This makes a world of difference. I know many people may know of it but may not actually do it. It Protects your files in case your computer is ever stolen and prevents alphabet agencies from just brute forcing into your Laptop or whatever.
I found that Limine (bootloader) has the fastest decryption when paired with LUKS at least for my laptop.
If your computer isn’t encrypted I could make a live USB of a distro, plug it into your computer, boot, and view your files on your hard drive. Completely bypassing your Login manager. If your computer is encrypted I could not. Use a strong password and different from your login
Benefits of Using LUKS with GRUB Enhanced Security
- Data Protection: LUKS (Linux Unified Key Setup) encrypts disk partitions, ensuring that data remains secure even if the physical device is stolen.
- Full Disk Encryption: It can encrypt the entire disk, including sensitive files and swap space, preventing unauthorized access to confidential information.
Compatibility with GRUB
- Unlocking from Bootloader: GRUB can unlock LUKS-encrypted partitions using the cryptomount command, allowing the system to boot securely without exposing sensitive data.
- Support for LVM: When combined with Logical Volume Management (LVM), LUKS allows for flexible partition management while maintaining encryption.
Also: back in the day, you could wipe a drive with GNU Shred or just “dd if=/dev/zero of=/dev/hda”. SSDs and NVMe drives have logic about where and what to overwrite that makes this less effective, leading to the possibility of data recovery from old drives. If the data is always encrypted at rest and the key is elsewhere (not on the drive, in a yubikey or TPM chip or your head), then the data is not recoverable.
From what I understand, some modern drives effectively encrypt everything at rest, but have the key on file internally so it decrypts transparently. This allows for a fast “wipe” where it just destroys the key instead of having to overwrite terabytes.
that presumes trust in the drive manufacturer and their firmware