this post was submitted on 16 Jan 2025

153 points (98.7% liked)

Linux

49051 readers

1340 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago

MODERATORS

nooter692@lemmy.ml

AgreeableLandscape@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz

153

Do you encrypt your drives and why or why not? (lemmy.ml)

submitted 1 day ago by monovergent@lemmy.ml to c/linux@lemmy.ml

210 comments fedilink hide all child comments

I was recently intrigued to learn that only half of the respondents to a survey said that they used disk encryption. Android, iOS, macOS, and Windows have been increasingly using encryption by default. On the other hand, while most Linux installers I've encountered include the option to encrypt, it is not selected by default.

Whether it's a test bench, beater laptop, NAS, or daily driver, I encrypt for peace of mind. Whatever I end up doing on my machines, I can be pretty confident my data won't end up in the wrong hands if the drive is stolen or lost and can be erased by simply overwriting the LUKS header. Recovering from an unbootable state or copying files out from an encrypted boot drive only takes a couple more commands compared to an unencrypted setup.

But that's just me and I'm curious to hear what other reasons to encrypt or not to encrypt are out there.

top 50 comments

sorted by: hot top controversial new old

[–] shirro@aussie.zone 1 points 7 minutes ago

I think most mobile/laptop devices should be encrypted by default though even that isn't sufficient with border crossings where you are better off wiping them IMO. They are too prone to loss or theft.

My desktop has no valuable data like crypto, sits in a locked and occupied house in a small rural community with relatively low crime (public healthcare, social security, aging population). I have no personal experience of property theft in over half a decade.

I encrypt secrets with a hardware key. They are only accessed as needed. This is a much more appropriate solution than whole disk encryptuom for my circumstances. Encrypting Linux packages and steam libraries doesn't offer any practical benefit and unlocking my filesystem at login would not protect from network exfiltration which is a more realistic risk.

[–] notarobot@lemm.ee 1 points 1 hour ago

Yes. I have sensitive info in my PC (work credentials) and in the case of a break-in, last thing I want is to jeopardize my job.

[–] sudoer777@lemmy.ml 2 points 3 hours ago* (last edited 3 hours ago) (1 children)

Asahi Linux doesn't support encryption and getting it to work requires a lot of steps and that I reinstall it which I don't have time for, so I don't have it enabled on my laptop, and if it gets stolen or confiscated I'm fucked.

I have it enabled on my server and phone.

[–] soundconjurer@4bear.com 2 points 3 hours ago* (last edited 3 hours ago)

@sudoer777 @monovergent , create an encrypted container? It's a little tedious, but fairly distro agnostic.

Edit: Definitely throw together scripts to simplify the process of unlocking and mounting.

https://null-byte.wonderhowto.com/how-to/hide-sensitive-files-encrypted-containers-your-linux-system-0186691/

[–] bier@lemmy.blahaj.zone 1 points 3 hours ago

I made the mistake of not setting up encryption on my main 45TB zfs pool so I'm currently backing up everything on there to tape so I can recreate the pool (also need to change from mirrored to raidz) and then copying everything back to the drives. Although writing and reading each are around 6 days continuesly. Didn't want to bite the bullet and pay more then I absolutely had to and only got a LTO-4 drive and tapes.

[–] flork@lemy.lol 4 points 6 hours ago (1 children)

I wanted to but everyone on Lemmy told me I was an idiot for wanting a feature Mac and Windows have had for a decade (decrypt on login) .

But seriously it's just not there on Linux yet. Either you encrypt and have two passwords, or give up convenience features like biometrics. Anything sensitive lives somewhere else.

[–] isVeryLoud@lemmy.ca 3 points 5 hours ago (1 children)

You're an idiot, go back to macOS you fucking normie

(/s, I'm also waiting for TPM encryption + user home encryption)

[–] data1701d@startrek.website 1 points 4 hours ago

Clevis pretty much does TPM encryption and is in most distros' repos. I use it on my Thinkpad. It would be nice if it had a GUI to set it up; more distros should have this as a default option.

You do have to have an unencrypted boot partition, but the issues with this can at least in be mitigated with PCR registers, which I need to set up.

[–] endeavor@sopuli.xyz 0 points 3 hours ago (1 children)

I do not as I do not have any sensitive data and what data is sensitive are the digital documents which are securely encrypted by default via id card and its passwords.

If I start having something worth protecting I will turn on fedoras encryption. But until then anyone who manages to steal my 100 eur thinkpad and guess its password is welcome to try out linux and see if they like it I guess.

[–] AnnaFrankfurter@lemmy.ml 3 points 2 hours ago (1 children)

They don't need to guess the password. If you don't have full disk encryption I can just run another is in live mode and mount your drive and read everything. And even change the password to your fedora, by changing the hash in shadow file

[–] endeavor@sopuli.xyz 1 points 1 hour ago

oh no, if they changed the password and I got it back somehow, I could finally have an excuse to try out mint.

[–] bjwest@lemmy.ml 1 points 6 hours ago (1 children)

I don't encrypt my entire drive, but I do have encrypted directories for my sensitive data. If I did encrypt an entire drive, it would only be the drive containing my data not the system drive.

[–] renzev@lemmy.world 1 points 11 minutes ago

but I do have encrypted directories for my sensitive data

What do you use for encrypted directories? Ecryptfs?

[–] pixeltree@lemmy.blahaj.zone 7 points 9 hours ago (2 children)

Honestly... Why bother? If someone gains remote access to my system, an encrypted disk won't help. It's just a physical access preventer afaik, and I think the risk of that being necessary is very low. Encrypted my work computer because we had to and that environment also made it make more sense, I technically had sensitive customer info on it, though I worked at Oracle so of course they had to make it as convoluted and shitty as possible.

[–] kixik@lemmy.ml 1 points 1 hour ago (1 children)

Can you explain why if someone get access to your encrypted disk, they would have access to its contents?

[–] pixeltree@lemmy.blahaj.zone 1 points 1 hour ago

If someone can execute arbitrary code on my computer, it doesn't matter that the disk is encrypted, because I've already booted the machine up and entered the key. I'm certainly not the most cryptographically knowledge but using LUKS on Oracle Linux, I'd enter the key once while starting up, past that point there was no difference between an encrypted and unencrypted system. It seems logical to me, then, that if something can execute arbitrary code, it's after that point, so encryption won't matter to it. Encryption is more of a solution to someone physically obtaining your hard drive and preventing them from having access to the contents simply by plugging it into their system.

Or at least that's my understanding, please correct me if I'm mistaken.

[–] data1701d@startrek.website 2 points 4 hours ago (1 children)

You're somewhat right in the sense that the point of disk encryption is not to protect from remote attackers. However, physical access is a bigger problem in some cases (mostly laptops). I don't do it on my desktop because I neither want to reinstall nor do I think someone who randomly breaks in is going to put in the effort to lug it away to their vehicle.

[–] pixeltree@lemmy.blahaj.zone 1 points 34 minutes ago

Certainly didn't mean to say it's never useful, just not useful for me

[–] InFerNo@lemmy.ml 3 points 8 hours ago

My drives are not encrypted because it's a hassle if things start going wrong. My NAS is software raid so the individual disks mean nothing anyway. The only drive that is encrypted is my backup disk and I'm not really sure if it was needed.

[–] merthyr1831@lemmy.ml 2 points 8 hours ago

I don't but admittedly I don't do much stuff on my laptop that's super secure. it's mainly for gaming and the odd programming project.

[–] KrispeeIguana@lemmy.ml 1 points 8 hours ago

My issue is that I can never remember "a couple more commands" for the life of me. And I use Arch BTW, so the likelihood of me needing those is a bit higher than usual.

[–] utopiah@lemmy.ml 16 points 17 hours ago* (last edited 17 hours ago) (1 children)

No.

I spend a significant amount of time on other things, e.g. NOT using BigTech, no Facebook, Insta, Google, etc where I would "volunteer" private information for a discount. I do lock the physical door of my house (most of the time, not always) and have a password ... but if somebody is eager and skilled enough to break in my home to get my disks, honestly they "deserve" the content.

It's a bit like if somebody where to break in and stole my stuff at home, my gadgets or jewelry. Of course I do not welcome it, nor help with it hence the lock on the front door or closed windows, but at some point I also don't have cameras, alarms, etc. Honestly I don't think I have enough stuff worth risking breaking in for, both physical and digital. The "stuff" I mostly cherish is relationship with people, skills I learned, arguably stuff I built through those skills ... but even that can be built again. So in truth I don't care much.

I'd argue security is always a compromise, a trade of between convenience and access. Once you have few things in place, e.g. password, 2nd step auth, physical token e.g. YubiKeyBio, the rest becomes marginally "safer" for significant more hassle.

load more comments (1 replies)

load more comments