From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
I used to, but not anymore, except for my laptop I plan on taking with me travelling. My work laptop and personal laptop are both encrypted.
I figure my home is safe enough, and I only really need encryption if I'm going to be travelling.
One of my friends locked himself out of his PC and all his data because he forgot his master password, and I don't want to do that myself lol
Exactly the same rationale as mine.
No.
I spend a significant amount of time on other things, e.g. NOT using BigTech, no Facebook, Insta, Google, etc where I would "volunteer" private information for a discount. I do lock the physical door of my house (most of the time, not always) and have a password ... but if somebody is eager and skilled enough to break in my home to get my disks, honestly they "deserve" the content.
It's a bit like if somebody where to break in and stole my stuff at home, my gadgets or jewelry. Of course I do not welcome it, nor help with it hence the lock on the front door or closed windows, but at some point I also don't have cameras, alarms, etc. Honestly I don't think I have enough stuff worth risking breaking in for, both physical and digital. The "stuff" I mostly cherish is relationship with people, skills I learned, arguably stuff I built through those skills ... but even that can be built again. So in truth I don't care much.
I'd argue security is always a compromise, a trade of between convenience and access. Once you have few things in place, e.g. password, 2nd step auth, physical token e.g. YubiKeyBio, the rest becomes marginally "safer" for significant more hassle.
No. I break my system occasionally and then it's a hassle.
I don’t really see the point. If someone’s trying to access my data it’s most likely to be from kind of remote exploit so encryption won’t help me. If someone’s breaks into my house and steals my computer I doubt they’ll be clever enough to do anything with it. I guess there’s the chance that they might sell it online and it gets grabbed by someone who might do something, but most of my important stuff is protected with two factor authentication. It’s getting pretty far fetched that someone might be able to crack all my passwords and access things that way.
It’s far more likely that it’s me trying to recover data and I’ve forgotten my password for the drive.
I wanted to but everyone on Lemmy told me I was an idiot for wanting a feature Mac and Windows have had for a decade (decrypt on login) .
But seriously it's just not there on Linux yet. Either you encrypt and have two passwords, or give up convenience features like biometrics. Anything sensitive lives somewhere else.
You're an idiot, go back to macOS you fucking normie
(/s, I'm also waiting for TPM encryption + user home encryption)
Clevis pretty much does TPM encryption and is in most distros' repos. I use it on my Thinkpad. It would be nice if it had a GUI to set it up; more distros should have this as a default option.
You do have to have an unencrypted boot partition, but the issues with this can at least in be mitigated with PCR registers, which I need to set up.
How hard is clevis to setup?
I’ve seen it referenced for encrypted servers, but I haven’t tried setting it up.
Unencrypted boot is unfortunate. What are PCR registers?
(Note: Anything I say could be B.S. I could be completely misunderstanding this.)
Clevis isn’t too difficult to set up - Arch Wiki documents the process really well. I’ve found it works better with dracut that mkinitcpio.
As for PCR registers (which I haven’t set up yet but should), what I can tell, it sets the hash of the boot partition and UEFI settings in the TPM PCR register so it can check for tampering on the unencrypted boot partition and refuse to give the decryption keys if it does. That way, someone can’t doctor your boot partition and say, put the keys on a flash drive - I think they’d have to totally lobotomize your machine’s hardware to do it, which only someone who has both stolen your device and has the means/budget to do that would do.
You do need to make sure these registers are updated every kernel update, or else you’ll have to manually enter the LUKS password the next boot and update it then. I’m wondering if there’s a hook I can set up where every time the boot partition is updated, it updates PCR registers.
My laptops are encrypted in case they get stolen or someone gets access to them at uni.
Honestly... Why bother? If someone gains remote access to my system, an encrypted disk won't help. It's just a physical access preventer afaik, and I think the risk of that being necessary is very low. Encrypted my work computer because we had to and that environment also made it make more sense, I technically had sensitive customer info on it, though I worked at Oracle so of course they had to make it as convoluted and shitty as possible.
You're somewhat right in the sense that the point of disk encryption is not to protect from remote attackers. However, physical access is a bigger problem in some cases (mostly laptops). I don't do it on my desktop because I neither want to reinstall nor do I think someone who randomly breaks in is going to put in the effort to lug it away to their vehicle.
Certainly didn't mean to say it's never useful, just not useful for me
Most mobile/laptop devices should be encrypted by default. They are too prone to loss or theft. Even that isn't sufficient with border crossings where you are probably better off wiping them or leaving them behind.
My desktop has no valuable data like crypto, sits in a locked and occupied house in a small rural community with relatively low crime (public healthcare, social security, aging population). I have no personal experience of property theft in over half a decade.
I encrypt secrets with a hardware key. They are only accessed as needed. This is a much more appropriate solution than whole disk encryptiom for my circumstances. Encrypting Linux packages and steam libraries doesn't offer any practical benefit and unlocking my filesystem at login would not protect from network exfiltration which is a more realistic risk. It adds overhead.and another point of failure for no real benefit.
I used to, but it's proven to be a pain more often than a blessing. I'm also of the opinion that if a bad actor capable of navigating the linux file system and getting my information from it has physical access to my disk, it's game over anyway.
No, I don't encrypt. I am a grown ass man and I rarely take my laptop out of my home. I don't have any sensitive data on my various machines. I do use secure and encrypted cloud services to store things that I consider a security risk. Everything else is useless to a potential intruder.
I do encrypt my drives, and it’s not as transparent in Linux as it is in the others. I’m sure I could get a TPM setup for seamless boots, but I haven’t done that yet.
For mobile drivers, I still encrypt, but that locks them to one OS since LUKS isn’t cross platform. There is VeraCrypt for cross-platform encryption, but that’s one more thing to manage and install.
I do on all my devices that can as a matter of practice, not for any real threat. I'm interested to learn about how to set it up and use it on a daily basis including how to do system recoveries. I guess it's largely academic.
Once I switched to linux as my daily driver, I didn't have a need to do piracy anymore since all the software I need is FOSS.
I don't encrypt because it's too much effort to learn about it.
Id rather keep my filesystem unencrypted so that I can easily recover from problems and encrypt important files as needed, but let's be real I don't do that either.
yes. if you live in a country without democracy. it is the only way to protect yourself and your data from nsa agent kicking your door.
Depends on the use case. Definitely for my laptop though. In fact the decryption keys only exist in two places:
I don't wanna risk losing anything on the drive thats important .
May i suggest a technique for remembering the password?
write it down
but instead of writing down the password, write down questions that only you can reasonably answer. For example:
and the answer would be: "mary beach rodeo" or idk what. this way, you construct a password out of multiple words that each are an answer to a simple question.
For my laptop, yeah. I rarely actually use it though. For my desktop not so much. I really don't keep that much personal information on it to begin with, and if someone breaks into my house they could probably get more by stealing the desk my computer is sitting on then by stealing the computer. It just feels like a silly thing to waste my time with.
Yep. Everything except my server, which needs to be able to boot without my help. Because why not? I rarely ever reboot anything, so it doesn’t really hurt, and if anyone steals my shit they won’t get my wife’s noods.
My drives are not encrypted because it's a hassle if things start going wrong. My NAS is software raid so the individual disks mean nothing anyway. The only drive that is encrypted is my backup disk and I'm not really sure if it was needed.
Its that simple.
I can expand my own creativity and store every thought and creative Art, without anybody being able to find out after my death or while someone raids me.
Maybe I stored an opinion against some president, and maybe the government changed its working, which allows police to raid someone for little suspection.
You never know if you ever have something to hide. While things are okay now and today, it might be highly illegal tomorrow.
Those are ideas. But generally its only about the feeling of privacy.
Full disk encryption on everything. My Servers, PCs etc. Gives me peace of mind that my data is safe even when the device is no longer in my control.
Asahi Linux doesn't support encryption and getting it to work requires a lot of steps and that I reinstall it which I don't have time for, so I don't have it enabled on my laptop, and if it gets stolen or confiscated I'm fucked.
I have it enabled on my server and phone.
@sudoer777 @monovergent , create an encrypted container? It's a little tedious, but fairly distro agnostic.
Edit: Definitely throw together scripts to simplify the process of unlocking and mounting.
I use encryption on laptops, because they can be stolen in the train, bus, etc. On work desktop, I do so as well, because there are many people around. However, on everything that stay at home, I prefer not to use it to simplifiy things and get more performance.