I was recently intrigued to learn that only half of the respondents to a survey said that they used disk encryption. Android, iOS, macOS, and Windows have been increasingly using encryption by default. On the other hand, while most Linux installers I’ve encountered include the option to encrypt, it is not selected by default.
Whether it’s a test bench, beater laptop, NAS, or daily driver, I encrypt for peace of mind. Whatever I end up doing on my machines, I can be pretty confident my data won’t end up in the wrong hands if the drive is stolen or lost and can be erased by simply overwriting the LUKS header. Recovering from an unbootable state or copying files out from an encrypted boot drive only takes a couple more commands compared to an unencrypted setup.
But that’s just me and I’m curious to hear what other reasons to encrypt or not to encrypt are out there.
My laptops are encrypted in case they get stolen or someone gets access to them at uni.
I encrypt all my drives. Me and the people I know get occasionally raided by the police. Plus I guess also provides protection for nosy civilians who get their hands on my devices. Unlike most security measures, there is hardly any downside to encrypting your drives—a minor performance hit, not noticeable on modern hardware, and having to type in a password upon boot, which you normally have to do anyway.
Where do you live that you’re getting raided by the police? This sounds like one of those situations where they might use the wrench technique.
I don’t want to say where I live for anonymity reasons, but I will note that it’s fairly standard for political dissidents to be raided by any government so it doesn’t actually particularly narrow down my location.
What’s the wrench technique?
Ah lol sure. It depends on what level of state repression you’re looking at. Regular cops will just not bother trying to decrypt a drive if they don’t have the password and you don’t freely give it up (you have the right to refuse to provide a password here, it’s under the same kind of principle as having the right to not incriminate yourself), but I’m sure military intelligence etc will go to the wrench technique. Also deniable encryption for anything particularly sensitive is good for the old wrench technique.
I started encrypting once I moved to having a decent number of solid state drives as the tech can theoretically leave blocks unerased once they go bad. Before that my primary risk factor was at end of life recycling which I usually did early so I wasn’t overly concerned about tax documents/passwords etc being left as I’d use dd to write over the platters prior to recycling.
You got me curious. Passwords yeah, but tax documents? Why?
This was a few drives ago but there was a point in time when most places were giving me digital copies of tax documents which I could upload to tax prep software but things like TurboTax didn’t have an auto import. So you’d need to download them then re-upload them to the correct service. Now they do it automatically so the only thing that would match that now now is receipts for expenses/donations and what not that I need to keep track of for manual entry.
I don’t for a pretty simple reason. I have a wife, if something ever happened to me then she could end up a creek without a paddle. So by not having it encrypted then, anyone kinda technical can just pull data off the drive.
If that’s the only reason, it’s not a great one. You could solve it by storing the password with your important documents.
I don’t think I encrypt my drives and the main reason is it’s usually not a one-click process. I’m also not sure of the benefits from a personal perspective. If the government gets my drives I assume they’ll crack it in no time. If a hacker gets into my PC or a virus I’m assuming it will run while the drive is in an unencrypted state anyway. So I’m assuming it really only protects me from an unsophisticated attacker stealing my drive or machine.
Please educate me if I got this wrong.
Edit: Thanks for the counter points. I’ll look into activating encryption on my machines if they don’t already have it.
is it’s usually not a one-click process
It is, these days. Ubuntu and Fedora, for example. But you still have to select it or it won’t happen. PopOS, being explicitly designed for laptops, has it by default.
If the government gets my drives I assume they’ll crack it in no time.
Depends on your passphrase. If you follow best practice and go with, say, a 25-character passphrase made up of obscure dictionary words, then no, even a state will not be cracking it quickly at all.
If a hacker gets into my PC or a virus I’m assuming it will run while the drive is in an unencrypted state anyway.
Exactly. This is the weak link of disk encryption. You usually need to turn off the machine, i.e. lose the key from memory, in order to get the full benefits. A couple of consolations: (1) In an emergency, you at least have the option of locking it down; just turn it off - even a hard shutdown will do. (2) As you say, only a sophisticated attacker, like the police, will have the skills to break open your screenlocked machine while avoiding any shutdown or reboot.
Another, less obvious, reason for encrypting: it means you can sell the drive, or laptop, without having to wipe it. Encrypted data is inaccessible, by definition.
Encryption of personal data should be the default everywhere. Period.
I wanted to but everyone on Lemmy told me I was an idiot for wanting a feature Mac and Windows have had for a decade (decrypt on login) .
But seriously it’s just not there on Linux yet. Either you encrypt and have two passwords, or give up convenience features like biometrics. Anything sensitive lives somewhere else.
You’re an idiot, go back to macOS you fucking normie
(/s, I’m also waiting for TPM encryption + user home encryption)
No. I break my system occasionally and then it’s a hassle.
This is one of those moments where “skill issue” fully applies 😁
Keep learning, friend, I’ve been there and Linux is a journey
No.
I spend a significant amount of time on other things, e.g. NOT using BigTech, no Facebook, Insta, Google, etc where I would “volunteer” private information for a discount. I do lock the physical door of my house (most of the time, not always) and have a password … but if somebody is eager and skilled enough to break in my home to get my disks, honestly they “deserve” the content.
It’s a bit like if somebody where to break in and stole my stuff at home, my gadgets or jewelry. Of course I do not welcome it, nor help with it hence the lock on the front door or closed windows, but at some point I also don’t have cameras, alarms, etc. Honestly I don’t think I have enough stuff worth risking breaking in for, both physical and digital. The “stuff” I mostly cherish is relationship with people, skills I learned, arguably stuff I built through those skills … but even that can be built again. So in truth I don’t care much.
I’d argue security is always a compromise, a trade of between convenience and access. Once you have few things in place, e.g. password, 2nd step auth, physical token e.g. YubiKeyBio, the rest becomes marginally “safer” for significant more hassle.
I don’t really see the point. If someone’s trying to access my data it’s most likely to be from kind of remote exploit so encryption won’t help me. If someone’s breaks into my house and steals my computer I doubt they’ll be clever enough to do anything with it. I guess there’s the chance that they might sell it online and it gets grabbed by someone who might do something, but most of my important stuff is protected with two factor authentication. It’s getting pretty far fetched that someone might be able to crack all my passwords and access things that way.
It’s far more likely that it’s me trying to recover data and I’ve forgotten my password for the drive.
laptop yeah
desktop nah
Yeah me too. It goes back to your threat level. How likely is it that someone is going to break into my home to steal my desktop all James Bond-like? The answer is, “not very.” Anything mobile has a significantly higher probability of falling into the wrong hands. These things are encrypted. Even the very old laptop that never leaves my house is encrypted because it could.
Same here. My desktop is in a controlled environment, so I don’t see a need. Plus, if I do have some sort of issue, I will still be able to access those files.
Since I actually take my laptop places, I have that encrypted for sure.
I don’t https://xkcd.com/538/
I’m convinced the chances of me losing access to the data are higher than encryption protecting it from a bad actor.
Let’s be real, full disk encryption won’t protect a running system and if someone has physical access and really wants it, encryption won’t protect you from the $5 wrench either.
I do encrypt my phone data though, as someone running away with my phone is more realistic.
Who’s gonna come at me with a $5 wrench because they really want my data, though? The attack I’m most likely to experience is someone stealing my laptop while I’m out traveling. That’s what full filesystem encryption solves best.
Or per XKCD, where are they finding a wrench for $5??
Here’s one for less than 4 USD. I imagine 150 mm in length would be sufficient.
Wow that’s cheap!
Watch out crypt nerds!
Edit: crypto, not crypt! Leaving it 🧟♀️
It’s much worse: They can re-use the same wrench.
(Disgusting, I know… 😝 )
It should be encrypted by default because most people don’t take care to dispose of their machines responsibly. I picked up a few machines destined for ewaste and the hard drives were full of tax returns.
Possibly overestimating the value of the data entrusted to me, but whenever I see that xkcd, I like to think that I at least have the option to remain silent and die with dignity if I really don’t want the contents of my disk out there.
If I remember correctly, some USA agency said torture is ineffective because you will talk, you like it or not. When you are asking someone for a thing they don’t know they will say a lie just to stop the pain. So I guess anyone will give their password with enough time
Well that took a turn
Looks like I’ll be reading more of this!
It’s great. And it just started updating again after almost 5 years of hiatus!
The humour is so dry I need to take it with a cup of tea or two. I love it.
Bro you browse that outside of a private window?
I’m not worried about getting raided by the KGB or anything like that, but break-ins happen and my computer equipment would be a prime target for theft.
I occasionally cycle my backup drives off-site, so I want those encrypted as well.
The cost of encryption is very close to zero, so I don’t even entertain the question of whether I should encrypt or not. I just encrypt by default.
Honestly… Why bother? If someone gains remote access to my system, an encrypted disk won’t help. It’s just a physical access preventer afaik, and I think the risk of that being necessary is very low. Encrypted my work computer because we had to and that environment also made it make more sense, I technically had sensitive customer info on it, though I worked at Oracle so of course they had to make it as convoluted and shitty as possible.
Absolutely. LUKS full disk encryption. Comes as an opt-in checkbox on Ubuntu, for example.
And I too cannot understand why this is not opt-out rather than opt-in. Apparently we’ve decided that only normies on corporate spyware OSs need security, and we don’t.
Because when shit breaks nobody wants to hear that their data is gone forever
And yet somehow on mobile, where most personal computing is now done, this is not a problem.
Because most of that data is synced to the cloud, icloud or Google photos.
Yep. Unfortunately that’s where we are.
There is a major downside to encryption: If you forget your password or your tpm fails and you’ve not backed things up, then that data is gone forever. If someone doesn’t have anything incriminating or useful to theives on their device, the easier reparability might justify not enabling it.
Why is this a problem for us and not for ordinary dummies on Android? It’s been the default there for years already.
Phones make the encryption invisible to the user.
That’s not the case on Linux unless you’re willing to put in a bit of work to set up TPM unlocking yourself or use one of the few distros that use TPM by default, like Aeon.
And even then Aeon’s not perfect. Sooner or later the TPM will fail and you’ll have to enter your long backup password and reenroll the TPM.
Yep. But typing in a password at boot is no big deal and you do then get some of the benefits of encryption. The problem, as you seem to be hinting, is the lockscreen issue. A screenlocked OS without the hardware encryption module is not actually locked down whereas Android, for instance, is. Is that right? I’ve wanted to ask how Android does this - basically, it loses the key and then regenerates it based on biometrics or whatever, each time you unlock, is that it?
Android has storage encryption by default?
Why do I only need to enter 1 password?
Why would you need to enter 2?
Well, usually you don’t need to enter any password.
I’m referring to a password to unlock the screen.
That’s because you’re probably using biometrics instead.
How would I know? I don’t have to use biometrics when I restart the phone.
