I was recently intrigued to learn that only half of the respondents to a survey said that they used disk encryption. Android, iOS, macOS, and Windows have been increasingly using encryption by default. On the other hand, while most Linux installers I’ve encountered include the option to encrypt, it is not selected by default.
Whether it’s a test bench, beater laptop, NAS, or daily driver, I encrypt for peace of mind. Whatever I end up doing on my machines, I can be pretty confident my data won’t end up in the wrong hands if the drive is stolen or lost and can be erased by simply overwriting the LUKS header. Recovering from an unbootable state or copying files out from an encrypted boot drive only takes a couple more commands compared to an unencrypted setup.
But that’s just me and I’m curious to hear what other reasons to encrypt or not to encrypt are out there.
I don’t encrypt because it’s too much effort to learn about it.
Id rather keep my filesystem unencrypted so that I can easily recover from problems and encrypt important files as needed, but let’s be real I don’t do that either.
Depends on the use case. Definitely for my laptop though. In fact the decryption keys only exist in two places:
- Inside my TPM
- In a safe deposit box at a bank.
Yep. Everything except my server, which needs to be able to boot without my help. Because why not? I rarely ever reboot anything, so it doesn’t really hurt, and if anyone steals my shit they won’t get my wife’s noods.
I used to, but not anymore, except for my laptop I plan on taking with me travelling. My work laptop and personal laptop are both encrypted.
I figure my home is safe enough, and I only really need encryption if I’m going to be travelling.
Exactly the same rationale as mine.
I do encrypt my drives, and it’s not as transparent in Linux as it is in the others. I’m sure I could get a TPM setup for seamless boots, but I haven’t done that yet.
For mobile drivers, I still encrypt, but that locks them to one OS since LUKS isn’t cross platform. There is VeraCrypt for cross-platform encryption, but that’s one more thing to manage and install.
I do on all my devices that can as a matter of practice, not for any real threat. I’m interested to learn about how to set it up and use it on a daily basis including how to do system recoveries. I guess it’s largely academic.
Once I switched to linux as my daily driver, I didn’t have a need to do piracy anymore since all the software I need is FOSS.
No, I don’t encrypt. I am a grown ass man and I rarely take my laptop out of my home. I don’t have any sensitive data on my various machines. I do use secure and encrypted cloud services to store things that I consider a security risk. Everything else is useless to a potential intruder.
Most mobile/laptop devices should be encrypted by default. They are too prone to loss or theft. Even that isn’t sufficient with border crossings where you are probably better off wiping them or leaving them behind.
My desktop has no valuable data like crypto, sits in a locked and occupied house in a small rural community with relatively low crime (public healthcare, social security, aging population). I have no personal experience of property theft in over half a decade.
I encrypt secrets with a hardware key. They are only accessed as needed. This is a much more appropriate solution than whole disk encryptiom for my circumstances. Encrypting Linux packages and steam libraries doesn’t offer any practical benefit and unlocking my filesystem at login would not protect from network exfiltration which is a more realistic risk. It adds overhead.and another point of failure for no real benefit.
Yes. I have sensitive info in my PC (work credentials) and in the case of a break-in, last thing I want is to jeopardize my job.
I do not as I do not have any sensitive data and what data is sensitive are the digital documents which are securely encrypted by default via id card and its passwords.
If I start having something worth protecting I will turn on fedoras encryption. But until then anyone who manages to steal my 100 eur thinkpad and guess its password is welcome to try out linux and see if they like it I guess.
They don’t need to guess the password. If you don’t have full disk encryption I can just run another is in live mode and mount your drive and read everything. And even change the password to your fedora, by changing the hash in shadow file
oh no, if they changed the password and I got it back somehow, I could finally have an excuse to try out mint.
Asahi Linux doesn’t support encryption and getting it to work requires a lot of steps and that I reinstall it which I don’t have time for, so I don’t have it enabled on my laptop, and if it gets stolen or confiscated I’m fucked.
I have it enabled on my server and phone.
@sudoer777 @monovergent , create an encrypted container? It’s a little tedious, but fairly distro agnostic.
Edit: Definitely throw together scripts to simplify the process of unlocking and mounting.
I don’t encrypt my entire drive, but I do have encrypted directories for my sensitive data. If I did encrypt an entire drive, it would only be the drive containing my data not the system drive.
I wanted to but everyone on Lemmy told me I was an idiot for wanting a feature Mac and Windows have had for a decade (decrypt on login) .
But seriously it’s just not there on Linux yet. Either you encrypt and have two passwords, or give up convenience features like biometrics. Anything sensitive lives somewhere else.
You’re an idiot, go back to macOS you fucking normie
(/s, I’m also waiting for TPM encryption + user home encryption)
Clevis pretty much does TPM encryption and is in most distros’ repos. I use it on my Thinkpad. It would be nice if it had a GUI to set it up; more distros should have this as a default option.
You do have to have an unencrypted boot partition, but the issues with this can at least in be mitigated with PCR registers, which I need to set up.
How hard is clevis to setup?
I’ve seen it referenced for encrypted servers, but I haven’t tried setting it up.
Unencrypted boot is unfortunate. What are PCR registers?
My issue is that I can never remember “a couple more commands” for the life of me. And I use Arch BTW, so the likelihood of me needing those is a bit higher than usual.
My drives are not encrypted because it’s a hassle if things start going wrong. My NAS is software raid so the individual disks mean nothing anyway. The only drive that is encrypted is my backup disk and I’m not really sure if it was needed.
