This makes a world of difference. I know many people may know of it but may not actually do it. It Protects your files in case your computer is ever stolen and prevents alphabet agencies from just brute forcing into your Laptop or whatever.
I found that Limine (bootloader) has the fastest decryption when paired with LUKS at least for my laptop.
If your computer isn’t encrypted I could make a live USB of a distro, plug it into your computer, boot, and view your files on your hard drive. Completely bypassing your Login manager. If your computer is encrypted I could not. Use a strong password and different from your login
Benefits of Using LUKS with GRUB Enhanced Security
- Data Protection: LUKS (Linux Unified Key Setup) encrypts disk partitions, ensuring that data remains secure even if the physical device is stolen.
- Full Disk Encryption: It can encrypt the entire disk, including sensitive files and swap space, preventing unauthorized access to confidential information.
Compatibility with GRUB
- Unlocking from Bootloader: GRUB can unlock LUKS-encrypted partitions using the cryptomount command, allowing the system to boot securely without exposing sensitive data.
- Support for LVM: When combined with Logical Volume Management (LVM), LUKS allows for flexible partition management while maintaining encryption.
I like to keep a key on a USB so the computer boots either with a ridiculously strong backup password or a key on a USB drive. I like tiny little USB drives. So, if you find yourself in an airport or wherever and you just “lose” the USB then the device is automatically locked down.
I built a small set of scripts to decrypt when the initrd starts and can load from a file in the initrd (from separate volume), EFI, or various combinations of passphrase in GRUB. The main intent isn’t to keep out somebody with physical access to the machine and sufficient time but rather makes it a lot easier to make the data unrecoverable when the drive is disposed of.
It took me several attempts to get this right, but it’s a game changer.
Yep, I made sooooo many notes and tried a bunch of different options. In the end I was able to get it working well with Grub,l and Arch.
Last time I had LUKS setup on my main laptop, there was a surprizingly sharp hit in performance.
I’m glad I have the option, but is it really the most appropriate thing for me to use right now? It just doesn’t make sense to talk about security and privacy without a clear threat model first.
Sigh. It doesn’t impact performance. That had a had a higher chance of being the type of partition you created. Also, in the PRIVACY group are you really confused about why you want privacy?
The type of partition I created was Debian’s default settings at the time.
This is where the threat modeling comes in. The laptop in question is not currently likely to be physically searched - nor does it contain any data that is likely to put me at any risk if it is searched, and the more prudent things I can be doing to protect my privacy have more to do with getting away from Android/Play Store, and being less dependent on other surveillance-capitalism services like YouTube, Google Maps, etc.
I will likely use LUKS again in the future, but there are broader overhauls I need to make to my digital life first.
Look you don’t need to be searched or expecting a search. If someone steals your laptop you are covered SIGNIFICANTLY more if it’s encrypted which gives you privacy because they wouldn’t be able to see your data. Doesn’t matter if it’s a risk to you. It’s for the privacy. It’s the mindset not just the random act
Currently I have fragments of my data stored on at least half a dozen devices that I’ve accumulated over the years. My digital life is as messy as my adhd brain. I plan on setting up a NAS at some point, and will likely both consolidate all my data there and use LUKS. But until then encrypting one drive is the least of my problems.
Although anti-theft tech in my laptop might be kind of neat.
What kind of CPU is in that laptop? The vast majority of x86 CPUs from the past 10 years include hardware acceleration for AES encryption so that the performance hit is negligible.
It’s a Thinkpad P51 with a Xeon chip of some sort. Yeah I don’t know what happened there, only that switching to fedora without full disk encryption has resulted in much greater performance, like a difference between being able to do some gaming or not. So many variable changed there that I don’t even know if the crypto had anything to do with it.
arch linux was what forced me to use LUKS on all of my installs regardless of distros, btw.
i used the standard layout:/boot, /, /home, swap. So when the installs break, the best way to fix is to use the archiso and remount and re arch-chroot.
Well… i found out that without LUKS, anybody can use any distros live cd and mount my stuff.
At first, I used LUKs only on the main partitions: so / and /home, or just / if no separate /home. Swap remains unencrypted. Boot is also unencrypted.
You could encrypt those too but need more work and hackery stuff:
-
encrypted boot: can be slow if you boot the compututer from cold. There’s also this thing where you need to enter the password twice => think Fedora has an article to get around this. Iirc, it involves storing the boot’s encrypted password as a key deep within the root directory.
-
encrypted swap: the tricky thing is to use this with hibernation. I managed to get it to work once but with Zram stuff, I dont use hibernation anymore. It involved writing the correct arguments in the /boot/grub/grub.cfg. Basically tells the bootloader to hibernate and resume from hibernation with the correct UUID.
-
Encfs + pam mount home.
/tmp and var/run in tmpfs
No swap.
Dang, if those agencies ever see my Civilization 4 save games, I’ll be so royally embarrassed that I spent so much time on it that they could blackmail me to anything.
I found it better to just encrypt one folder with all my sensitive info (I use gocryptfs). i saw no reason to have my zshrc and init.lua encrypted 🙂 and I just encrypt data I don’t want in the hands of others…
Browsing history, Downloads folder, cache, etc. That’s good to have encrypted.
ur def right about this. there are a few other things (e. g. cached mail etc) that would be good to encrypt, which I don’t do right now.
if my computer gets stolen I figure no one will bother with my data unless they stand to immediately gain financially. e.g. ransom. my data (I have backups) or access my bank info (I keep this encrypted) and steal my identity. so I protect against this as best as I can without sacrificing usability too much
Just encrypt your home then.
Don’t forget /tmp, and maybe logs too. Theres docker storage and kvm image locations if you use that. Maybe others. FDE also makes an evil maid attack much less trivial too.
I don’t know, I don’t see a lot of damage or unpleasantness stemming from someone getting into my /tmp, but I don’t want any llm being fed contents of my /home. I am less afraid of an attack, as I am irked by corpos putting fingers into my shit
You act like encrypting the whole drive makes it take more power or something
so the issue with whole drive encryption is that all the data is decrypted 100% of the time I’m using the device. even when I sleep the device …
with one folder, I ensure it’s unmounted and encrypted before my computer sleeps.
But when your Computer is on and the drive is mounted, its also decrypted and available? What’s the attack vector here? Someone coming into my house yoinking my computer while its asleep without interrupting the power?
I have seen the use of such a device by gov’t agencies; basically a large UPS that clips onto the AC plug’s prongs so that a running server or desktop PC can be confiscated without power being interrupted.
this sounds cool. if my desktop is plugged into the wall, how would they unplug it to plug it into their device without my computer losing power momentarily?
It splices into the live power cord and supplies the same voltage in parallel. When the connection is verified good, the PC is powered from battery and can be unplugged from the wall.
jeez. so strip the live wire. splice in UPS. then switch over. sounds hard (and dangerous)
So just don’t put your Computer to sleep, but turn of off when you leave it?
usually I sleep my laptop and take it with me. with full disk encryption, if my bag gets stolen my files are all decrypted if the attacker gets past the lock screen.
getting past a lock screen is much easier than breaking encryption ofc
more importantly my desktop is online 24/7 with a static IP. if I get hacked they get all my data (bank passwords etc). but with the one folder encryption, if I get hacked they get my zshrc and init.lua 🙂
So the solution is to not put the laptop asleep but turning it off.
lol no. i currently reboot once every two weeks and find it a chore. (it’s my one complaint about arch as the kernel updates are so frequent). I’m def not going to waste time reopening all my windows and tabs every time I open my computer just to keep my zshrc encrypted. i realized long ago that security and usability are inversely related, and I picked the middle ground that suits me
Pretty much all beginner friendly distros have this thing (Fedora Debian Ubuntu Mint). You just have to enable it. Also make sure if you are using secure boot - remove Microsoft keys and generate your own. Also its nice to have bios password setup too.
It’s easy-- if you install on a single drive. If you want home on a separate drive, encryption is not so easy, and you have to learn about cryptsetup, crypttab, etc. Quite a steep learning curve compared to the installer. I do hope distros provide better coverage of this in the future. Having home on a separate drive and encrypted is just good practice.
Also: back in the day, you could wipe a drive with GNU Shred or just “dd if=/dev/zero of=/dev/hda”. SSDs and NVMe drives have logic about where and what to overwrite that makes this less effective, leading to the possibility of data recovery from old drives. If the data is always encrypted at rest and the key is elsewhere (not on the drive, in a yubikey or TPM chip or your head), then the data is not recoverable.
I found that Limine (bootloader) has the fastest decryption when paired with LUKS at least for my laptop.
Limine does not have decryption, that’s just the linux kernel.
Also: encrypt everything you upload to the cloud with Cryptomator or something like that. I amazes me I used to put stuff directly in my pCloud folder.
Cryptomator is good but it’s important also to keep backups of the unencrypted content of the Cryptomator vault that are not encrypted by Cryptomator. (You could encrypt the backups with another system.) Cryptomator vaults are more fragile than the underlying file system, and it’s easier for a glitch in the sync process to corrupt them so they’re unrecoverable. I have lost data due to this in the past. So it’s best to make sure all the contents of your vaults also exist somewhere else, encrypted in another way.
I used borg for my backups, but why do you say Cryptomator vaults are fragile?
It’s not that they’re especially fragile. It’s really only when you combine them with a sync process. I once had a sync go wrong and it resulted in the contents of a vault being unreadable. Because all you have are a bunch of encrypted files with meaningless names and a flattish structure, which Cryptomator interprets and mounts as a different directory structure, when something goes wrong it’s not easy to know where in the vault files the problem lies. You can’t say “ah, I’m missing the documents folder so I’ll restore that one from backup” like you could with an unencrypted directory. And if you’ve made changes since the last vault backup you can’t just restore the whole vault either. You could mount a backup of the vault from a time when it was intact, and then copy files across into your live copy, but I feel safer having a copy in another format somewhere else. Not necessary, I guess, but it can make recovery easier.
Ok, I understand. In my particular use case that shouldn’t be an issue. My Cryptomator folder is local and I use it only locally. Then there’s a sync process to copy stuff to pCloud automatically, but that copy is never touched directly by my.
But in any case as you said, backups.
Because he experienced data loss, as he says?
Facts. I put everything on cloud (mega only) compressed with AES-256
compressed with AES-256
I guess you mean encrypted.
No I meant compressed, it comes with the encryption.
AES-256 is just an encryption algorithm, it doesn’t do any compression on it’s own, so it’s not quite right to say its compressed with it. Really it was compressed, then afterwards encrypted with AES-256.
Sigh. I said i compress with AES-256. I compress my files with the compression that encrypts it. Just as the screenshot shows. (Compression+AES-256) I’m the OP of this post. Give me more credit. I know they are two different things. I think you just didn’t get what I was trying to say
I said i compress with AES-256
To avoid confusion you could say, “along with”, or fully say, “I encrypt with AES-256 as I compress, in one step”.
It’s not necessarily about what you know, but about what readers will understand. (For example, someone who doesn’t know better might read what you wrote and think there is some way to compress using AES-256 and go down a rabbit hole.)
I understood what you meant, I was just pointing out that what you said was incorrect. Even in your reply you said
I compress my files with the compression that encrypts it.
Which is still not entirely correct. The compression is not doing any encrypting. They are two separate processes that the tool you are using is presenting as a single step for convenience. You seem to know what you are talking about, and I happen to know about cryptography, but as someone else in the thread mentioned not everyone knows how these things work. If we are trying to spread knowledge and tips in this community (like your post is doing) then I just saw this as an opportunity to clarify something that was incorrect. Not for your benefit, but for others.
What about data safety, backups etc.? If someone has access to my PC, that is already pretty catastrophic.
They can’t access your files, they just have your computer. They could delete your files by wiping your drive but they don’t have your files, ensuring your privacy
Good question. Along the same lines, if your disk is encrypted and you make a simple backup (say using cp) is the backup encrypted and if so, how do you restore from that?
It depends how the backup is encrypted. Most backup solutions will give you an encryption key, or a password to a key, that you have to keep safely and securely somewhere else. If you have an online password manager or a Keepass database in cloud storage, that would be a reasonable place to keep the key. Or on a USB stick (preferably more than one because they can fail) or a piece of paper which you mustn’t lose.
the backup wouldn’t be encrypted but you can use luks to encrypt the backup drive too, the same way as you’d do with a drive in your computer.
i use rsync to send off my /home to an encrypted backup drive and restoring it you just reverse the source and destination and copy the stuff back.
dmcrypt for backup drives. Ideally with detached encryption header, stored separately.
I wanna encrypt my BTRFS system, but not the FAT32 boot part. Only the Linux kernels are on FAT32 anyway, and I don’t care about encrypting those — they’re public stuff, not private files. I just let limine-entry-tool hash them to make sure they’re clean for booting, that’s totally fine for me.
I don’t like putting kernels on the Linux filesystem for GRUB — it just makes booting slower and causes random issues.
how is the state of TPM unlocking atm? i don’t do it because i use my computer remotely, and having to locally unlock it would break the setup. on my laptop sure, always encrypted.
I’ve been doing that since like was first introduced as a separate library already. I don’t know better than that all my files are encrypted since well over a decade, probably almost two
Yeah but then you need to type in two passwords. A little annoying
