This makes a world of difference. I know many people may know of it but may not actually do it. It Protects your files in case your computer is ever stolen and prevents alphabet agencies from just brute forcing into your Laptop or whatever.
I found that Limine (bootloader) has the fastest decryption when paired with LUKS at least for my laptop.
If your computer isn’t encrypted I could make a live USB of a distro, plug it into your computer, boot, and view your files on your hard drive. Completely bypassing your Login manager. If your computer is encrypted I could not. Use a strong password and different from your login
Benefits of Using LUKS with GRUB Enhanced Security
- Data Protection: LUKS (Linux Unified Key Setup) encrypts disk partitions, ensuring that data remains secure even if the physical device is stolen.
- Full Disk Encryption: It can encrypt the entire disk, including sensitive files and swap space, preventing unauthorized access to confidential information.
Compatibility with GRUB
- Unlocking from Bootloader: GRUB can unlock LUKS-encrypted partitions using the cryptomount command, allowing the system to boot securely without exposing sensitive data.
- Support for LVM: When combined with Logical Volume Management (LVM), LUKS allows for flexible partition management while maintaining encryption.
Pretty much all beginner friendly distros have this thing (Fedora Debian Ubuntu Mint). You just have to enable it. Also make sure if you are using secure boot - remove Microsoft keys and generate your own. Also its nice to have bios password setup too.
Watch out about removing Microsoft’s keys! Some video drivers (nvidia) will only work with Microsoft’s keys and you might brick your system. Only remove Microsoft’s keys if you know what you’re doing.
I did not know this about secure boot, I always just disabled it.
It’s easy-- if you install on a single drive. If you want home on a separate drive, encryption is not so easy, and you have to learn about cryptsetup, crypttab, etc. Quite a steep learning curve compared to the installer. I do hope distros provide better coverage of this in the future. Having home on a separate drive and encrypted is just good practice.