I was recently intrigued to learn that only half of the respondents to a survey said that they used disk encryption. Android, iOS, macOS, and Windows have been increasingly using encryption by default. On the other hand, while most Linux installers I’ve encountered include the option to encrypt, it is not selected by default.
Whether it’s a test bench, beater laptop, NAS, or daily driver, I encrypt for peace of mind. Whatever I end up doing on my machines, I can be pretty confident my data won’t end up in the wrong hands if the drive is stolen or lost and can be erased by simply overwriting the LUKS header. Recovering from an unbootable state or copying files out from an encrypted boot drive only takes a couple more commands compared to an unencrypted setup.
But that’s just me and I’m curious to hear what other reasons to encrypt or not to encrypt are out there.
I don’t wanna risk losing anything on the drive thats important .
That is a good reason to backup, but has nothing to do with encryption.
I meant if I lose my encryption key I lose the data on the disk.
That is a good reason to backup, but has nothing to do with encryption.
(For real though I have a backup of all of my drive LUKS headers stored on several media types on and off site.)
How would backing up help with that, though, assuming the backups are also encrypted?
I meant if I lose my encryption key I lose the data on the disk.
If they lose the key they lose the data in the backups, too. So that concern is not a good reason to backup, in my eyes.
Then, if the backups are not encrypted, then doesn’t that undermine the value of encrypting your drive/user data partition in the first place?
Just backup the LUKs header files. No need to encrypt them as they’re inherently secure as the hard drives they would originally reside on.
That is a good reason to backup
This is true.
but has nothing to do with encryption.
I disagree with this. If you forget the password for decrypting your drive, then you will have lost “anything on the drive that’s important”. I know because it happened to me long ago, and so now I too have been wary of disk encryption ever since then.
Encryption and backup are orthogonal domains. If you don’t understand why, I’m sure you’re not going to take a random strangers’ opinion on the subject.
Mind expanding just a bit through? IMHO it’s not orthogonal in the sense that either your backups are :
- unencrypted and thus your is are safe (you have copies you can access despite losing your keys) but not secure (someone else can read the content too)
- encrypted and thus your data is NOT safe if you lose your keys but secure
Isn’t it?
I keep backups (regular, incremental, remote) to keep my data safe in case something happens to my local data. This protects me from things like theft, hardware failure, accidental deletion of some important files. Having multiple generations (daily, weekly, monthly) will protect me when I delete some files and only realize weeks later.
All of this is a separated issue to having encryption or not. I encrypt both local and backup copies, and store the keys in a password manager.
See what works for you, but don’t confuse the issues.
TBH even the way you phrased your question kind of proves it’s orthogonal. Yes, you can have the full matrix:
encrypted | backed up ----------|---------- no | no no | yes yes | no yes | yesIn each case, you have a different set of problems.
- Encrypting a particular medium only means that it’s going to be harder to gain access to the data on that medium (harder for everyone, but trillions of less harder for someone who knows the password.
- That’s regardless of whether you also have a backup.
- Backing up just means that a copy of the data exists somewhere else.
- That’s regardless of whether this or the other copy is encrypted.
Sure, eventually, the nature of your data’s safety will be affected by both.
Disclaimer: I’m by no means a security expert, don’t take what I write here as advice!
Eg. I encrypt my disks. When I do, I basically encrypt everything, ie. all partitions (except /boot). Then on those partitions, most of the data is not worth backing up since it’s either temporary or can be easily obtained anyway (system files). Well, some of the data is backed up, and some of that even ends up on disks that are not encrypted (scary, I know!) :)
To be fair, just encrypting the disks does not solve all. If someone broke to my house, they would with almost 100% chance find my computer on, which means that the disks are not encrypted (technically still are, just that LUKS provides unencrypted versions as well…) So the barrier they would have to face would be basically just the desktop lock.
For that reason I don’t encrypt hard drives on my remote server, since the server is always running in a virtual environment so by definition anyone who’s maintaining the hardware can already open files from the unencrypted drives, ie. I think it would be pointless.
- Encrypting a particular medium only means that it’s going to be harder to gain access to the data on that medium (harder for everyone, but trillions of less harder for someone who knows the password.
May i suggest a technique for remembering the password?
write it down
but instead of writing down the password, write down questions that only you can reasonably answer. For example:
- what was the name of the first girl i kissed?
- where did i go to on summer camp?
- which special event happened there?
and the answer would be: “mary beach rodeo” or idk what. this way, you construct a password out of multiple words that each are an answer to a simple question.
Maybe I might try this, and am open to advice :)
mary beach rodeo
thank you for sharing your password 😜
I used to, but not anymore, except for my laptop I plan on taking with me travelling. My work laptop and personal laptop are both encrypted.
I figure my home is safe enough, and I only really need encryption if I’m going to be travelling.
One of my friends locked himself out of his PC and all his data because he forgot his master password, and I don’t want to do that myself lol
Exactly the same rationale as mine.
Depends on the use case. Definitely for my laptop though. In fact the decryption keys only exist in two places:
- Inside my TPM
- In a safe deposit box at a bank.
I wanted to but everyone on Lemmy told me I was an idiot for wanting a feature Mac and Windows have had for a decade (decrypt on login) .
But seriously it’s just not there on Linux yet. Either you encrypt and have two passwords, or give up convenience features like biometrics. Anything sensitive lives somewhere else.
You’re an idiot, go back to macOS you fucking normie
(/s, I’m also waiting for TPM encryption + user home encryption)
Clevis pretty much does TPM encryption and is in most distros’ repos. I use it on my Thinkpad. It would be nice if it had a GUI to set it up; more distros should have this as a default option.
You do have to have an unencrypted boot partition, but the issues with this can at least in be mitigated with PCR registers, which I need to set up.
How hard is clevis to setup?
I’ve seen it referenced for encrypted servers, but I haven’t tried setting it up.
Unencrypted boot is unfortunate. What are PCR registers?
(Note: Anything I say could be B.S. I could be completely misunderstanding this.)
Clevis isn’t too difficult to set up - Arch Wiki documents the process really well. I’ve found it works better with dracut that mkinitcpio.
As for PCR registers (which I haven’t set up yet but should), what I can tell, it sets the hash of the boot partition and UEFI settings in the TPM PCR register so it can check for tampering on the unencrypted boot partition and refuse to give the decryption keys if it does. That way, someone can’t doctor your boot partition and say, put the keys on a flash drive - I think they’d have to totally lobotomize your machine’s hardware to do it, which only someone who has both stolen your device and has the means/budget to do that would do.
You do need to make sure these registers are updated every kernel update, or else you’ll have to manually enter the LUKS password the next boot and update it then. I’m wondering if there’s a hook I can set up where every time the boot partition is updated, it updates PCR registers.
My Laptop and Phone have encrypted drives, my Desktop doesn’t.
Yes because it is one click
If I delete my drive, it is rubbish
It doesnt impact my performance much
I used to, but it’s proven to be a pain more often than a blessing. I’m also of the opinion that if a bad actor capable of navigating the linux file system and getting my information from it has physical access to my disk, it’s game over anyway.
I’m also of the opinion that if a bad actor capable of navigating the linux file system and getting my information from it has physical access to my disk, it’s game over anyway.
I am sorry but that is BS. Encryption is not easy to break like in some Movies.
If you are referring to that a bad actor breaks in and modifies your hardware with for example a keylogger/sniffer or something then that is something disk encryption does not really defend against.
That’s more what I mean. They won’t break the encryption, but at that point with physical access to my home/ computer/ servers, I have bigger problems.
There’s very little stored locally that could be worse than a situation where someone has physical access to my machine.
Because it requires generating, memorizing and entering a secure password. Because Linux typically doesn’t support fingerprint readers or other biometrics.
You can just store the key in your TPM and then you don’t have to memorize anything.
Is that near the TPS reports?
I don’t but admittedly I don’t do much stuff on my laptop that’s super secure. it’s mainly for gaming and the odd programming project.
I have no significant private data on my disks. They can be wiped whether encrypted or not if they’re stolen. And I like that in theory if my pc explodes I can recover the data with only the drive.
Yeah all my drives are encrypted with LUKS mostly because of home burglaries (bad area and whatnot). I still keep backups regardless on drives that are also encrypted
I encrypted my professional laptop’s drive in order to prevent access to company data and code in case of theft. And I’ll probably encrypt my personal laptop as well because the SSH key can access company code.
As for the desktop, I didn’t and probably never will, because theft is less likely and that would be a pain to handle for nightly backups (it is turned on with Wake-on-LAN and then a cron backs up my home directory to my NAS).
Finally, I won’t encrypt my NAS as well for the same reason: it would quickly become a hassle as I would have to manually decrypt the drives every time it boots after a power outage.
I don’t really see the point. If someone’s trying to access my data it’s most likely to be from kind of remote exploit so encryption won’t help me. If someone’s breaks into my house and steals my computer I doubt they’ll be clever enough to do anything with it. I guess there’s the chance that they might sell it online and it gets grabbed by someone who might do something, but most of my important stuff is protected with two factor authentication. It’s getting pretty far fetched that someone might be able to crack all my passwords and access things that way.
It’s far more likely that it’s me trying to recover data and I’ve forgotten my password for the drive.
I do, laptops and workstations.
It’s just too easy not to, and there’s almost no downsides to it. (I only need to reboot, once a month or two.)
Well, unless you consider the possibility of forgetting the password a downside, so for that reason I keep the password in a password manager.
In case my laptop was stolen, there would quite a couple fewer things to worry about. Especially things like client’s data which could be under NDA’s, etc…
I used to, but then I nuked my install accidentally and I couldn’t recover the encrypted data. I nuke my installs fairly regularly. I just did again this past week while trying to resize my / and my /home partitions. I’ve resigned myself to only encrypting specific files and directories on demand.
My phone is fully encrypted though.
Your recovery problem was a backup issue not an encryption issue. Consider addressing the backup issue.
I have and I’ve concluded that I’m not made of money and therefore can’t afford to have multiple terabyte drives just lying around with redundant data just in case.
If I could afford it, then I wouldn’t have been resizing my ‘/’ partition to free up 80GB of space.
