I encrypt all my drives. Me and the people I know get occasionally raided by the police. Plus I guess also provides protection for nosy civilians who get their hands on my devices. Unlike most security measures, there is hardly any downside to encrypting your drives—a minor performance hit, not noticeable on modern hardware, and having to type in a password upon boot, which you normally have to do anyway.
this post was submitted on 16 Jan 2025
92 points (100.0% liked)
Linux
1261 readers
75 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
Where do you live that you’re getting raided by the police? This sounds like one of those situations where they might use the wrench technique.
load more comments
(1 replies)
I don't wanna risk losing anything on the drive thats important .
May i suggest a technique for remembering the password?
write it down
but instead of writing down the password, write down questions that only you can reasonably answer. For example:
- what was the name of the first girl i kissed?
- where did i go to on summer camp?
- which special event happened there?
and the answer would be: "mary beach rodeo" or idk what. this way, you construct a password out of multiple words that each are an answer to a simple question.
load more comments
(1 replies)
laptop yeah
desktop nah
Same here. My desktop is in a controlled environment, so I don't see a need. Plus, if I do have some sort of issue, I will still be able to access those files.
Since I actually take my laptop places, I have that encrypted for sure.
Only encrypt the home partition, for the root partition it just unnecessarily slows down the system.
Also, I think, there could be different approaches instead of encryption. AFAIK, android doesn't use encryption underneath, but uses a semi-closed bootloader (which means, if you install a different OS, all user data gets wiped). I'm currently investigating the feasibility of such an approach in the long term.
Android definitely has encrypion, but it is just the user data not the programs. It you ever run mount on an android device you will see that it has lots of different partitions for that sort of stuff
load more comments
(1 replies)
I don't even know how to do it
Tick a box when installing some distros. Like OoenSUSE.
Never got it when installing Ubuntu. Any way of enabling it after install?
I dont believe it is possible to do after install
i'd really like to. but there is ONE big problem:
Keyboard layouts.
seriously
I hate having to deal with that. when I set up my laptop with ubuntu, I tried at least 3 thymes to make it work, but no matter what I tried I was just locked out of my brand-new system. it cant just be y and z being flipped, I tried that, maybe it was the french keyboard layout (which is absolutely fucked) or something else, but it just wouldnt work.
On my mint PC I have a similar problem with the default layout having weird extra keys and I just sort of work around that, because fuck dealing with terminals again. (when logged in it works, because I can manually change it to the right one.)
Now I do have about a TerraByte of storage encrypted, just for the... more sensitive stuff...
While dealing with the problems I stumbled across a story of a user who had to recover their data using muscle-memory, a broken keyboard, the same model of keyboard and probably a lot of patience. good luck to that guy.
I used to, but then I nuked my install accidentally and I couldn't recover the encrypted data. I nuke my installs fairly regularly. I just did again this past week while trying to resize my / and my /home partitions. I've resigned myself to only encrypting specific files and directories on demand.
My phone is fully encrypted though.
Your recovery problem was a backup issue not an encryption issue. Consider addressing the backup issue.
load more comments
(1 replies)
Of course, I'm paranoid and don't trust the US government. Or any government really. "First they came for _____" and all that; Id rather just tell them to pound sand immediately instead of get caught with my pants down.
I started encrypting once I moved to having a decent number of solid state drives as the tech can theoretically leave blocks unerased once they go bad. Before that my primary risk factor was at end of life recycling which I usually did early so I wasn’t overly concerned about tax documents/passwords etc being left as I’d use dd to write over the platters prior to recycling.
This is the primary reason for me as well. Drive disposal. Also since we only get electronic statements, want to encrypt those.
load more comments
(2 replies)
I encrypt my laptop and desktops and I think it’s worth it. I regret encrypting my servers because they need passwords to turn on.
Yeah all my drives are encrypted with LUKS mostly because of home burglaries (bad area and whatnot). I still keep backups regardless on drives that are also encrypted
I don't for a pretty simple reason. I have a wife, if something ever happened to me then she could end up a creek without a paddle. So by not having it encrypted then, anyone kinda technical can just pull data off the drive.
Give her and your personal representatives the keys or access to the keys. Problem solved.
Same problem as you passwords and password manager.
load more comments
(2 replies)
I was recently intrigued to learn that only half of the respondents to a survey said that they used NO disk encryption.
Is the other half alright?
I always encrypt my computer SSD as well as my external backup drive. I just wish that when installing a Linux distro and when selecting encryption that it would work with multiple drives
Yeah, on my laptop - because I travel with it and confidential data (like from my customers) could land in hands its not supposed to
No, in case of my desktop, because it's easier to access it in case of failure
My thinking is similar. I've seen this news story more than once:
laptop stolen containing customer data... hard drive was not encrypted
I don't generally have customer data, but it can happen every once in a while.
Yes, and for the life of me I don't understand why there isn't a default LUKS with hibernate partition in the Debian installer.
Yes. I encrypt because theft. I know PopOS and Mint make it 1-click ez. ...unless of course you want home and root on a separate drives. That scales difficulty real fast. There's plenty of tutorials, and I managed, but I had to patch together different ones to get a basic setup-- Never mind understanding exactly what I did and repeating it (the latest challenge I've been dragging my feet on). I do hope this is an area that sees more development in the near future.
No. I prefer the quickest way to share my data between different computers and operating systems on my home network. I will also mention that my network is not accessible over the internet.
Speaking as someone who doesn't encrypt their desktop but is thinking about it:
you can't share (readable) data over one's home network if the sending PC is disk-encrypted?
For example, are you saying that if I send a video file from my PC, which is disk-encrypted, over LAN to my NAS, then the NAS would not be able to read said file?
Disk encryption does not impact file sharing over the network.
Sure if you sharing by a USB portable drive you have to unlock and lock it every time you use it. That is separate thing though.
The bigger issues of encryption are one should have a good backup and recovery plan both for media and for the keys. One has to consider legacy planning too. How do your personal representatives access.
load more comments
(1 replies)
load more comments
(1 replies)
I encrypt my laptop and desktops and I think it’s worth it. I regret encrypting my servers because they need passwords to turn on. I couldn’t figure out how to handle it when away.
Do your servers have TPM? Clevis might be the way to go; I use it on my Thinkpad and it makes my life easy. If the servers don’t have TPM, Clevis also supports this weird thing called Tang, which from what I can tell basically assures that the servers can only be automatically decrypted on your local network. If Clevis fails, you can have it fall back to letting you enter the LVM password.
I have not tried any of those three things: TPM, Clevis, or Tang. Thanks for recommending.
I tried to setup a keyfile on /, /boot, and /root.
I tried a keyfile on a usb
I also tried to use dropbear to allow ssh unlock.
Sadly these didn’t work and drove me crazy for two nights.
Cryptab should help.
I tried it. Wonder if I was doing something dumb…
Did you get it working, if your boot is encrypted (I think) then I think you may have a hard time. Its been about 7 years since I did it. But you can have fstab and crypttab setup to pass the password.
That’s what I was trying to do. I think I encrypted everything as it was my second plain Linux server, not unraid or truenas. I didn’t get it working
load more comments
(1 replies)
I have stopped encrypting my drives, because if anything goes wrong and the system won't boot it makes recovery more difficult. It's a dual boot machine with Windows 11, and I had a lot of awkwardness with Bitlocker that led to me deciding to abandon encryption in both OSs. I save sensitive files to encrypted volumes in VeraCrypt.
load more comments
(3 replies)
I encrypted my professional laptop's drive in order to prevent access to company data and code in case of theft. And I'll probably encrypt my personal laptop as well because the SSH key can access company code.
As for the desktop, I didn't and probably never will, because theft is less likely and that would be a pain to handle for nightly backups (it is turned on with Wake-on-LAN and then a cron backs up my home directory to my NAS).
Finally, I won't encrypt my NAS as well for the same reason: it would quickly become a hassle as I would have to manually decrypt the drives every time it boots after a power outage.
No need as none of them are networked
Yes because it is one click
If I delete my drive, it is rubbish
It doesnt impact my performance much
Doesn't Pop have that by default? I think others have too.
Anyway, yes for basically everything. Except my servers main partition, because otherwise recovering from crashes would be horribly annoying or unsafe if I'd use cryptssh. And if the dns+dhcp/gateway/VPN server crashes I'd definitely need 22 open.
Mostly I don't, but I want to start to. I only have one laptop encrypted and of course I keep my phones encrypted.
I don't do it for my desktop because 1) I highly doubt my desktop would get stolen. 2) I installed Linux before I was aware of encryption, and don't have any desire to do a reinstall on my desktop at this time.
For my laptop, yes, I do (with exception of the boot partition), since it would be trivial to steal and this is a more recent install. I use clevis to auto-unlock the drive by getting keys from the TPM. I need to better protect myself against evil maids, though - luckily according to the Arch Wiki Clevis supports PCR registers.
I encrypt my home folder and Windows install just in case someone breaks into my house and steals my computer. Super annoying entering my password each boot though.
I don’t have FDE (BitLocker) enabled on my Windows 11 gaming PC. It sits in my house and has nothing on it but video games and video game related shit. I don’t even have my password manager installed for logging in to Steam, GoG or whatever other launcher. I manually type passwords in from the vault on my phone if the app doesn’t support QR code login like discord. Also I paid for this ridiculous m.2 nvme drive, I’m not going to just give up iops bc i want my game install files encrypted.
I don’t use FDE on my NAS. Again it doesn’t leave my house. I probably should I guess, bc there is some stuff on there that would cause me to have industry certs revoked if they leaked, but idk I don’t. Everything irreplaceable is backed up off site, but the down time it would take to rebuild my pirated media libraries from scratch vs just swapping disks and rebuilding has me leery.
I have FDE enabled on both my MacBooks. They leave the house with me, it seems to make sense.
I don’t use FDE on Linux VMs I create on the MacBooks, the disk is already encrypted.
My iphone doesn’t have the option to not use FDE I don’t think.
I use encrypted rsync backups to store NAS stuff in the cloud. I use a PGP key on my yubikey to further encrypt specific files on my MacBooks as required beyond the general FDE.
Because it requires generating, memorizing and entering a secure password. Because Linux typically doesn't support fingerprint readers or other biometrics.