initramfs cryptsetup unlock to work wirelessly is to use one of those USB-dongle wireless keyboards instead of Bluetooth.
CmdrCollins@reddit
Pairing information is easily portable on Linux and can be shared with other environments by copying (or mounting) /var/lib/bluetooth. initramfs-tools on Ubuntu doesn't ship with support for it by the looks of it, but other initramfs generators do (e.g. dracut).
MdxBhmt@reddit
https://github.com/maxchehab/Remote-Linux-Unlocker
maybe?
rfrancocantero@reddit
Dropbear ssh
Hard_Purple4747@reddit
Had my laptop stolen from my dining room table. Bulk encrypt since then. Yup, I have to enter my password on boot up and then to log in, but I feel much safer.
lproven@reddit
No, never, unless mandated by company policy.
This is why...
https://xkcd.com/538/
quicksand8917@reddit
It all comes down to threat modelling. Encryption mainly protects from a burglar/thief going through your files as well as police to a certain degree (good enough for journalists and political activists in many legislations, it has been proven to work in Germany at least).
nicman24@reddit
The hammer one?
lproven@reddit
I think it's a $5 wrench.
Exact-Teacher8489@reddit
There are 0 reasons to not use encryption. 🤷‍♂️
Vogete@reddit
For home servers, I have a reason. If I don't have TPM (which I don't), it makes restarting computers impossible without a KVM, which I don't have either.
bigntallmike@reddit
With a little effort (on Linux) you can put the key for luks on an external USB device and plug it in before reboots.
ChrisTX4@reddit
That's not quite true, there are solutions booting up an SSH server during initramfs for entering the key remotely or using network bound encryption via Clevis.
Also, this is probably a niche situation, as all consumer hardware since 8th generation Intel, ie around 2018 hardware, have TPMs in firmware. So you'd need pretty old hardware to have that concern.
Vogete@reddit
You're right, I forgot about Clevis. I've been meaning to set it up, but I haven't got around to it yet. And also it's a pain in the ass to encrypt drives after it already has data on it. The ssh-ing part is not really gonna work for me for a few reasons, but Clevis would solve the issue.
I have however hardware with earlier than 8th gen intel, without TPM in it. So TPM isn't an option for me. Well it is on one of my servers, but not the rest.
kholejones8888@reddit
Uh needing to reboot unattended absolutely is a good reason not to use full disk encryption.
ipaqmaster@reddit
I solved that problem for myself. Mine can reboot on their own.
kholejones8888@reddit
This is cool as fuck, hashicorp vault is hot garbage BUT no this kind of thing does work and is what I would do
ipaqmaster@reddit
Their UI experience sure could be a lot better.
I also wanted to try implementing Duo security (MFA) so that these machines would cause a push notification to be sent to my phone to approve or deny their Vault login. But it seems that is a Vault Enterprise feature. Not for free.
Zathrus1@reddit
There are numerous ways to do fully automated decryption in a secure manner. They all work through clevis/tang.
You can do TPM, network based encryption, hardware keys (really just a variation on TPM), or a combination of these.
But I absolutely agree with you for individual systems, or small scale deployment. Like many others, my laptop is encrypted, my home server isn't.
kholejones8888@reddit
No one actually uses a TPM that way in production. It's not a thing.
ChrisTX4@reddit
Why not? This is by the way the default way Windows 11 uses for setting up disk encryption, which is also done by default for new installations.
There's little reason not to do this: the idea is that if set up correctly, only your specific kernel image can boot and there's no way to modify the system in any way. The security is then tied to accessing the booted system. If set up correctly again, you'd use eg usbguard to minimise attack surface.
Which part about this wouldn't be safe to use?
kholejones8888@reddit
Oooh boy so you're mixing up different concepts here with regard to boot security and I don't feel like teaching today.
Storing the bit locker key in the TPM and automatically unlocking the root drive IS the default and I think it's basically useless. When you go over the threat model, it makes very little sense to even do it, except for needing a rubber stamp for encryption at rest.
ChrisTX4@reddit
No I don't. A TPM measures the boot, independent of secure boot. You can use the secure boot status (PCR 7) for TPM unlocks but you're free to use others as well, like PCR 11 with current PCR policies.
I think you don't really understand how a TPM works. A TPM only unseals the key if those boot measurements have correct values in their PCR banks.
With Secure Boot status for example, a TPM only unseals if secure boot is enabled and the chain of keys to the bootloader meets an expected value. So it pins the key is what I'm saying.
kholejones8888@reddit
Ok so here we go.
Step 1) I take your laptop. Step 2) the tpm unlocks your drive Step 3) profit
Any questions?
ChrisTX4@reddit
You're completely misunderstanding how this works. The idea of a TPM is to ensure that the secret is unsealed only if the boot is measuring as expected. That is to say, a TPM does work automatically, however only if the boot image is unmodified.
In such a situation as you describe, the TPM does unlock the laptop, but only a minimal attack surface is being presented after the boot at the password prompt. If implemented correctly, USB devices are being refused during this phase etc. You'd have to break the password of the user without any assistance whatsoever.
kholejones8888@reddit
What's stopping me from making the same syscalls and getting the key out myself?
A strategy where the TPM requires user input to unlock the key is fine and doesn't have an issue.
That's not unattended boot from a server, which is what I'm arguing about.
It's not actually fixing anything. Which is why no one fucking bothers. Encryption at rest in like SaaS land is a lot different and the turtles problem gets distributed.
ChrisTX4@reddit
How are you making syscalls? How are you getting on that system? The model for a TPM is to protect the system from being modified in any way.
kholejones8888@reddit
I stole your laptop. I am the system.
ChrisTX4@reddit
No, because you can't access any of the files or modify them, and you're now stuck at the login screen. There's no way in the system.
kholejones8888@reddit
Generally DMA and cold boot attacks. It's physical.
The way that NSA did it 15 years ago for servers was PCIe.
A server is gonna boot. It's gonna do stuff. You have a lot of opportunities. And on LINUX, I have no guarantees you did it right. Windows prevents me from dumping bitlocker keys by checking the environment and making sure the PCR registers all look right. What's this person doing for Linux?
I do not think it is anything more than brittle rubber stamping.
ChrisTX4@reddit
"Cold boot attacks" are exactly what a TPM prevents. You can't do anything to modify the system.
As for DMA: That's what IOMMU is for. DMA protection is a thing that exists nowadays.
This is completely wrong. The PCR registers aren't being checked by Windows, they're being "checked" by the TPM in that they're being used to unseal secrets. For Linux, how this looks exactly depends, but in the simplest use case, you use a Secure Boot setup with your own keys and sign the kernel in the form of a Unified Kernel Image (UKI) with it. In that case, the PCR 7 would only match anything signed by that same, owned key. An attacker could not get something to boot that is modified or attacker controlled.
redd1ch@reddit
TPM does not matter in cold boot.
You start the system, wait for the login screen to come up. Then you power it off, and extract the RAM. Then all you have to do is search for the disk key. Congratulations, now you can decrypt the disks. No need for any TPM of the target system.
This will work as long as the decryption is handled on the CPU. You always will need the decryption key in the RAM.
kholejones8888@reddit
So you're relying on running operating system configuration and hoping that DMA is configured correctly, when you COULD have used a password.
ChrisTX4@reddit
This isn't really a hope. You add intel_iommu or amd_iommu to the kernel parameters and that's that. Kernel DMA protection (kDMAp) is a feature since kernel 5.0.
kholejones8888@reddit
So like my thing is, ok, let's say you have a unified kernel and you are signing the whole thing, including bootloader config (cause you aren't really using one) with MOK. I don't know how I would mess with that.
But most people use binary kernel. I can just edit bootloader config. Right?
ChrisTX4@reddit
This is why the whole shebang is done with Unified Kernel Images (UKI). UKIs are an amalgamation between at least the kernel, the initramfs and the kernel parameters. None of these can be modified in UKI boots - you can't edit the kernel commandline.
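The PCR-bound sealing argued over in the comments above, as an added illustration that is not part of any commenter's post and not a real TPM API: a toy Python model in which a disk key sealed to PCR 7 and PCR 11 is released on an unmodified boot and refused when the measured boot chain changes. The ToyTPM class, the measurement strings and the scenario names are constructed for the example, and measuring every UKI section into PCR 11 is a simplification.

```python
import hashlib
import hmac
import os


class ToyTPM:
    """Toy model of a SHA-256 PCR bank plus PCR-bound sealing (not a real TPM API)."""

    def __init__(self):
        self._storage_key = os.urandom(32)  # never leaves the "chip"
        self.reset()

    def reset(self):
        """Power cycle: PCRs go back to zero, the storage key persists."""
        self.pcrs = {i: bytes(32) for i in range(24)}

    def extend(self, index, data):
        """PCR_new = SHA256(PCR_old || SHA256(data)); PCRs cannot be written directly."""
        measurement = hashlib.sha256(data).digest()
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + measurement).digest()

    def _policy(self, indices):
        # Digest over the selected PCR values, standing in for a PCR policy.
        h = hashlib.sha256()
        for i in sorted(indices):
            h.update(bytes([i]) + self.pcrs[i])
        return h.digest()

    def _pad(self, policy):
        # Toy cipher: a pad derived from the chip key and the policy digest.
        return hmac.new(self._storage_key, b"pad" + policy, hashlib.sha256).digest()

    def _tag(self, policy, ct):
        return hmac.new(self._storage_key, b"tag" + policy + ct, hashlib.sha256).digest()

    def seal(self, secret, indices):
        """Bind a 32-byte secret to the current values of the chosen PCRs."""
        if len(secret) != 32:
            raise ValueError("toy model seals exactly 32 bytes")
        policy = self._policy(indices)
        ct = bytes(a ^ b for a, b in zip(secret, self._pad(policy)))
        return {"indices": tuple(sorted(indices)), "ct": ct, "tag": self._tag(policy, ct)}

    def unseal(self, blob):
        """Release the secret only if the current PCRs match those at seal time."""
        policy = self._policy(blob["indices"])
        if not hmac.compare_digest(self._tag(policy, blob["ct"]), blob["tag"]):
            raise PermissionError("PCR policy mismatch")
        return bytes(a ^ b for a, b in zip(blob["ct"], self._pad(policy)))


# Constructed measurements; real firmware hashes the actual binaries and variables.
SB_ON = b"SecureBoot=1;db=owner-enrolled-key"
SB_OFF = b"SecureBoot=0"
UKI = (b"kernel image", b"initramfs", b"cmdline: root=/dev/mapper/root quiet")
UKI_EDITED = UKI[:2] + (b"cmdline: root=/dev/mapper/root quiet extra-param",)


def boot(tpm, secure_boot_state, uki_sections):
    """Measure Secure Boot state into PCR 7 and each UKI section into PCR 11."""
    tpm.reset()
    tpm.extend(7, secure_boot_state)
    for section in uki_sections:
        tpm.extend(11, section)


def key_released(tpm, blob, expected):
    """True if this boot state gets the original disk key back from the blob."""
    try:
        return tpm.unseal(blob) == expected
    except PermissionError:
        return False


def run_demo():
    tpm, disk_key = ToyTPM(), os.urandom(32)
    boot(tpm, SB_ON, UKI)
    blob = tpm.seal(disk_key, (7, 11))  # enrolment on a known-good boot

    scenarios = {
        "unmodified_boot": (SB_ON, UKI),           # unseals with no user input
        "edited_cmdline": (SB_ON, UKI_EDITED),     # PCR 11 differs
        "secure_boot_off": (SB_OFF, UKI),          # PCR 7 differs
        "sections_reordered": (SB_ON, UKI[::-1]),  # extend order matters
    }
    results = {}
    for name, (sb, uki) in scenarios.items():
        boot(tpm, sb, uki)
        results[name] = key_released(tpm, blob, disk_key)

    other = ToyTPM()  # drive moved to another machine: different chip key
    boot(other, SB_ON, UKI)
    results["drive_in_other_machine"] = key_released(other, blob, disk_key)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:24} key released: {ok}")
```

The unmodified_boot case releases the key with no user input, which is the behaviour the thread disagrees about; the model says nothing about what happens to the key once it sits in RAM.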
Zathrus1@reddit
I'll tell my Fortune 500 customers that do this they're wrong.
kholejones8888@reddit
Literally no one is doing it in SaaS maybe you told them it was a good idea and they listened to you?
Zathrus1@reddit
Or, maybe they know better than you?
One did it to recoup an estimated seven figure disk annual drive cost because they couldn't take advantage of warranty.
But, please, keep telling me how my actual customers don't do this thing. It's funny.
kholejones8888@reddit
Oh so you did this to meet some encryption at rest requirement, not an actual threat model?
Oh cool good job stamping with rubber
sxdw@reddit
I see it as a good reason to have TPM.
kholejones8888@reddit
That's not how it actually works. Think about it for a little while.
sxdw@reddit
It does, with UEFI secure boot and sshd in initramfs. You do have to enter the password, but you can be on the other end of the planet.
kholejones8888@reddit
No one does that.
sxdw@reddit
I do it. My servers never reboot unless I make them, so it's not an issue.
FoxTrotte@reddit
It disables deep sleep
daemonpenguin@reddit
That's just silly. There are lots of reasons not to use full disk encryption. Unattended updates, upgrades across distro versions, performance, needing to share the password with family members, etc.
that_leaflet@reddit
I don't see much reason not to.
You can avoid having to enter your password twice by turning on autologin in your Display Manager. Or you could use a TPM-based solution for automatically unlocking the disk.
Though I think, though many experts seem to disagree, TPM-based auto unlocking is worse for security than entering a password.
Normal-Confusion4867@reddit
TPM definitely has downsides and exploits, but encryption with TPM is probably better than no encryption at all. Agree about the password thing, but getting rid of the friction to having an encrypted drive is probably a good thing.
that_leaflet@reddit
Oh it's definitely better than no encryption. But still, it's good to be informed that TPM is not perfect, even though it's often regarded as better than password-based decryption.
Normal-Confusion4867@reddit
Absolutely, if you want the best security, go password, or even better Veracrypt if you want protection against rubberhose cryptanalysis [relevant].
that_leaflet@reddit
What does veracrypt do to protect against the wrench?
The only thing that comes to mind, that I believe GrapheneOS offers, is a fake password that when entered, wipes the device.
Normal-Confusion4867@reddit
You can install an operating system inside a hidden volume.
https://veracrypt.io/en/VeraCrypt%20Hidden%20Operating%20System.html
that_leaflet@reddit
I think the GrapheneOS approach is better.
For Veracrypt, if you give them the decoy password and they suspect it is a decoy, they can keep wrenching you until you give them the real one. And as a side note, it would suck really bad if there was no decoy OS but they didn't believe them.
With GrapheneOS, if you give the wiping password, the device is simply wiped. They know it was wiped and know it is no longer possible to get the data from it. Therefore wrenching you is no longer necessary.
tblancher@reddit
Not so if you do it right. You need to set an admin password in your UEFI BIOS, and require that password to boot off removable media.
Then, set up Secure Boot with a Unified Kernel Image, so the kernel cmdline can't be edited. That will make the TPM unlocking the LUKS2 container secure enough. If the drive is removed, they'd need the recovery key or passphrase to unlock it.
that_leaflet@reddit
There are ways to work around the TPM. And even if you don't work around the TPM, there's a big problem. The system automatically decrypts the disk and boots into the OS. At that point, there's a much wider surface area for vulnerabilities that could be exploited in order to access your now-decrypted data. Even OSs with a high level of boot chain integrity checks and integrated security features, such as iOS, MacOS, and Android have exploits. Law enforcement and groups like Pegasus utilize these exploits to break into locked devices.
Meanwhile, a standard disk encryption password is simply math. You put in the right password, the math checks out, disk gets decrypted. If you don't have the password, you have 3 choices: trick the user, apply wrench to user's shins, or bruteforce it. (Also sidenote: 1 and 2 also apply to TPM; the disk is still encrypted by a password which the user is supposed to store safely for recovery reasons; and in the case of Windows, the bitlocker key is stored on OneDrive, accessible to Microsoft and therefore anyone who demands it from Microsoft). The surface area is much lower here, the data is inaccessible because it's all encrypted.
I would also like to point out that using a disk encryption password doesn't rule out using TPM. You can use both, achieving an even higher level of security.
pfp-disciple@reddit
Here I am with a home computer apparently from before TPM (about 13 years old, if I'm recalling correctly).
craigmontHunter@reddit
TPM is better than nothing, but any chink in the armour (misconfigured grub…) is a way in. Password is better but less convenient, especially for systems that may need to be remotely restarted.
Professionally all my systems are encrypted with TPM unlock, mostly for the remote reboot capability. Personally my laptop is encrypted, but my desktop isn't, mostly because it only supports TPM 1.2, which doesn't support auto decrypt last time I checked.
josemcornynetoperek@reddit
Yes, encrypted laptop disk, since a half year I'm encrypting whole disks even in remote servers.
snorixx@reddit
A few days ago I tried setting it up on Arch but failed. There will be a second try soon, but as an answer: not yet.
thecause04@reddit
Of course I do. Why wouldn't I? Who doesn't do this? WHY DON'T PEOPLE TAKE SECURITY SERIOUSLY WTF???
arugau@reddit
if you carry it around, it's a good idea to encrypt it
think like this, how likely it is that someone other than yourself will get the hands on that disk
also, how exposed are you to ransomware?
Drate_Otin@reddit
I do, because why not?
Secris@reddit
I am personally using systemd-homed with luks encryption. Encryption of the home folder is sufficient for protection of my personal data.
kombiwombi@reddit
I use it via a TPM and the clevis pin. So the laptop boots without intervention but if the drive is removed it can't be read.
TechManWalker@reddit
Because yes, mostly
Long answer:
I don't want my pay gorn stolen
UnassumingDrifter@reddit
Did I always? No, but now that LUKS is set up and working out-of-the-box on many distros there's no reason not to.
One thing I have not mastered is having TPM automatically decrypt my drives. All of my Linux machines (Tumbleweed or CachyOS) require a password at boot. On my servers I can't have this. Thankfully the data itself is backed up. My Synology NAS is encrypted, and my backup servers encrypt the backups, so I'm hopeful I'm good.
DarrenRainey@reddit
FDE everything except for a few backup drives with old family photos/non-sensitive info etc. I keep some stuff unencrypted mainly to increase the chances of data recovery if the drive fails and my backups are out of date.
EtiamTinciduntNullam@reddit
I believe drive encryption does not affect chances of data recovery as long as you keep a backup of the encryption header.
DarrenRainey@reddit
Personally I still wouldn't risk it since if that header gets corrupt there's basically no way of recovering the data past brute force.
A lot of the plaintext stuff I store is non-sensitive stuff / stuff I'd like to keep around and not worried about in terms of security e.g. a USB hard drive stored in a safe etc. which could bit rot over time.
EtiamTinciduntNullam@reddit
If you've backed up header (you should!) then it is trivial to recover.
If your header is corrupted and you do not have a backup then brute-force will not help, as it's basically impossible to guess the master key (you might be lucky though!).
Doesn't BTRFS help against bit rot?
DarrenRainey@reddit
That is true but at the same time the stuff I'm storing unencrypted would mostly be stuff like family photos where convenience would be the main factor. You don't want to explain to your family how to mount and unlock a LUKS volume when they're used to just plugging in an NTFS drive to their Windows machine.
As for BTRFS there are mixed opinions on it over the years with some distros embracing it and others deprecating support for it. ZFS is my go to for NAS storage.
bigntallmike@reddit
If you threw out the device for any reason and couldn't or simply forgot to wipe it first, would it be bad for you? Personal information, work internals, other people's personal information, banking etc.? If so, encrypt the drive.
Ripped_Alleles@reddit
Desktop no, laptop yes.
Lasivian@reddit
The vast majority of data doesn't matter. Encrypting everything, especially when there's nothing there worth encrypting, is just wasting time and energy.
MrKusakabe@reddit
Yes, simply because I am paranoid and I DualBoot. I do not want other OS (or the spyware that comes with games) to forage into my Linux disks..
benhaube@reddit
I encrypt every drive I own.
thisisnotmynicknam@reddit
50/50 - on my desktop I have an encrypted ssd, but it isn't where root or home is, just for sensitive data; it is really annoying to decrypt at every boot.
countsachot@reddit
I use luks, full disk encryption
mrnavz@reddit
Depends on your threat model. but alternatively you can just simply encrypt home directory, it gives you a good balance between security and performance. again that depends on you!
BlakeMW@reddit
Not full disk encryption. Out of an abundance of paranoia I do have an encrypted folder where I put things like those codes you can use if you lose your 2FA.
Bonus: 99% of the time it's not unencrypted because I only do that on an as needed basis.
githman@reddit
My home PC has a Veracrypt volume for sensitive documents. The rest stays unencrypted since I fail to imagine a practical scenario where it could matter.
My phone is of course encrypted.
gsdev@reddit
I think the easiest option is to just create a small encrypted partition on your disk. Any sensitive files can be stored there, without changing anything else on your machine.
trusterx@reddit
Yeah on my laptop using tpm2 for transparency unlocking at boot, so that my data is safe if the device gets lost or stolen.
CalliNerissaFanBoy02@reddit
On my PC no. There is no data on there that I care about getting into the Wrong hands. I don't care if bad guy steals my Game Saves of Witcher 3 and Factorio. The most embarrassing is the Factory Spaghetti.
My nas tho that keeps all my Data? Yes Disk Encryption is on.
My Laptop? Also has DiskEncryption.
_Sgt-Pepper_@reddit
For computers that are mobile, i always use encryption.
For workstations i sometimes do sometimes don't.
I think it's better to use encryption on a workstation as well, no headaches when finally putting the drives into the dumpster…
da_peda@reddit
Yes.
PapaOscar90@reddit
I encrypt what needs to be encrypted. If they want to scrape some movies off the drives or some game files they can help themselves.
iamdestroyerofworlds@reddit
Yes. On all devices.
skincr@reddit
Do you use locks on your outside door? Do you lock your car? I was lazy and didn't encrypt the USB drive I was backing up my personal files to. The whole documents, personal photos, etc. I thought I wouldn't lose it or that no one would steal from me. And I lost it.
FryBoyter@reddit
Virtually all of my data carriers are encrypted with LUKS/dm-crypt because I simply don't want third parties to have access to my personal data. For example, if someone breaks into my home and steals my hardware. Or if I leave my notebook on the train.
Auto login.
In order to use encryption as efficiently as possible, the CPU must support AES-NI. To my knowledge, this only applies to the Raspberry Pi 5.
TheOneTrueTrench@reddit
Yes, everything.
ZFS native encryption, the only thing not encrypted is my ESP, and I have to enter a password at boot to unlock everything.
Everything is backed up to my backup server encrypted, not with the source encryption, but destination encryption.
TheWorldIsNotOkay@reddit
I use full disk encryption. On my laptop as well as my phone. I taught at a local university for a couple of decades, and did basically everything on my laptop. Teachers are subject to potentially significant fines under various laws like FERPA if they don't take adequate measures to secure student information, and full-disk encryption was an easy way to make sure that data was safe even if my laptop was lost or stolen.
Even though I don't teach anymore, I still use encryption. The way things are going currently, there's no telling if/when I might get stopped by the authorities for some arbitrary reason, and I don't want some glorified mall cop on a power trip going through my personal devices looking for a reason to press charges. It sounds paranoid, except that that exact thing has happened to people I know just for being bystanders at a protest.
rayjaymor85@reddit
Yep.
Don't get me wrong, if my gear gets stolen it's probably by some meth-head who wouldn't even know how to turn it on.
But the person who buys it from him on Marketplace or eBay could be a different story.
MelioraXI@reddit
On a personal desktop I don't see a reason. If it was a laptop and I traveled, absolutely
Lurksome-Lurker@reddit
Not disk encryption but encrypted containers using veracrypt in odd places in the system files. Nothing massive just 100mb containers here or there. Traveling overseas in certain places it's considered suspicious if you have full disk encryption and you might be compelled to decrypt. Conversely, if they poke around and notice it's unencrypted and you don't give them any reason to look further, odds are you will be passed on through.
The goal afterwards is to use the small encrypted containers to establish a secure connection via vpn to access encrypted cloud storage with the actual sensitive information
BIRD_II@reddit
Nope. If someone's able to access and steal the drives from my PC, that loss to me is big enough that I don't really care whether they can access stuff or not.
And for my laptop, it has basically nothing stored on it.
Tofurama3000@reddit
TL:DR Currently, yes because the downsides aren't as bad as they used to, historically no
Historically, no. I've had enough boot partition corruptions from dual booting (thanks Windows) that I want a way to easily recover my data (both on my Windows partition and my Linux partition- both have had issues). Also, I've had to deal with enough relatives Windows install not booting after an update and me doing data recovery/backup through live usb before trying to fix windows that it scared me off of using encryption for a long while. Also, it's really convenient to just mount the other OS's partition to copy a file over rather than rebooting, copying to USB/cloud, and rebooting again.
That said, I'm slowly starting to adopt more encryption. Windows has pushed it a lot more, and it's a lot more robust than the early Bitlocker days. Plus, automated cloud/network backups are a lot easier to setup (Windows comes with OneDrive which can be attached to Linux with Insync, plus there's Google Drive, etc), a lot more cloud/network centric workflows (eg Github), and a lot more reliable OS and hardware developments that those concerns are a lot less practical. I haven't had to rescue family member data for almost ten years now (at least not past the extent of resetting their Microsoft account password so they can get onto OneDrive again). And my important working files are on a network so I don't need to access the other OS partition when dual booting. So, there's much less of a reason not to (at least for me anyways)
National_Way_3344@reddit
I've been known to use LUKS encryption and Tang.
LesStrater@reddit
I encrypted my Home folder for a while, but it added another 40 seconds to my bootup time, so I got rid of it. I use a different security now.
dobo99x2@reddit
Don't need. Have a good Password manager, secure everything with a vpn or reverse proxy and then there's not much to worry about.
zeanox@reddit
what?
zeanox@reddit
I encrypt all my systems and disks (even USB disks). To me it's the same as locking the door, when i leave my home, i'm just not comfortable with the idea that people could get unwanted access to my files.
I don't really see any downsides to doing it, other than potentially losing access to a method of decrypting the files (i do have solutions for that however).
tibby709@reddit
I did, then I realized I had to enter password twice to get into the computer. Shag that
Goof_Guph@reddit
I would likely have been able to recover a hard drive and have a few bitcoins if it wasn't for encryption. Also lost family photos because couldn't recover a drive that was also encrypted. yes I know backups... but still they over complicate things and drives do get small errors which turn little problems into big problems. Unless its high enough value where raid + reliable tested encrypted backs is worth it, don't bother
ipaqmaster@reddit
All my desktops and laptops servers use ZFS native encryption at rest.
When a drive of mine moves on for any reason (Usually: failure) I don't have to worry about trying to wipe them after the event. The data on them was never written in plaintext and cannot be recovered.
If my laptop, desktop or a drive right out of a server get stolen I don't have to worry about the data on them being recovered for evil reasons such as session stealing or attempting to crack and read out my password vault.
Even for Windows users I'd always recommend enabling Bitlocker these days (And backing up that key somewhere safe, at least to the microsoft account associated with the machine). Especially for Laptops which can get yoinked.
Encrypting is a transparent safety precaution which has little excuse to avoid these days.
DFS_0019287@reddit
I don't do disk-level encryption, but I have a gocryptfs directory that I keep some sensitive things in.
felipec@reddit
Nah, I don't use encryption, I used to in the past, but I found there's no benefit.
My passwords are encrypted in my machine, so even if my laptop is stolen there's no sensitive information they would have access to.
domragusa@reddit
Where I have full disk encryption I use secureboot and memorize the passphrase in the TPM module so it doesn't ask me anything, see systemd-cryptenroll.
I would say you should define your use cases and then decide if you need FDE for specific threats; for example, I use FDE on my laptop because it could be stolen or lost and I want to be sure nobody can access my files. On my NAS (a rockpro64 with debian) I don't use encryption because I don't think there's any need for it, it would be a hassle (I think I should connect to the serial interface and input the password for every reboot) and I suspect it would tank the performances of the little guy.
recaffeinated@reddit
I encrypt all my devices except my server. I enter two passwords on boot, and shut my devices down whenever I leave the house.
ArrayBolt3@reddit
Disk encryption will not protect you on a shared device. While the device is powered on the disk and has the key in memory, the disk is effectively decrypted and all users can see all files that file permissions allow them to see. If you want to keep users on the same machine from accessing your files, file permissions are the right tool to use there.
I generally do use disk encryption, using LUKS2 with an 8-word encryption passphrase and Argon2Id passphrase hashing (this is approximately 128 bits of entropy assuming a 65,536-word dictionary to choose from, and Argon2Id makes the cost for each password test very large, thus this should be unbreakable with current technology). Only my root and home disks are encrypted though, I keep data that I don't consider sensitive on an unencrypted second disk for the sake of input/output speed.
lKrauzer@reddit
I don't, my PC is basically a console, no sensible data on it, purely for gaming and browsing
Slight_Manufacturer6@reddit
No. I am more afraid of losing my data than someone coming into my house and physically stealing my data.
SynapticMelody@reddit
Use a password you won't forget and practice good backup procedures. Even a basic password is better than no protection and will thwart pretty much any basic thief.
Slight_Manufacturer6@reddit
If someone is in my house, what is on my desktop is the least of my problems. There are so many ways to lose the encryption key to a system. Failed TPM chips is a common one I have seen.
What do you store on your desktop that is so top secret anyway?
FineWolf@reddit
What I've personally done for systems that rely on TPM encryption for LUKS is add a password keyslot (the password is used to derive a key, so it's not as weak as you think it is, especially with a proper password), use cryptsetup luksHeaderBackup to have a copy of the LUKS header with the password keyslot, then delete the password keyslot.
Store the header backup somewhere safe.
If your TPM fails, you then have a way to recover the data.
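The recovery path described in the comment above, rehearsed on a scratch image file; this is an added example, not part of the original comment. The file names, passphrases and keyslot numbers are constructed, a plain key file stands in for the TPM-bound key, and the fast PBKDF settings exist only to keep the rehearsal quick.

```shell
#!/bin/sh
# Added example: rehearse the header-backup recovery path on a scratch image.
# Paths, passphrases and keyslot numbers are constructed for the demo; a plain
# key file stands in for the TPM-bound key, which this sketch does not enroll.

# Run cryptsetup quietly and without confirmation prompts.
cs() { cryptsetup --batch-mode "$@" >/dev/null; }

# recovery_header_demo WORKDIR
# Prints "backup=<ok|fail> live=<ok|fail>": does the recovery passphrase unlock
# the saved header, and does it still unlock the live header?
recovery_header_demo() {
    work=$1
    img=$work/disk.img
    backup=$work/header.bak
    # Fast PBKDF for the demo only; keep the default (Argon2id) on real disks.
    fast="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
    printf 'stand-in-for-tpm-bound-key' > "$work/primary.key"
    printf 'constructed recovery passphrase' > "$work/recovery.key"

    truncate -s 32M "$img" || return 1
    cs luksFormat --type luks2 $fast --key-slot 0 \
        --key-file "$work/primary.key" "$img" || return 1

    # 1. Add the recovery passphrase in keyslot 1.
    cs luksAddKey $fast --key-slot 1 \
        --key-file "$work/primary.key" "$img" "$work/recovery.key" || return 1

    # 2. Save the header while keyslot 1 still exists.
    cs luksHeaderBackup "$img" --header-backup-file "$backup" || return 1

    # 3. Remove keyslot 1 from the live header; the key file authorises it.
    cs luksKillSlot --key-file "$work/primary.key" "$img" 1 || return 1

    # 4. The saved header must still accept the recovery passphrase...
    if cs open --test-passphrase --header "$backup" \
        --key-file "$work/recovery.key" "$img"; then
        saved=ok
    else
        saved=fail
    fi
    # ...while the live header must now reject it.
    if cs open --test-passphrase \
        --key-file "$work/recovery.key" "$img" 2>/dev/null; then
        live=ok
    else
        live=fail
    fi
    # On a real disk the saved header would be put back with
    # "cryptsetup luksHeaderRestore", or used in place via --header as above.
    echo "backup=$saved live=$live"
}

# Run the rehearsal when cryptsetup is installed.
# prints: backup=ok live=fail
if command -v cryptsetup >/dev/null 2>&1; then
    demo_dir=$(mktemp -d) && recovery_header_demo "$demo_dir"
    rm -rf "$demo_dir"
fi
```

The header backup contains a working passphrase keyslot, so it needs the same protection as the passphrase itself. A backup taken before a later re-encryption of the volume no longer matches the data.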
r4t3d@reddit
Why would you lose your data by using encryption?
Slight_Manufacturer6@reddit
If the encryption key gets lost. I've seen it happen a few times.
scottwsx96@reddit
A few times? I call BS. Please explain the scenarios. I've been using FDE for 15 years at home and at work and have never seen it happen except on user-encrypted USB devices, which are nearly obsolete anyway.
Slight_Manufacturer6@reddit
I've been in IT services providing IT services to a couple thousand PCs for over a decade. You see a lot of things in this line of work. I'm not just managing my home computers.
scottwsx96@reddit
I've been in tech in IT and security for 25 years, in regulated individuals as well. Never once seen or even heard of TPMs losing keys except from you.
Slight_Manufacturer6@reddit
You are correct that the risk of disk failure is way more common and that is what backups are for… but when you don't store anything sensitive on your personal home desktop, what is the benefit to encrypting?
If it is important or critical, it is stored on the NAS and replicated to other locations. It isn't so much the loss of critical data being lost but the pain to restore the less critical data.
scottwsx96@reddit
What is the benefit to not encrypting? I said elsewhere in this thread that the argument for encryption is far stronger than any argument against.
Slight_Manufacturer6@reddit
Well, pretty much the only thing I do on my home desktop is play Steam Games.
Sometimes I will do a little graphic editing but that gets saved on the NAS and it is pretty much just for fun.
Pros/Cons of encrypting the drive
Pros: I can't come up with any Pros for my use case... There isn't anything worth protecting from theft. I can give you a copy of my drive if you want... doesn't matter.
Cons: If the encryption key gets lost, for example, the TPM gets corrupt or malfunctions, I lose all the games. It isn't a permanent loss, as I can just login to Steam and download them again but the time to download all those games again would be a huge time suck.
So, really, I see no point in encrypting my home desktop.
friskfrugt@reddit
Tell me you have no backups without telling me you have no backups
Slight_Manufacturer6@reddit
I do. I use UrBackup backup doing full system backups (and PBS for Proxmox servers) to a Synology NAS and then backed up to the Synology and then replicated to the Synology cloud, but I would rather not rely on a backup if I don't have to. They are there more for disaster recovery purposes.
friskfrugt@reddit
Like TPM crapping itself
Slight_Manufacturer6@reddit
Sure… if I am encrypting my drives. But if I am not encrypting them, it makes the restore far easier.
Now you get it.
necheffa@reddit
I'm not entirely sure what you are doing but it is best for everyone if you stop providing advice on encryption and backups.
At no point should losing access to a key be any different than suffering a house fire or something along those lines, in terms of data recovery.
FattyDrake@reddit
If the backups aren't encrypted it doesn't make sense to encrypt the originals. If you're likely to forget an encryption password, encrypting backups has the same problem.
Slight_Manufacturer6@reddit
It isn't the encryption password I see get lost, it's the encryption key often due to an issue with TPM.
FattyDrake@reddit
True! Tho I've seen non-TPM keys get lost due to accidentally being erased without backups.
I guess the takeaway would be backups are generally a higher priority than encryption.
Glittering-Dog5380@reddit
Tell me you are hiding child porn on your computer without telling me you are hiding child porn /s
theksepyro@reddit
I myself have lost an encryption password before and don't trust myself not to be a moron again
DudeWithaTwist@reddit
That's why you have encrypted backups stored elsewhere. A TPM failing is less likely than a drive failing.
Slight_Manufacturer6@reddit
Less likely, but it does happen and I'm not storing any top secret stuff on my home desktop anyway.
DudeWithaTwist@reddit
Fair enough, but if you're worried about losing data you should just be backing up anyway.
Slight_Manufacturer6@reddit
Backing up is always important, but I'd rather not have to rely on that if I don't have to… far better to retain the original when possible.
It's a call everyone needs to make for themselves. All IT security is about balancing functionality with data protection and business continuity.
Ok_Pickle76@reddit
I don't use disk encryption because I have a desktop PC. If someone I don't trust is in my house and has access to my PC, my disk is the least of my concerns
thatgeekfromthere@reddit
Everything gets encrypted with Luks. Delete the key and the disk and it's as good as destroyed via a drill press
SaintEyegor@reddit
If the device doesn't support native encryption we use LUKS.
FunAware5871@reddit
Personally I go for encryption whenever I can. It's always nice to know no one can access my personal data or backups.
The only unprotected devices I keep unencrypted are the pi I use for media playback (I want to be able to turn on without plugging in a keyboard) and my steam deck.
lelddit97@reddit
Yes, I use encryption on everything. I have money and there is all sorts of valuable data on the filesystem. The odds of encryption mattering are like one in a million, but that's a high enough percentage for me to do it.
RearAdmiralP@reddit
When I weigh the probability and impact of someone else gaining access to my hardware, reading the data off storage, and using it to harm me against the probability and impact of me being unable to recover encrypted data on my own system after some kind of fault, I generally come down on the side of "no encryption".
Royale_AJS@reddit
Yes. Everywhere, on everything.
varsnef@reddit
I would use encryption for this reason. I would want more than what file permissions can provide.
qrushless@reddit
So another program couldn't encrypt it.
atiqsb@reddit
When you are using Unix/Linux, unless you're a tycoon or high profile high net worth person, you think a petty thief will try to extract your data and try to educate what filesystem you are using and meddle with your OS? I don't think so!
If you don't have high stake data maybe spare the pain?
IrrerPolterer@reddit
Yes. Cause a bunch of my client's data is on that laptop
SouthEastSmith@reddit
What do you mean by a shared device?
Do you mean having multiple logins to the PI?
Or do you mean sharing an external hard disk?
I didn't know Fedora would install on a PI.
I would not encrypt your disk since it seems you are just getting started.
Maykey@reddit
Nah. My laptop is greedy for energy already, I don't want to spend even 0.1% of its battery in exchange for inconvenience.
If my laptop will be stolen, I expect it'll be sold, not browsed.
FunnySmellingCousin@reddit
For my desktop? Not really, if someone gets unauthorized access to the hard drive that is in my house I will probably have bigger problems to worry about.
For my laptop? Absolutely
DPD-@reddit
One day I booted a live linux on my friend's computer, chrooted on his drive, created a hidden user with sudo access, and created an ssh key. I used it to make him some pranks. Imagine if I was not a friend but an ill-intentioned. Encryption would have prevented this.
nicman24@reddit
I mean I don't know that thieves know what zfs is, so that is a de facto encryption lol
DPD-@reddit
Encryption is not only useful to prevent data being stolen, but also for security reasons. It is told that the only safe computer is the one powered off, but I say neither it is safe. For example one could boot a live linux and chroot in your drive, being effectively root on your computer! Obviously if the drive is encrypted this is not possible. So yes I always encrypt all my drives: the ones with data (and backups) as well as the ones with system.
duxking45@reddit
The short answer is no. I have borked a piece of hardware multiple times and had to do disk forensics to get my data. (I should backup more, but I never do.) It then just adds another step to get around.
SynapticMelody@reddit
Not encrypting doesn't save you from data loss if you don't practice basic backup and recovery procedures and simultaneously compromises security for only a slight increase in convenience.
duxking45@reddit
I understand critical stuff is backed up to the cloud I just don't do it as diligently as I should
Fabulous_Silver_855@reddit
I use full disk encryption because I value my privacy and security.
Fabulous_Silver_855@reddit
I use full disk encryption on my laptop and my desktop.
DarkeoX@reddit
It's such an easy thing to set up that just keeps working that I don't really see why not. I/O hasn't been a bottleneck for me and CPUs have accelerated instructions for it so for me it's standard part of a setup.
justargit@reddit
Yes. Every single one of them.
If I mess up and forget a key then oh well, I deserve it. Losing my key has happened before and does it suck...not really. Use a password manager and a yubi key. Go put recovery keys in a safe or safety deposit box at the bank.
It is vital that everyone keeps good security in mind. It might seem like a pain but once you get used to it then it will become second nature and it won't bother you.
Learning to tie your shoes was a pain when you first had to learn it. First you have to put socks on, put your foot into a shoe and start wrapping 2 strings into a weird knot...it seemed like a lot until you did it all the time.
mrlinkwii@reddit
Don't use it, I don't enable password on boot, because it's a desktop and it's not moving anywhere
FattyDrake@reddit
True! I've seen non-TPM keys get lost tho due to being erased unknowingly without backups of those too.
I guess whatever the case is, backups are generally a higher priority than encryption.
Comfortable_Swim_380@reddit
I think it is better to encrypt sensitive data not the drive personally.
Adorable-Fault-5116@reddit
Yes, on everything. Even my gaming desktop PC. It's accelerated these days, so basically transparent performance wise outside highly specific benchmarks.
On linux specifically, I use LUKS and type my password on boot, then have KDE auto login.
jlobodroid@reddit
Complicated for a server; there is a way to enable encryption remotely, but you have to do it manually. I use it on everything where it can be used, for now LUKS/VeraC/BitLocker, but I intend to test TPM on Linux to make it more practical, and the criterion is always whether you have confidential/sensitive information on the HD
AmarildoJr@reddit
I use LUKS on LVM, which is why most distros are a NO for me since some idiot decided to encrypt the boot partition as well which made the boot process moronic since you need to input the password once for encrypted GRUB (which takes 40 seconds to decrypt, because the people behind it are brainless) and once for the encrypted LVM setup.
sniff122@reddit
Yeah, because I'm on a laptop it could theoretically be stolen (unfortunate and unlikely to happen though), so if that were to happen I don't want anyone to get access to my data, or worse tamper with the OS to inject malware.
I have a separate password for my drive encryption and login password too. I've never actually looked at LUKS on the raspberry pi, you'd need to recreate the root partitions with LUKS and EXT4 inside and clone back all of the files though, then setup crypttab, etc
sashisemattahametsu@reddit
Yep, I use it on pretty much everything (home/work desktop, external drives, even USB sticks and SD cards etc.)
Because encryption is love, encryption is life.
Yellow_Tie@reddit
In my laptop yes, lvm + luks
vancha113@reddit
No, for the main reason that its an extra layer of complexity, and any added bit of complexity is another link in the chain. A chain is as strong as its weakest link.
I don't need it, so why would I enable it? No one gets to use my devices but me, I don't take my desktop anywhere so I won't assume it'll get stolen. As for my laptop, well, it's an old piece of junk thinkpad from 2009, so kind of the same story.
If it'll get stolen, ever, well I guess then that would suck.
HankOfClanMardukas@reddit
No.
mrazster@reddit
No, because I'm not paranoid and I'm fresh out of tinfoil hats.
Virtual_Search3467@reddit
No. There's no reason to.
fde is useful only for devices that are shut down. Turn on, enter access credentials, it's transparent and functionally useless. Turn device off and you're safe if someone nabs the storage with or without pc in addition to it.
My Linux boxes are pretty much always on, so fde doesn't do anything.
in addition it's making backups less reliable. Just a few bits being flipped means your entire backup is useless. Therefore, backups get stored decrypted and are secured in some other way.
it's entirely possible to encrypt on the file level (no you cannot encrypt directories, these do not technically exist). But you can also set access permissions. Whether ACLs suffice or not is up for debate - I'd say it's something everyone has to decide on their own - personally I'm happy enough removing the r flag and call it good.
out of scope of this thread is transport security - that's where things actually get interesting. Data at rest is interesting only off site.
disclaimer; I'd at least sit down and think about what to do with cloud nodes that are hosted somewhere outside my control - as is usually the case. Of course you can't enter credentials on these when they come up.
Without putting too much thought into it… I'd say maybe it'd be okay not to encrypt those either, assuming a strict separation of code and data and then go, what's the point of encrypting portage when everyone has access to it anyway. Anything else, like services that actually do host specific data, it should be safe to deploy keys at startup and then mount data volumes using these.
But I'd still try to avoid the "global" option and secure only the things that actually need to be secure.
EndlessProjectMaker@reddit
In your work/travel laptop certainly
Ultimate_Hope_@reddit
No, but it's because I'm lazy and didn't understand stuff very well when I started using Linux 2 years ago. I should probably look into it
sensitiveCube@reddit
Yes, no exceptions
ZamiGami@reddit
Nope
If someone breaks in long enough to take my drives I have bigger problems, and I don't have mobile devices beyond my deck, and I don't have any important stuff on it
necrophcodr@reddit
I don't. If I need encryption, I would rather add it on using a container file such as VeraCrypt or whatever is functional. At the filesystem level absolutely not. I used to, but now what matters more is being able to restore any data, and I've had enough of issues with slight corruption in encrypted volumes to ensure that my data be accessible.
If it'll get stolen, the systems will get wiped anyway.
SynapticMelody@reddit
Do you not practice basic backup and recovery procedures?
necrophcodr@reddit
Not every hour, no. Restoring a backup is good for data that has existed for a while, but any important data that has only existed briefly, is lost without a data recovery strategy outside of backup restoration.
NordschleifeLover@reddit
Yes. Security.
Gasp0de@reddit
Yes, full disk encryption, enter password twice.
oneesan_with_van@reddit
Use legacy systems and mess up the system files often so not having disk encryption is a life saver for getting my files back from broken OS.
And before you ask, what the hell I do to get my system broken often? One word. Mint based distro so Kernel panic. Old nvidia Driver issues etc.
I don't use Disk encryption for my home computers but office laptop Hell yeah, it's nice and they enabled it by default. I have a personal laptop that I take with me on occasions and that's also encrypted. So Yes except for my Home PCs and a Laptop - turned into PC post battery issues lol. When was the last time you saw a LG laptop? No hope for a battery replacement.
roboticgolem@reddit
I'm overly paranoid about it and do encrypt everything. Just in case someone breaks in and steals everything.
I'm not sure how it works on a pi tho... but most installers I've seen ask during the install. I've been meaning to look into a solution that'll use a security key rather than a passphrase but right now I'm ok.
jeremyckahn@reddit
Yes, always. I treat data on unencrypted drives as public data (which is to say, I avoid it).
DudeWithaTwist@reddit
Yea. I setup PiKVM and when my server restarts, I manually enter the drive password. It just gives me another layer of security and it's not inconvenient.
thephotoman@reddit
For all but disposable devices.
Like, I don't encrypt my SD cards on a Raspberry Pi I use for tinkering and not for any of my personal accounts. But that's because there's nothing of mine on them. The system is disposable. I'm likely to re-image it in a month anyway. The same goes for disposable virtual machines.
But any primary device (server, desktop, laptop, phone), I do use FDE.
Reetpeteet@reddit
Your comprehension is still off, let's fix that. :)
Even on a system that has full-disk encryption, other users can still read each other's directories if they have permissions.
Full-disk encryption applies to the full disk. ;) Either the whole disk is open, or it's not.
What you want is encryption of (some of) your files. There's a number of ways of doing it.
But! If you're on a shared device and you setup the permissions and ownerships of files and users correctly, they will not be able to touch each other's files. Unless they have root access (like via "sudo").
sxdw@reddit
Or unless they boot from USB...
Reetpeteet@reddit
Yes, fair point. :)
meckez@reddit
I use zfs as my file system and encryption is one of the feature it provides.
It also makes regular snapshots and can be easily configured with syncoid to automatically backup my system to another device.
sinfaen@reddit
Is it possible to setup encryption in a way allowing for a remote reboot?
djao@reddit
Yes, LUKS+TPM.
Kruug@reddit
I do not.
The moment you login/power on the device, your entire disk is unlocked.
If you use directory-level or file-level encryption, files and directories are only unlocked when you need them, and then locked as soon as you close out the last handler.
You end up being more secure.
djao@reddit
That's a good argument for using directory/file level encryption, but it doesn't explain why you still don't use full disk encryption. You can use both, you know.
adamkex@reddit
I only encrypt my /home partition on my laptop. The threat model I face are thieves and not nation states or corporations so I don't see the need of encrypting anything else. This way I minimise performance loss.
UffTaTa123@reddit
Yeah, I use since 15 years a small debian VM for my private but "official" stuff. Documents, tax-formulars, bank account stuff, like that. And I use a dedicated /home/ drive which I have encrypted, so I could carry it with me on a USB-stick whenever I went travelling, carrying my whole office securely with me.
FrostyDiscipline7558@reddit
For desktops, I luks2 fde, then use home directory encryption for each user.
slickyeat@reddit
Always. LUKS + Veracrypt for the Windows partition.
natermer@reddit
I will only use disk encryption on laptops that I am likely to end up traveling with or have stuff from work.
Modern encryption doesn't degrade raw read/write bulk performance very much, but it does impact random reads and writes quite a bit.
I also don't leave sensitive information floating around my home directory either. No unencrypted password files, netrc files, AWS tokens randomly floating around, or anything like that.
rabbit_in_a_bun@reddit
No. All my work, .rcfiles .config etcetera is on github, and a VPN that needs both a phone and a hardware token to access work. It's a work laptop so as long as they don't force me, they can shove it.
shaakunthala@reddit
Yes, on the laptop I use as a server for Home Assistant.
No, on the RP4 which I'm using to host OctoPrint. (I mostly print free downloaded models)
Anything that hosts sensitive data such as local security camera footage will be encrypted and have batteries so that temporary power outages don't knock them offline.
Why?
I don't think burglars are dumb anymore.
bobcontrol@reddit
Yes, always when technically possible. If for nothing else, then at least only for the reason that if the storage goes faulty, you can toss it or send it to e-waste and not worry about what was there on it, and who is now able to read it.
Mister_Magister@reddit
yes.
because I can, and because why not? Fuck anyone trying to access data offline
pangapingus@reddit
Yes and Debian's Encrypted LVM setup on install is ezpz enough
deadbeef_enc0de@reddit
I have both full disk encryption and secure boot enabled on my desktop and laptop. Do I need to, probably not (laptop debatable), but it was a learning experience and good to know generally I think.
For a raspberry pi I don't know if I would do encryption on it because anything I would do with it probably didn't need to be encrypted. But if you are using it for personal stuff like a computer you should consider it
A good resource on Linux things in general is the Arch Linux wiki, it won't always work for your distribution (or hardware, say a raspberry pi) but it's a good starting place for information on how it works and how to set it up
r4t3d@reddit
Yes, because there is quite simply no reason not to, unless you use a CPU which doesn't support AES-NI or similar niche edge cases.
Everyone should encrypt by default imho.
xte2@reddit
Yes
Mostly for privacy in case of hw theft
On extremely low spec iron might be a bit of overhead, but I fail to see positive reasons not to encrypt...
zfs (root) encryption with encrypted swap zvol with NixOS, autologin thereafter.
Beautiful_Ad_4813@reddit
I ALWAYS use encryption
necheffa@reddit
FDE everywhere.
It's an insurance policy.
daemonpenguin@reddit
This is only true if your home directory has its permissions set improperly OR someone removes the disk from your computer and reads it. (Or uses a live disc.)
Basically, either your home directory permissions are wrong or someone has physical access to your computer with the ability to add/remove disks.
If your computer is in a relatively secure area and you have your home directory set up so only you can read it, then there isn't much point in using disk encryption. It just makes upgrading harder later.
For computers you travel with or are in insecure locations then encryption makes sense. Usually this is just a checkbox in the install process.
Alternatively, if you already set up your computer, you can use a file vault to save sensitive files without encrypting your whole disk.
JerryRiceOfOhio2@reddit
my desktop, no . my work laptop, full disk encryption because work policy says i have to. on most distros, it's just a checkbox on the install screen, so very easy
badboy3001_@reddit
I always opt for full-disk encryption when it comes to portable devices, particularly laptops. You can let the device's TPM chip handle decryption during boot, which keeps things both safe and smooth
Jak1977@reddit
Luks and dmcrypt. Arch has the best docs on the topic, whether you use arch or not.