I was recently intrigued to learn that only half of the respondents to a survey said that they used disk encryption. Android, iOS, macOS, and Windows have been increasingly using encryption by default. On the other hand, while most Linux installers I’ve encountered include the option to encrypt, it is not selected by default.
Whether it’s a test bench, beater laptop, NAS, or daily driver, I encrypt for peace of mind. Whatever I end up doing on my machines, I can be pretty confident my data won’t end up in the wrong hands if the drive is stolen or lost and can be erased by simply overwriting the LUKS header. Recovering from an unbootable state or copying files out from an encrypted boot drive only takes a couple more commands compared to an unencrypted setup.
But that’s just me and I’m curious to hear what other reasons to encrypt or not to encrypt are out there.
I used to, but it’s proven to be a pain more often than a blessing. I’m also of the opinion that if a bad actor capable of navigating the linux file system and getting my information from it has physical access to my disk, it’s game over anyway.
I’m also of the opinion that if a bad actor capable of navigating the linux file system and getting my information from it has physical access to my disk, it’s game over anyway.
I am sorry but that is BS. Encryption is not easy to break like in some Movies.
If you are referring to that a bad actor breaks in and modifies your hardware with for example a keylogger/sniffer or something then that is something disk encryption does not really defend against.
That’s more what I mean. They won’t break the encryption, but at that point with physical access to my home/ computer/ servers, I have bigger problems.
There’s very little stored locally that could be worse than a situation where someone has physical access to my machine.
Its that simple.
I can expand my own creativity and store every thought and creative Art, without anybody being able to find out after my death or while someone raids me.
Maybe I stored an opinion against some president, and maybe the government changed its working, which allows police to raid someone for little suspection.
You never know if you ever have something to hide. While things are okay now and today, it might be highly illegal tomorrow.
Those are ideas. But generally its only about the feeling of privacy.
I started encrypting once I moved to having a decent number of solid state drives as the tech can theoretically leave blocks unerased once they go bad. Before that my primary risk factor was at end of life recycling which I usually did early so I wasn’t overly concerned about tax documents/passwords etc being left as I’d use dd to write over the platters prior to recycling.
This is the primary reason for me as well. Drive disposal. Also since we only get electronic statements, want to encrypt those.
You got me curious. Passwords yeah, but tax documents? Why?
This was a few drives ago but there was a point in time when most places were giving me digital copies of tax documents which I could upload to tax prep software but things like TurboTax didn’t have an auto import. So you’d need to download them then re-upload them to the correct service. Now they do it automatically so the only thing that would match that now now is receipts for expenses/donations and what not that I need to keep track of for manual entry.
I don’t have FDE (BitLocker) enabled on my Windows 11 gaming PC. It sits in my house and has nothing on it but video games and video game related shit. I don’t even have my password manager installed for logging in to Steam, GoG or whatever other launcher. I manually type passwords in from the vault on my phone if the app doesn’t support QR code login like discord. Also I paid for this ridiculous m.2 nvme drive, I’m not going to just give up iops bc i want my game install files encrypted.
I don’t use FDE on my NAS. Again it doesn’t leave my house. I probably should I guess, bc there is some stuff on there that would cause me to have industry certs revoked if they leaked, but idk I don’t. Everything irreplaceable is backed up off site, but the down time it would take to rebuild my pirated media libraries from scratch vs just swapping disks and rebuilding has me leery.
I have FDE enabled on both my MacBooks. They leave the house with me, it seems to make sense.
I don’t use FDE on Linux VMs I create on the MacBooks, the disk is already encrypted.
My iphone doesn’t have the option to not use FDE I don’t think.
I use encrypted rsync backups to store NAS stuff in the cloud. I use a PGP key on my yubikey to further encrypt specific files on my MacBooks as required beyond the general FDE.
i’d really like to. but there is ONE big problem:
Keyboard layouts.
seriously
I hate having to deal with that. when I set up my laptop with ubuntu, I tried at least 3 thymes to make it work, but no matter what I tried I was just locked out of my brand-new system. it cant just be y and z being flipped, I tried that, maybe it was the french keyboard layout (which is absolutely fucked) or something else, but it just wouldnt work.
On my mint PC I have a similar problem with the default layout having weird extra keys and I just sort of work around that, because fuck dealing with terminals again. (when logged in it works, because I can manually change it to the right one.)
Now I do have about a TerraByte of storage encrypted, just for the… more sensitive stuff…
While dealing with the problems I stumbled across a story of a user who had to recover their data using muscle-memory, a broken keyboard, the same model of keyboard and probably a lot of patience. good luck to that guy.
Have you tried peppermint or maybe coriander?
Jokes aside, I believe the password entry stage is before any sort of localization happens, meaning what your keyboard looks like doesn’t matter and the input language defaults to English. You have to type as if you’re using an English keyboard. That’s hardly a good solution if you’re unfamiliar with that layout of course.
Initrd has support to configure the keyboard layout used. Consult your initrd generator’s documentation for this
Yes, and for the life of me I don’t understand why there isn’t a default LUKS with hibernate partition in the Debian installer.
It’s one of those things where it depends on the computer. My old box that’s running win 7 has nothing but music and backed up media files on it, isn’t connected to the internet at all, and there’s really no point to it being encrypted.
My laptop leaves the house, and is connected, so it gets the treatment. My general purpose PC is, though that was more just because of a random choice rather than a carefully chosen decision. I figured I’d try it for a few weeks, then nuke it if it was a problem. It hasn’t been, and I haven’t needed to do anything to it that would require a change.
The other people in the house have chosen not to.
I’m not certain I would encrypt my main desktop again, just because it’s one more thing to do, and I’m getting lazy lol. I don’t have any sensitive files at all, and if things in the world get so bad that some agency is after me, I’m going to be hiding out up in this holler I know, not worrying about leaving a computer behind. Won’t be power anyway, and the only shit they’d find is some pirated files.
I’d be more worried about my phone and my main tablet than any of the PCs, and those would either go with me, or get melted down before I left. Thermite is cheap and easy.
Yes. I encrypt because theft. I know PopOS and Mint make it 1-click ez. …unless of course you want home and root on a separate drives. That scales difficulty real fast. There’s plenty of tutorials, and I managed, but I had to patch together different ones to get a basic setup-- Never mind understanding exactly what I did and repeating it (the latest challenge I’ve been dragging my feet on). I do hope this is an area that sees more development in the near future.
That does make encryption was less appealing to me. On one of my machines / and /home are on different drives and parts of ~ are on yet another one.
I consider the ability to mount file systems in random folders or to replace directories with symlinks at will to be absolutely core features of unixoid systems. If the current encryption toolset can’t easily facilitate that then it’s not quite RTM for my use case.
laptop yeah
desktop nah
Same here. My desktop is in a controlled environment, so I don’t see a need. Plus, if I do have some sort of issue, I will still be able to access those files.
Since I actually take my laptop places, I have that encrypted for sure.
Yeah me too. It goes back to your threat level. How likely is it that someone is going to break into my home to steal my desktop all James Bond-like? The answer is, “not very.” Anything mobile has a significantly higher probability of falling into the wrong hands. These things are encrypted. Even the very old laptop that never leaves my house is encrypted because it could.
I don’t do it for my desktop because 1) I highly doubt my desktop would get stolen. 2) I installed Linux before I was aware of encryption, and don’t have any desire to do a reinstall on my desktop at this time.
For my laptop, yes, I do (with exception of the boot partition), since it would be trivial to steal and this is a more recent install. I use clevis to auto-unlock the drive by getting keys from the TPM. I need to better protect myself against evil maids, though - luckily according to the Arch Wiki Clevis supports PCR registers.
Because it requires generating, memorizing and entering a secure password. Because Linux typically doesn’t support fingerprint readers or other biometrics.
You can just store the key in your TPM and then you don’t have to memorize anything.
Yes absolutely, it is the building block of my security posture. I encrypt because I don’t want thieves to have access to my personal data, nor do I want law enforcement or the state to have access if they were to raid my house. I’m politically active and a dissident so I find it vital to keep my data secure and private, but frankly everybody should be doing it for their own protection and peace of mind
I used to, but then I nuked my install accidentally and I couldn’t recover the encrypted data. I nuke my installs fairly regularly. I just did again this past week while trying to resize my / and my /home partitions. I’ve resigned myself to only encrypting specific files and directories on demand.
My phone is fully encrypted though.
Your recovery problem was a backup issue not an encryption issue. Consider addressing the backup issue.
I have and I’ve concluded that I’m not made of money and therefore can’t afford to have multiple terabyte drives just lying around with redundant data just in case.
If I could afford it, then I wouldn’t have been resizing my ‘/’ partition to free up 80GB of space.
I encrypt everything that leaves my house since it could be easily lost or stolen, but it is rather inconvenient.
If someone breaks into my house, I’ve got bigger problems than someone getting their hands on my media collection. I think it would be more likely for me to mess something up and loose access to my data than for someone to steal it.
Of course, I’m paranoid and don’t trust the US government. Or any government really. “First they came for _____” and all that; Id rather just tell them to pound sand immediately instead of get caught with my pants down.
