This makes a world of difference. I know many people may know of it but may not actually do it. It Protects your files in case your computer is ever stolen and prevents alphabet agencies from just brute forcing into your Laptop or whatever.
I found that Limine (bootloader) has the fastest decryption when paired with LUKS at least for my laptop.
If your computer isn’t encrypted I could make a live USB of a distro, plug it into your computer, boot, and view your files on your hard drive. Completely bypassing your Login manager. If your computer is encrypted I could not. Use a strong password and different from your login
Benefits of Using LUKS with GRUB Enhanced Security
- Data Protection: LUKS (Linux Unified Key Setup) encrypts disk partitions, ensuring that data remains secure even if the physical device is stolen.
- Full Disk Encryption: It can encrypt the entire disk, including sensitive files and swap space, preventing unauthorized access to confidential information.
Compatibility with GRUB
- Unlocking from Bootloader: GRUB can unlock LUKS-encrypted partitions using the cryptomount command, allowing the system to boot securely without exposing sensitive data.
- Support for LVM: When combined with Logical Volume Management (LVM), LUKS allows for flexible partition management while maintaining encryption.
Setting up full-disk encryption on a Steam Deck with an on-screen keyboard should definitely be an option during SteamOS installation, but it’s a pain as it stands. It’s my only Linux device not using LUKS.
Pointless for gaming devices, nothing to hide on them, there will also be a small overhead for nothing.
Correct, nothing to hide because nobody gets their games from the high seas.
Dang, if those agencies ever see my Civilization 4 save games, I’ll be so royally embarrassed that I spent so much time on it that they could blackmail me to anything.
Seems a lot of distros put it under an advanced section in the installer, but I think the “advanced” option should be not enabling full-disk encryption, meaning you know what you’re doing and have assessed the risk.
Ideally, yes. The problem is that the non-advanced users then get prompted for their encryption key and then it’s “What are you talking about, I never set that up, what do you mean you can’t recover the photos of my grandkids!”
Set up full backups you can reliably recover with before doing this.
With Luks there are several situations you can end up in where you can’t just pop your disk out and pull files from it, removing a first response to many common hardware failures.
and prevents alphabet agencies from just brute forcing into your Laptop or whatever
Inserting relevant XKCD as is required by internet law: https://xkcd.com/538/
idk man, but I’d still much rather have encryption, even if I’m up against the alphabet boys:
- They’ll be up a creek if I escape, die, or vanish into the woods first
- If I hid a disk somewhere, I’d rather know they found it when they come to torture me, than have it inspected without hearing a word
- If all else fails, they’ll at least have to expend a modicum of effort and resources to fight me
You know you’re fucked if they use a wrench. That means you don’t have to be seen publicly ever again. There’s a chance for you if they’re using a rubber hose…
Not much good if they only have your laptop and not you.
Removed by mod
Encrypting your drives is a very sensible step to take, and it’s so low effort that it’s a no brainer in most cases. It’ll stop casual thieves stealing you machine and reading your files, and combining your password with a TPM encrypted one will mean your data isn’t readable on any machine except yours, even if the attacker has your password, which adds a little extra protection.
Unfortunately, none of that protects you against an adversary who is willing to kidnap and torture you to get your files. At that point you have to make a choice, which is more important; your files or your life/not being tortured. Fortunately, most people will never be in that situation, so should encrypt their drives and accept they’ll reveal their encryption passphrase if taken hostage/arrested.
A more common case I’ve heard of is law enforcement using face id without permission. They can also compel people to give up passwords too which is why duress passwords and panic buttons exist to wipe everything
You want to think very carefully before giving a duress password, or using a destructive panic button when dealing with law enforcement. If you do, you will be charged with, at least, destruction of evidence. You have to decide if your data is worth that. A duress password that only decrypts part of your data is probably safer if twinned with deniable encryption, although you still risk legal trouble.
This is in the US, in a lot of countries, even in EU ones, refusing to reveal your password is used as part of the case against you (not as proof but as a suspicious attitude that can, combined with other facts, bring a certainty of culpability).
So be careful and check out your local laws before following US laws concerning this.
Yeah thanks pal. It helps you from someone who doesn’t know your password. You all give the most extreme examples. That example applies to biometrics, normal passwords without encryption, bank pins, etc. What was the point of saying it? What technology would help you from that
I was actually largely agreeing with you, but responding to the bit where you said:
It Protects your files in case your computer is ever stolen and prevents alphabet agencies from just brute forcing into your Laptop or whatever.
It’ll stop alphabet agencies from brute forcing it, sure, but that’s not how they would approach extracting the information.
I see ~
you’ve~ the mod has deleted this comment thread though, so it’s unlikely anyone else will see it.As to your question about what technology would stop it, I think you may need to think differently as no technology will stop a determined enough opponent torturing you for a password, but they’re much more likely to attempt a malware style attack against you to skip all that bother. So countermeasures would involve a well locked down system (think about things like SELinux with MLS enabled and using VMs to isolate processes) and good information hygiene practices to reduce the risk of infection and the risk of it spreading if you are infected.
the thread is visible here, just a single comment was deleted
I know this. Was never confused about it. You just came out of no where telling me. I don’t delete comments, look at how many people try to debate me, those comments are still up and still stupid lol. Also luckily the FBI or CIA or whatever demon inspired agency won’t just torture you as an everyday citizen doesn’t matter what they want on your top. If it was that bad the USA would be JUST like North Korea. Here they have some rules still they are just burning them away as the years go by.
I edited my comment, it was the mod who deleted your comment.
I don’t see many people debating you, but I do see a number of comments, including my own, that are pointing out things that need to be considered, or expanding on what you’d said. I don’t see much that could be called ‘stupid’, but you seem to be carrying a lot of pent up frustration and anger. You’ll probably find you have much more productiv£ and pleasant exchanges if you dump that on other people though.
One need only read or watch the news to know that a disturbingly large number of people are being abducted, predominantly under the umbrealla of ICE, but also for political reasons. It seems likely that if an agency has interest in the data of someone like that, presure of various sorts will be brought to bear on them. Most people will hand over their passwords long before the threat of physical violence is manifested, but the threat is there none-the-less. As you say, this won’t apply to most everyday citizens, for now at least.
Ultimately, it’s a case of setting up your security posture to match your own threat models. Encryption is an excellent step, but only addresses some threats, online attacks being the most obvious set that it does not help with.
Here is the guide for Fedora: https://docs.fedoraproject.org/en-US/quick-docs/encrypting-drives-using-LUKS/
Also: back in the day, you could wipe a drive with GNU Shred or just “dd if=/dev/zero of=/dev/hda”. SSDs and NVMe drives have logic about where and what to overwrite that makes this less effective, leading to the possibility of data recovery from old drives. If the data is always encrypted at rest and the key is elsewhere (not on the drive, in a yubikey or TPM chip or your head), then the data is not recoverable.
From what I understand, some modern drives effectively encrypt everything at rest, but have the key on file internally so it decrypts transparently. This allows for a fast “wipe” where it just destroys the key instead of having to overwrite terabytes.
that presumes trust in the drive manufacturer and their firmware
I found that Limine (bootloader) has the fastest decryption when paired with LUKS at least for my laptop.
Limine does not have decryption, that’s just the linux kernel.
how is the state of TPM unlocking atm? i don’t do it because i use my computer remotely, and having to locally unlock it would break the setup. on my laptop sure, always encrypted.
You can have your machine unencrypt using the TPM module, have a look at clevis for example. Once you’ve got it set up you can pretty much forget it’s there.
Pretty much all beginner friendly distros have this thing (Fedora Debian Ubuntu Mint). You just have to enable it. Also make sure if you are using secure boot - remove Microsoft keys and generate your own. Also its nice to have bios password setup too.
Watch out about removing Microsoft’s keys! Some video drivers (nvidia) will only work with Microsoft’s keys and you might brick your system. Only remove Microsoft’s keys if you know what you’re doing.
It’s easy-- if you install on a single drive. If you want home on a separate drive, encryption is not so easy, and you have to learn about cryptsetup, crypttab, etc. Quite a steep learning curve compared to the installer. I do hope distros provide better coverage of this in the future. Having home on a separate drive and encrypted is just good practice.
I did not know this about secure boot, I always just disabled it.
I’ve been doing that since like was first introduced as a separate library already. I don’t know better than that all my files are encrypted since well over a decade, probably almost two
Also: encrypt everything you upload to the cloud with Cryptomator or something like that. I amazes me I used to put stuff directly in my pCloud folder.
Cryptomator is good but it’s important also to keep backups of the unencrypted content of the Cryptomator vault that are not encrypted by Cryptomator. (You could encrypt the backups with another system.) Cryptomator vaults are more fragile than the underlying file system, and it’s easier for a glitch in the sync process to corrupt them so they’re unrecoverable. I have lost data due to this in the past. So it’s best to make sure all the contents of your vaults also exist somewhere else, encrypted in another way.
I used borg for my backups, but why do you say Cryptomator vaults are fragile?
Because he experienced data loss, as he says?
It’s not that they’re especially fragile. It’s really only when you combine them with a sync process. I once had a sync go wrong and it resulted in the contents of a vault being unreadable. Because all you have are a bunch of encrypted files with meaningless names and a flattish structure, which Cryptomator interprets and mounts as a different directory structure, when something goes wrong it’s not easy to know where in the vault files the problem lies. You can’t say “ah, I’m missing the documents folder so I’ll restore that one from backup” like you could with an unencrypted directory. And if you’ve made changes since the last vault backup you can’t just restore the whole vault either. You could mount a backup of the vault from a time when it was intact, and then copy files across into your live copy, but I feel safer having a copy in another format somewhere else. Not necessary, I guess, but it can make recovery easier.
Ok, I understand. In my particular use case that shouldn’t be an issue. My Cryptomator folder is local and I use it only locally. Then there’s a sync process to copy stuff to pCloud automatically, but that copy is never touched directly by my.
But in any case as you said, backups.
easy to use gui backup utilities (like pika and déjà dup) can also encrypt its backups
Facts. I put everything on cloud (mega only) compressed with AES-256
compressed with AES-256
I guess you mean encrypted.
No I meant compressed, it comes with the encryption.
AES-256 is just an encryption algorithm, it doesn’t do any compression on it’s own, so it’s not quite right to say its compressed with it. Really it was compressed, then afterwards encrypted with AES-256.
Sigh. I said i compress with AES-256. I compress my files with the compression that encrypts it. Just as the screenshot shows. (Compression+AES-256) I’m the OP of this post. Give me more credit. I know they are two different things. I think you just didn’t get what I was trying to say
I said i compress with AES-256
To avoid confusion you could say, “along with”, or fully say, “I encrypt with AES-256 as I compress, in one step”.
It’s not necessarily about what you know, but about what readers will understand. (For example, someone who doesn’t know better might read what you wrote and think there is some way to compress using AES-256 and go down a rabbit hole.)
I understood what you meant, I was just pointing out that what you said was incorrect. Even in your reply you said
I compress my files with the compression that encrypts it.
Which is still not entirely correct. The compression is not doing any encrypting. They are two separate processes that the tool you are using is presenting as a single step for convenience. You seem to know what you are talking about, and I happen to know about cryptography, but as someone else in the thread mentioned not everyone knows how these things work. If we are trying to spread knowledge and tips in this community (like your post is doing) then I just saw this as an opportunity to clarify something that was incorrect. Not for your benefit, but for others.
The same issue applies to Windows 10. I think the TPM (and a BIOS password) is supposed to address this for Windows 11 but I presume you could flush the NVRAM and access the files anyway. I don’t know what exact safeguards there are.
Either way, I am far more trustful of passwords I enter myself. Such as wafersGeezAfterCraze.
TPM uses parts of your system like hardware configuration, bios version, can even use parts of the OS, to generate a hashcode to decrypt your drive, so if anything gets replaced it wont automatically decrypt. what this allows is to have a much more complex decryption key and allows you to rely on OS security and much simpler passwords to protect your data because your OS (which cannot be replaced without breaking TPM) will protect against brute force attacks with retry delays and limits.
I think I know how this works with rEFInd, but I haven’t done it because… my drive is a dual-boot so… yeah, unless I get a laptop and install only Linux in 2030 maybe I’ll do it by then… But by then, I might need the extra security anyway.
You can still encrypt it with LUKS while dual booting in the year 2025.
fair, I JUST researched it, but, I only have that drive, where my data is, sooo if I mess up, woops, there goes my system.
I guess I’ll do it if I setup my next computer…?
What about data safety, backups etc.? If someone has access to my PC, that is already pretty catastrophic.
They can’t access your files, they just have your computer. They could delete your files by wiping your drive but they don’t have your files, ensuring your privacy
Good question. Along the same lines, if your disk is encrypted and you make a simple backup (say using cp) is the backup encrypted and if so, how do you restore from that?
if your system uses full disk encryption (such as via LUKS) and you simply copy files off to an external or a secondary drive for a ‘backup’, no. the copy is not encrypted unless the destination has encryption set up on it, too.
the alternative would be using a backup program, instead of a simply file copy, that encrypts its backups.
It depends how the backup is encrypted. Most backup solutions will give you an encryption key, or a password to a key, that you have to keep safely and securely somewhere else. If you have an online password manager or a Keepass database in cloud storage, that would be a reasonable place to keep the key. Or on a USB stick (preferably more than one because they can fail) or a piece of paper which you mustn’t lose.
the backup wouldn’t be encrypted but you can use luks to encrypt the backup drive too, the same way as you’d do with a drive in your computer.
i use rsync to send off my /home to an encrypted backup drive and restoring it you just reverse the source and destination and copy the stuff back.
dmcrypt for backup drives. Ideally with detached encryption header, stored separately.
