Do you encrypt your drives and why or why not?
Do you encrypt your drives and why or why not?
I was recently intrigued to learn that only half of the respondents to a survey said that they used disk encryption. Android, iOS, macOS, and Windows have been increasingly using encryption by default. On the other hand, while most Linux installers I've encountered include the option to encrypt, it is not selected by default.
Whether it's a test bench, beater laptop, NAS, or daily driver, I encrypt for peace of mind. Whatever I end up doing on my machines, I can be pretty confident my data won't end up in the wrong hands if the drive is stolen or lost and can be erased by simply overwriting the LUKS header. Recovering from an unbootable state or copying files out from an encrypted boot drive only takes a couple more commands compared to an unencrypted setup.
But that's just me and I'm curious to hear what other reasons to encrypt or not to encrypt are out there.
No, I don't encrypt. I am a grown ass man and I rarely take my laptop out of my home. I don't have any sensitive data on my various machines. I do use secure and encrypted cloud services to store things that I consider a security risk. Everything else is useless to a potential intruder.
Most mobile/laptop devices should be encrypted by default. They are too prone to loss or theft. Even that isn't sufficient with border crossings where you are probably better off wiping them or leaving them behind.
My desktop has no valuable data like crypto, sits in a locked and occupied house in a small rural community with relatively low crime (public healthcare, social security, aging population). I have no personal experience of property theft in over half a decade.
I encrypt secrets with a hardware key. They are only accessed as needed. This is a much more appropriate solution than whole disk encryptiom for my circumstances. Encrypting Linux packages and steam libraries doesn't offer any practical benefit and unlocking my filesystem at login would not protect from network exfiltration which is a more realistic risk. It adds overhead.and another point of failure for no real benefit.
Yes. I have sensitive info in my PC (work credentials) and in the case of a break-in, last thing I want is to jeopardize my job.
I wanted to but everyone on Lemmy told me I was an idiot for wanting a feature Mac and Windows have had for a decade (decrypt on login) .
But seriously it's just not there on Linux yet. Either you encrypt and have two passwords, or give up convenience features like biometrics. Anything sensitive lives somewhere else.
I made the mistake of not setting up encryption on my main 45TB zfs pool so I'm currently backing up everything on there to tape so I can recreate the pool (also need to change from mirrored to raidz) and then copying everything back to the drives. Although writing and reading each are around 6 days continuesly. Didn't want to bite the bullet and pay more then I absolutely had to and only got a LTO-4 drive and tapes.
Honestly... Why bother? If someone gains remote access to my system, an encrypted disk won't help. It's just a physical access preventer afaik, and I think the risk of that being necessary is very low. Encrypted my work computer because we had to and that environment also made it make more sense, I technically had sensitive customer info on it, though I worked at Oracle so of course they had to make it as convoluted and shitty as possible.
My drives are not encrypted because it's a hassle if things start going wrong. My NAS is software raid so the individual disks mean nothing anyway. The only drive that is encrypted is my backup disk and I'm not really sure if it was needed.
No.
I spend a significant amount of time on other things, e.g. NOT using BigTech, no Facebook, Insta, Google, etc where I would "volunteer" private information for a discount. I do lock the physical door of my house (most of the time, not always) and have a password ... but if somebody is eager and skilled enough to break in my home to get my disks, honestly they "deserve" the content.
It's a bit like if somebody where to break in and stole my stuff at home, my gadgets or jewelry. Of course I do not welcome it, nor help with it hence the lock on the front door or closed windows, but at some point I also don't have cameras, alarms, etc. Honestly I don't think I have enough stuff worth risking breaking in for, both physical and digital. The "stuff" I mostly cherish is relationship with people, skills I learned, arguably stuff I built through those skills ... but even that can be built again. So in truth I don't care much.
I'd argue security is always a compromise, a trade of between convenience and access. Once you have few things in place, e.g. password, 2nd step auth, physical token e.g. YubiKeyBio, the rest becomes marginally "safer" for significant more hassle.
I do not as I do not have any sensitive data and what data is sensitive are the digital documents which are securely encrypted by default via id card and its passwords.
If I start having something worth protecting I will turn on fedoras encryption. But until then anyone who manages to steal my 100 eur thinkpad and guess its password is welcome to try out linux and see if they like it I guess.
I don't but admittedly I don't do much stuff on my laptop that's super secure. it's mainly for gaming and the odd programming project.
My issue is that I can never remember "a couple more commands" for the life of me. And I use Arch BTW, so the likelihood of me needing those is a bit higher than usual.
No. I break my system occasionally and then it's a hassle.
I donât really see the point. If someoneâs trying to access my data itâs most likely to be from kind of remote exploit so encryption wonât help me. If someoneâs breaks into my house and steals my computer I doubt theyâll be clever enough to do anything with it. I guess thereâs the chance that they might sell it online and it gets grabbed by someone who might do something, but most of my important stuff is protected with two factor authentication. Itâs getting pretty far fetched that someone might be able to crack all my passwords and access things that way.
Itâs far more likely that itâs me trying to recover data and Iâve forgotten my password for the drive.
Full disk encryption on everything. My Servers, PCs etc. Gives me peace of mind that my data is safe even when the device is no longer in my control.
I encrypt my workstations and backups thereof on external devices. To protect against theft or a lazy state-level adversary
I encrypt everything that leaves my house since it could be easily lost or stolen, but it is rather inconvenient.
If someone breaks into my house, I've got bigger problems than someone getting their hands on my media collection. I think it would be more likely for me to mess something up and loose access to my data than for someone to steal it.
I have no significant private data on my disks. They can be wiped whether encrypted or not if they're stolen. And I like that in theory if my pc explodes I can recover the data with only the drive.
I encrypt everything, with unique complex passwords, that I have a safe mnemonic system for remembering and retrieving.
I do, laptops and workstations.
It's just too easy not to, and there's almost no downsides to it. (I only need to reboot, once a month or two.)
Well, unless you consider the possibility of forgetting the password a downside, so for that reason I keep the password in a password manager.
In case my laptop was stolen, there would quite a couple fewer things to worry about. Especially things like client's data which could be under NDA's, etc...
My laptops are encrypted in case they get stolen or someone gets access to them at uni.
I don't https://xkcd.com/538/
I'm convinced the chances of me losing access to the data are higher than encryption protecting it from a bad actor.
Let's be real, full disk encryption won't protect a running system and if someone has physical access and really wants it, encryption won't protect you from the $5 wrench either.
I do encrypt my phone data though, as someone running away with my phone is more realistic.
Its that simple.
I can expand my own creativity and store every thought and creative Art, without anybody being able to find out after my death or while someone raids me.
Maybe I stored an opinion against some president, and maybe the government changed its working, which allows police to raid someone for little suspection.
You never know if you ever have something to hide. While things are okay now and today, it might be highly illegal tomorrow.
Those are ideas. But generally its only about the feeling of privacy.
I encrypt all my drives. Me and the people I know get occasionally raided by the police. Plus I guess also provides protection for nosy civilians who get their hands on my devices. Unlike most security measures, there is hardly any downside to encrypting your drivesâa minor performance hit, not noticeable on modern hardware, and having to type in a password upon boot, which you normally have to do anyway.
My Laptop and Phone have encrypted drives, my Desktop doesn't.
I use encryption on laptops, because they can be stolen in the train, bus, etc. On work desktop, I do so as well, because there are many people around. However, on everything that stay at home, I prefer not to use it to simplifiy things and get more performance.
Had nosey cops trying to get into my phones illegally recently.. do not understand people that dont encrypt shit
I don't think I encrypt my drives and the main reason is it's usually not a one-click process. I'm also not sure of the benefits from a personal perspective. If the government gets my drives I assume they'll crack it in no time. If a hacker gets into my PC or a virus I'm assuming it will run while the drive is in an unencrypted state anyway. So I'm assuming it really only protects me from an unsophisticated attacker stealing my drive or machine.
Please educate me if I got this wrong.
Edit: Thanks for the counter points. I'll look into activating encryption on my machines if they don't already have it.
I would strongly encourage people to encrypt their on site data storage drives even if they never leave the house and theft isnât a realistic thing that can happen.
The issue is hard drive malfunction. If a drive has sensitive data on it and malfunctions. It becomes very hard to destroy that data.
If that malfunctioning hard drive was encrypted you can simply toss it into an e-waste bin worry free. If that malfunctioning drive was not encrypted you need to break out some heavy tools tool ensure that data is destroyed.
Only encrypt the home partition, for the root partition it just unnecessarily slows down the system.
Also, I think, there could be different approaches instead of encryption. AFAIK, android doesn't use encryption underneath, but uses a semi-closed bootloader (which means, if you install a different OS, all user data gets wiped). I'm currently investigating the feasibility of such an approach in the long term.
All my important files are on a NAS, so if someone steals my laptop, there's nothing of value there without being able to log in and mount the remote file systems
Almost everything that can be is: laptops, desktop, servers (LUKS), phone (grapheneos)
i'd really like to. but there is ONE big problem:
Keyboard layouts.
seriously
I hate having to deal with that. when I set up my laptop with ubuntu, I tried at least 3 thymes to make it work, but no matter what I tried I was just locked out of my brand-new system. it cant just be y and z being flipped, I tried that, maybe it was the french keyboard layout (which is absolutely fucked) or something else, but it just wouldnt work.
On my mint PC I have a similar problem with the default layout having weird extra keys and I just sort of work around that, because fuck dealing with terminals again. (when logged in it works, because I can manually change it to the right one.)
Now I do have about a TerraByte of storage encrypted, just for the... more sensitive stuff...
While dealing with the problems I stumbled across a story of a user who had to recover their data using muscle-memory, a broken keyboard, the same model of keyboard and probably a lot of patience. good luck to that guy.
Every endpoint device I use is using full disk encryption, yes.
I started encrypting once I moved to having a decent number of solid state drives as the tech can theoretically leave blocks unerased once they go bad. Before that my primary risk factor was at end of life recycling which I usually did early so I wasnât overly concerned about tax documents/passwords etc being left as Iâd use dd to write over the platters prior to recycling.
I used to, but then I nuked my install accidentally and I couldn't recover the encrypted data. I nuke my installs fairly regularly. I just did again this past week while trying to resize my / and my /home partitions. I've resigned myself to only encrypting specific files and directories on demand.
My phone is fully encrypted though.
It's one of those things where it depends on the computer. My old box that's running win 7 has nothing but music and backed up media files on it, isn't connected to the internet at all, and there's really no point to it being encrypted.
My laptop leaves the house, and is connected, so it gets the treatment. My general purpose PC is, though that was more just because of a random choice rather than a carefully chosen decision. I figured I'd try it for a few weeks, then nuke it if it was a problem. It hasn't been, and I haven't needed to do anything to it that would require a change.
The other people in the house have chosen not to.
I'm not certain I would encrypt my main desktop again, just because it's one more thing to do, and I'm getting lazy lol. I don't have any sensitive files at all, and if things in the world get so bad that some agency is after me, I'm going to be hiding out up in this holler I know, not worrying about leaving a computer behind. Won't be power anyway, and the only shit they'd find is some pirated files.
I'd be more worried about my phone and my main tablet than any of the PCs, and those would either go with me, or get melted down before I left. Thermite is cheap and easy.
I encrypt all my filesystems, boot partitions excluded. I started with my work laptop. It made the most sense because there is a real possibility that it gets lost or stolen at some point. But once I learned how simple encryption is, I just started doing it everywhere. It's probably not gonna come into play ever for my desktop, but it also doesn't really cost me anything to be extra safe.
Of course, I'm paranoid and don't trust the US government. Or any government really. "First they came for _____" and all that; Id rather just tell them to pound sand immediately instead of get caught with my pants down.
I encrypt my laptop and desktops and I think itâs worth it. I regret encrypting my servers because they need passwords to turn on.
Yes, and for the life of me I don't understand why there isn't a default LUKS with hibernate partition in the Debian installer.
I have stopped encrypting my drives, because if anything goes wrong and the system won't boot it makes recovery more difficult. It's a dual boot machine with Windows 11, and I had a lot of awkwardness with Bitlocker that led to me deciding to abandon encryption in both OSs. I save sensitive files to encrypted volumes in VeraCrypt.
I encrypted my professional laptop's drive in order to prevent access to company data and code in case of theft. And I'll probably encrypt my personal laptop as well because the SSH key can access company code.
As for the desktop, I didn't and probably never will, because theft is less likely and that would be a pain to handle for nightly backups (it is turned on with Wake-on-LAN and then a cron backs up my home directory to my NAS).
Finally, I won't encrypt my NAS as well for the same reason: it would quickly become a hassle as I would have to manually decrypt the drives every time it boots after a power outage.
Yeah all my drives are encrypted with LUKS mostly because of home burglaries (bad area and whatnot). I still keep backups regardless on drives that are also encrypted
Yes. I encrypt because theft. I know PopOS and Mint make it 1-click ez. ...unless of course you want home and root on a separate drives. That scales difficulty real fast. There's plenty of tutorials, and I managed, but I had to patch together different ones to get a basic setup-- Never mind understanding exactly what I did and repeating it (the latest challenge I've been dragging my feet on). I do hope this is an area that sees more development in the near future.
I encrypt my desktop and laptop but not my servers. On desktop, that excludes drives that aren't my OS/boot drive.
I always encrypt my computer SSD as well as my external backup drive. I just wish that when installing a Linux distro and when selecting encryption that it would work with multiple drives
Doesn't Pop have that by default? I think others have too.
Anyway, yes for basically everything. Except my servers main partition, because otherwise recovering from crashes would be horribly annoying or unsafe if I'd use cryptssh. And if the dns+dhcp/gateway/VPN server crashes I'd definitely need 22 open.
Yes absolutely, it is the building block of my security posture. I encrypt because I donât want thieves to have access to my personal data, nor do I want law enforcement or the state to have access if they were to raid my house. Iâm politically active and a dissident so I find it vital to keep my data secure and private, but frankly everybody should be doing it for their own protection and peace of mind
I don't do it for my desktop because 1) I highly doubt my desktop would get stolen. 2) I installed Linux before I was aware of encryption, and don't have any desire to do a reinstall on my desktop at this time.
For my laptop, yes, I do (with exception of the boot partition), since it would be trivial to steal and this is a more recent install. I use clevis to auto-unlock the drive by getting keys from the TPM. I need to better protect myself against evil maids, though - luckily according to the Arch Wiki Clevis supports PCR registers.
Yes because my distro also have encrypted /boot included
Mostly I don't, but I want to start to. I only have one laptop encrypted and of course I keep my phones encrypted.
Yes because it is one click
If I delete my drive, it is rubbish
It doesnt impact my performance much
I donât have FDE (BitLocker) enabled on my Windows 11 gaming PC. It sits in my house and has nothing on it but video games and video game related shit. I donât even have my password manager installed for logging in to Steam, GoG or whatever other launcher. I manually type passwords in from the vault on my phone if the app doesnât support QR code login like discord. Also I paid for this ridiculous m.2 nvme drive, Iâm not going to just give up iops bc i want my game install files encrypted.
I donât use FDE on my NAS. Again it doesnât leave my house. I probably should I guess, bc there is some stuff on there that would cause me to have industry certs revoked if they leaked, but idk I donât. Everything irreplaceable is backed up off site, but the down time it would take to rebuild my pirated media libraries from scratch vs just swapping disks and rebuilding has me leery.
I have FDE enabled on both my MacBooks. They leave the house with me, it seems to make sense.
I donât use FDE on Linux VMs I create on the MacBooks, the disk is already encrypted.
My iphone doesnât have the option to not use FDE I donât think.
I use encrypted rsync backups to store NAS stuff in the cloud. I use a PGP key on my yubikey to further encrypt specific files on my MacBooks as required beyond the general FDE.
I encrypt my home folder and Windows install just in case someone breaks into my house and steals my computer. Super annoying entering my password each boot though.
Depends. On external drives yes. On internal boot drive no. I had performance issues and thermal issues with it so stopped on boot drives.
I was recently intrigued to learn that only half of the respondents to a survey said that they used NO disk encryption.
Is the other half alright?