I was recently intrigued to learn that only half of the respondents to a survey said that they used disk encryption. Android, iOS, macOS, and Windows have been increasingly using encryption by default. On the other hand, while most Linux installers I’ve encountered include the option to encrypt, it is not selected by default.
Whether it’s a test bench, beater laptop, NAS, or daily driver, I encrypt for peace of mind. Whatever I end up doing on my machines, I can be pretty confident my data won’t end up in the wrong hands if the drive is stolen or lost and can be erased by simply overwriting the LUKS header. Recovering from an unbootable state or copying files out from an encrypted boot drive only takes a couple more commands compared to an unencrypted setup.
But that’s just me and I’m curious to hear what other reasons to encrypt or not to encrypt are out there.
Of course, I’m paranoid and don’t trust the US government. Or any government really. “First they came for _____” and all that; Id rather just tell them to pound sand immediately instead of get caught with my pants down.
deleted by creator
deleted by creator
They don’t need to guess the password. If you don’t have full disk encryption I can just run another is in live mode and mount your drive and read everything. And even change the password to your fedora, by changing the hash in shadow file
deleted by creator
Yes absolutely, it is the building block of my security posture. I encrypt because I don’t want thieves to have access to my personal data, nor do I want law enforcement or the state to have access if they were to raid my house. I’m politically active and a dissident so I find it vital to keep my data secure and private, but frankly everybody should be doing it for their own protection and peace of mind
yes. if you live in a country without democracy. it is the only way to protect yourself and your data from nsa agent kicking your door.
I encrypt my home folder and Windows install just in case someone breaks into my house and steals my computer. Super annoying entering my password each boot though.
I don’t, I didn’t do it back then and I ended up using this system for much longer than I thought I would(4+ years). I want to do it next time but I don’t feel like reinstalling just for that.
Good news, you can use cryptsetup to do it in place! https://unix.stackexchange.com/questions/444931/is-there-a-way-to-encrypt-disk-without-formatting-it
I would strongly encourage people to encrypt their on site data storage drives even if they never leave the house and theft isn’t a realistic thing that can happen.
The issue is hard drive malfunction. If a drive has sensitive data on it and malfunctions. It becomes very hard to destroy that data.
If that malfunctioning hard drive was encrypted you can simply toss it into an e-waste bin worry free. If that malfunctioning drive was not encrypted you need to break out some heavy tools tool ensure that data is destroyed.
If your drive starts malfunctioning, then without encryption you might be able to read some sectors and recover a few things. With encryption you are SOL.
If that malfunctioning drive was not encrypted you need to break out some heavy tools tool ensure that data is destroyed.
If by heavy tools, you mean a screwdriver and an angle grinder, then yeah, but it’s not that hard in reality.
1 torx screwdriver 1 hammer
not the hardest thing to scratch up the platters and then fold them into abstract art
I don’t bother to take out the screws. I just drill handful of holes trough the whole thing. Or if you’re really paranoid a MAP torch is enough to melt the whole thing (don’t breath the smoke).
True. This does work. But it is less secure and much harder than just tossing an encrypted HDD into an e-waste bin. It probably is more fun though. 🤔
Great point.
I provided reasons why I encrypted my drives but this one is even better.
(Another one could be if you need to get your computer to a repair shop, and for some reason you can’t just remove the drive.)
I just encrypt devices that leave the house. I do have access to a hard drive crusher if I lose a drive (recently crushed a tablet that wouldn’t power on)
My Laptop and Phone have encrypted drives, my Desktop doesn’t.
I encrypt everything that leaves my house since it could be easily lost or stolen, but it is rather inconvenient.
If someone breaks into my house, I’ve got bigger problems than someone getting their hands on my media collection. I think it would be more likely for me to mess something up and loose access to my data than for someone to steal it.
I don’t wanna risk losing anything on the drive thats important .
That is a good reason to backup, but has nothing to do with encryption.
That is a good reason to backup
This is true.
but has nothing to do with encryption.
I disagree with this. If you forget the password for decrypting your drive, then you will have lost “anything on the drive that’s important”. I know because it happened to me long ago, and so now I too have been wary of disk encryption ever since then.
Encryption and backup are orthogonal domains. If you don’t understand why, I’m sure you’re not going to take a random strangers’ opinion on the subject.
Mind expanding just a bit through? IMHO it’s not orthogonal in the sense that either your backups are :
- unencrypted and thus your is are safe (you have copies you can access despite losing your keys) but not secure (someone else can read the content too)
- encrypted and thus your data is NOT safe if you lose your keys but secure
Isn’t it?
I meant if I lose my encryption key I lose the data on the disk.
That is a good reason to backup, but has nothing to do with encryption.
(For real though I have a backup of all of my drive LUKS headers stored on several media types on and off site.)
How would backing up help with that, though, assuming the backups are also encrypted?
I meant if I lose my encryption key I lose the data on the disk.
If they lose the key they lose the data in the backups, too. So that concern is not a good reason to backup, in my eyes.
Then, if the backups are not encrypted, then doesn’t that undermine the value of encrypting your drive/user data partition in the first place?
May i suggest a technique for remembering the password?
write it down
but instead of writing down the password, write down questions that only you can reasonably answer. For example:
- what was the name of the first girl i kissed?
- where did i go to on summer camp?
- which special event happened there?
and the answer would be: “mary beach rodeo” or idk what. this way, you construct a password out of multiple words that each are an answer to a simple question.
mary beach rodeo
thank you for sharing your password 😜
Maybe I might try this, and am open to advice :)
Every endpoint device I use is using full disk encryption, yes.
I was recently intrigued to learn that only half of the respondents to a survey said that they used NO disk encryption.
Is the other half alright?
Yes.
If my computers are stolen or lost with the luggage, or if I suddenly die (as one sometime does), I don’t want whoever goes through my computers to get hold of my ex-girlfriends nudes, my credentials for online banking or my porn habits.
I don’t think I encrypt my drives and the main reason is it’s usually not a one-click process. I’m also not sure of the benefits from a personal perspective. If the government gets my drives I assume they’ll crack it in no time. If a hacker gets into my PC or a virus I’m assuming it will run while the drive is in an unencrypted state anyway. So I’m assuming it really only protects me from an unsophisticated attacker stealing my drive or machine.
Please educate me if I got this wrong.
is it’s usually not a one-click process
It is, these days. Ubuntu and Fedora, for example. But you still have to select it or it won’t happen. PopOS, being explicitly designed for laptops, has it by default.
If the government gets my drives I assume they’ll crack it in no time.
Depends on your passphrase. If you follow best practice and go with, say, a 25-character passphrase made up of obscure dictionary words, then no, even a state will not be cracking it quickly at all.
If a hacker gets into my PC or a virus I’m assuming it will run while the drive is in an unencrypted state anyway.
Exactly. This is the weak link of disk encryption. You usually need to turn off the machine, i.e. lose the key from memory, in order to get the full benefits. A couple of consolations: (1) In an emergency, you at least have the option of locking it down; just turn it off - even a hard shutdown will do. (2) As you say, only a sophisticated attacker, like the police, will have the skills to break open your screenlocked machine while avoiding any shutdown or reboot.
Another, less obvious, reason for encrypting: it means you can sell the drive, or laptop, without having to wipe it. Encrypted data is inaccessible, by definition.
Encryption of personal data should be the default everywhere. Period.
Well said. LUKS implements AES-256, which is also entrusted by the U.S. government and various other governments to protect data from state and non-state adversaries.
GNOME disks is a nice GUI that lets you setup disks with ease. Encryption can be easily setup with it.
A big benefit of encryption is that if your stuff is stolen, it adds a lot of time for you to change passwords and invalidate any signed in accounts, email credentials, login sessions, etc.
This is true even if a sophisticated person steals the computer. If you leave it wide open then they can go right in and copy your cookies, logins, and passwords way faster. But if it’s encrypted, they need to plug your drive into their system and try to crack your stuff, which takes decent time to set up. And the cracking itself, even if it takes only hours, would be even more time you can use to secure your online accounts.
On Linux, my installs always had a checkbox plus a password form for the encryption.
I think this is true for computers that are in danger of being stolen. Laptops or PCs in dorms or other shared living spaces. But I live in a relatively secure area, burglaries are very rare and my PC never leaves the building. So the benefits of encryption are pretty much negligible.
What are the downsides to encryption? Though you may have negligible benefits, if there are also negligible downsides then the more secure option should be chosen.
- The LUKS encryption can get corrupted
- The password may be forgotten
- harddrives can be corrupted, too. That’s where backups come in
- True, though one could use a security key or password manager to overcome that, or setup secure boot/TPM to where a password isn’t actually needed. If all else fails, again, backups.
So when the laptop dies, the disk cannot be read anywhere because the tpm is lost?
Correct, the hard disk in the laptop can not be read. This is where having a good backup strategy is important. Similar to how if your hard disk dies you’re no longer able to access the material on the hard disk. For me, the downsides of encryption do not outweigh the benefits of having my data secure.
I enabled full disk encryption during OS installation, set up a secure passphrase, and then set up automated encrypted backups to my home server, which are automatically backed up to a remote server.
I gain peace of mind in knowing that if my laptop is stolen I’m only out the cost of the laptop, the data within is still safe and secure.
It is a one click process if you use user friendly distros
Absolutely. LUKS full disk encryption. Comes as an opt-in checkbox on Ubuntu, for example.
And I too cannot understand why this is not opt-out rather than opt-in. Apparently we’ve decided that only normies on corporate spyware OSs need security, and we don’t.
Because when shit breaks nobody wants to hear that their data is gone forever
People, listen to Juvenile and “back that thang up!” That man understand the importance of data redundancy.
And yet somehow on mobile, where most personal computing is now done, this is not a problem.
Because most of that data is synced to the cloud, icloud or Google photos.
Really? It’s not because users don’t have to remember another password?
Yep. Unfortunately that’s where we are.
There is a major downside to encryption: If you forget your password or your tpm fails and you’ve not backed things up, then that data is gone forever. If someone doesn’t have anything incriminating or useful to theives on their device, the easier reparability might justify not enabling it.
Why is this a problem for us and not for ordinary dummies on Android? It’s been the default there for years already.
Phones make the encryption invisible to the user.
That’s not the case on Linux unless you’re willing to put in a bit of work to set up TPM unlocking yourself or use one of the few distros that use TPM by default, like Aeon.
And even then Aeon’s not perfect. Sooner or later the TPM will fail and you’ll have to enter your long backup password and reenroll the TPM.
Yep. But typing in a password at boot is no big deal and you do then get some of the benefits of encryption. The problem, as you seem to be hinting, is the lockscreen issue. A screenlocked OS without the hardware encryption module is not actually locked down whereas Android, for instance, is. Is that right? I’ve wanted to ask how Android does this - basically, it loses the key and then regenerates it based on biometrics or whatever, each time you unlock, is that it?
Android backs up data to the cloud. If the phone breaks or gets stolen, you don’t need to recover data from it - you can just pull it from Google’s servers.
In addition, people tend to not treat their phones as “permanent storage”. The concept of losing or breaking their phone is probably more clear, so they make sure to back it up in some way to the cloud or their desktop.
Also, it’s much more likely for a phone to be stolen than a laptop or desktop.
Android has storage encryption by default?
Why do I only need to enter 1 password?
Why would you need to enter 2?
Well, usually you don’t need to enter any password.
I’m referring to a password to unlock the screen.
That’s because you’re probably using biometrics instead.
How would I know? I don’t have to use biometrics when I restart the phone.
