this post was submitted on 12 Oct 2025
161 points (98.2% liked)


This makes a world of difference. I know many people may know of it but may not actually do it. It protects your files in case your computer is ever stolen and prevents alphabet agencies from just brute forcing into your laptop or whatever.

I found that Limine (bootloader) has the fastest decryption when paired with LUKS at least for my laptop.

If your computer isn't encrypted I could make a live USB of a distro, plug it into your computer, boot, and view your files on your hard drive, completely bypassing your login manager. If your computer is encrypted I could not. Use a strong password that is different from your login.

Benefits of Using LUKS with GRUB

Enhanced Security

  • Data Protection: LUKS (Linux Unified Key Setup) encrypts disk partitions, ensuring that data remains secure even if the physical device is stolen.
  • Full Disk Encryption: It can encrypt the entire disk, including sensitive files and swap space, preventing unauthorized access to confidential information.

Compatibility with GRUB

  • Unlocking from Bootloader: GRUB can unlock LUKS-encrypted partitions using the cryptomount command, allowing the system to boot securely without exposing sensitive data.
  • Support for LVM: When combined with Logical Volume Management (LVM), LUKS allows for flexible partition management while maintaining encryption.
[–] melfie@lemy.lol 6 points 3 hours ago (1 children)

Setting up full-disk encryption on a Steam Deck with an on-screen keyboard should definitely be an option during SteamOS installation, but it’s a pain as it stands. It’s my only Linux device not using LUKS.

[–] StopSpazzing@lemmy.world 0 points 3 hours ago (2 children)

Pointless for gaming devices, nothing to hide on them, there will also be a small overhead for nothing.

[–] NewNewAugustEast@lemmy.zip 6 points 1 hour ago

I use mine as a computer often. When I travel it stores notes, has my email accounts, and is a productive tool.

So yeah I would like to encrypt it. As it is I use vaults and back up encrypted to my own cloud. But it would be nice to simply do the whole thing.

[–] melfie@lemy.lol 1 points 2 hours ago

Correct, nothing to hide because nobody gets their games from the high seas.

[–] Bigfishbest@lemmy.world 5 points 3 hours ago

Dang, if those agencies ever see my Civilization 4 save games, I'll be so royally embarrassed that I spent so much time on it that they could blackmail me to anything.

[–] melfie@lemy.lol 6 points 3 hours ago (1 children)

Seems a lot of distros put it under an advanced section in the installer, but I think the “advanced” option should be not enabling full-disk encryption, meaning you know what you’re doing and have assessed the risk.

[–] frongt@lemmy.zip 4 points 3 hours ago

Ideally, yes. The problem is that the non-advanced users then get prompted for their encryption key and then it's "What are you talking about, I never set that up, what do you mean you can't recover the photos of my grandkids!"

[–] stupid_asshole69@hexbear.net 16 points 6 hours ago

Set up full backups you can reliably recover with before doing this.

With LUKS there are several situations you can end up in where you can’t just pop your disk out and pull files from it, removing a first response to many common hardware failures.

[–] Thorry@feddit.org 108 points 10 hours ago (13 children)

and prevents alphabet agencies from just brute forcing into your Laptop or whatever

Inserting relevant XKCD as is required by internet law: https://xkcd.com/538/

[–] monovergent@lemmy.ml 7 points 3 hours ago* (last edited 3 hours ago)

idk man, but I'd still much rather have encryption, even if I'm up against the alphabet boys:

  • They'll be up a creek if I escape, die, or vanish into the woods first
  • If I hid a disk somewhere, I'd rather know they found it when they come to torture me, than have it inspected without hearing a word
  • If all else fails, they'll at least have to expend a modicum of effort and resources to fight me

[–] bhamlin@lemmy.world 27 points 8 hours ago

You know you're fucked if they use a wrench. That means you don't have to be seen publicly ever again. There's a chance for you if they're using a rubber hose...

[–] Coleslaw4145@lemmy.world 19 points 9 hours ago

Not much good if they only have your laptop and not you.

[–] programmerlexi@sh.itjust.works 11 points 8 hours ago

I found that Limine (bootloader) has the fastest decryption when paired with LUKS at least for my laptop.

Limine does not have decryption, that's just the Linux kernel.

[–] bruhbeans@lemmy.ml 13 points 9 hours ago (1 children)

Also: back in the day, you could wipe a drive with GNU Shred or just "dd if=/dev/zero of=/dev/hda". SSDs and NVMe drives have logic about where and what to overwrite that makes this less effective, leading to the possibility of data recovery from old drives. If the data is always encrypted at rest and the key is elsewhere (not on the drive, in a yubikey or TPM chip or your head), then the data is not recoverable.

[–] HakFoo@lemmy.sdf.org 10 points 8 hours ago (1 children)

From what I understand, some modern drives effectively encrypt everything at rest, but have the key on file internally so it decrypts transparently. This allows for a fast "wipe" where it just destroys the key instead of having to overwrite terabytes.

[–] bruhbeans@lemmy.ml 14 points 8 hours ago

that presumes trust in the drive manufacturer and their firmware

[–] anonfopyapper@lemmy.world 25 points 11 hours ago (3 children)

Pretty much all beginner friendly distros have this thing (Fedora, Debian, Ubuntu, Mint). You just have to enable it. Also make sure, if you are using secure boot, to remove Microsoft keys and generate your own. Also it's nice to have a BIOS password set up too.

[–] ElectricWaterfall@lemmy.zip 5 points 2 hours ago

Watch out about removing Microsoft’s keys! Some video drivers (nvidia) will only work with Microsoft’s keys and you might brick your system. Only remove Microsoft’s keys if you know what you’re doing.

[–] pemptago@lemmy.ml 1 points 5 hours ago

It's easy, if you install on a single drive. If you want home on a separate drive, encryption is not so easy, and you have to learn about cryptsetup, crypttab, etc. Quite a steep learning curve compared to the installer. I do hope distros provide better coverage of this in the future. Having home on a separate drive and encrypted is just good practice.

[–] jif@piefed.ca 4 points 7 hours ago

I did not know this about secure boot, I always just disabled it.

[–] umbrella@lemmy.ml 3 points 6 hours ago (1 children)

How is the state of TPM unlocking atm? I don't do it because I use my computer remotely, and having to locally unlock it would break the setup. On my laptop sure, always encrypted.

[–] notabot@piefed.social 3 points 6 hours ago

You can have your machine unencrypt using the TPM module, have a look at clevis for example. Once you've got it set up you can pretty much forget it's there.

[–] phoenixz@lemmy.ca 2 points 7 hours ago

I've been doing that since like was first introduced as a separate library already. I don't know better than that all my files are encrypted since well over a decade, probably almost two

[–] rinze@lemmy.ca 12 points 11 hours ago (9 children)

Also: encrypt everything you upload to the cloud with Cryptomator or something like that. It amazes me I used to put stuff directly in my pCloud folder.

[–] floofloof@lemmy.ca 9 points 11 hours ago* (last edited 11 hours ago) (1 children)

Cryptomator is good but it's important also to keep backups of the unencrypted content of the Cryptomator vault that are not encrypted by Cryptomator. (You could encrypt the backups with another system.) Cryptomator vaults are more fragile than the underlying file system, and it's easier for a glitch in the sync process to corrupt them so they're unrecoverable. I have lost data due to this in the past. So it's best to make sure all the contents of your vaults also exist somewhere else, encrypted in another way.

[–] rinze@lemmy.ca 2 points 8 hours ago (2 children)

I used borg for my backups, but why do you say Cryptomator vaults are fragile?

[–] Eheran@lemmy.world 1 points 5 hours ago

Because he experienced data loss, as he says?

[–] floofloof@lemmy.ca 3 points 7 hours ago* (last edited 6 hours ago) (1 children)

It's not that they're especially fragile. It's really only when you combine them with a sync process. I once had a sync go wrong and it resulted in the contents of a vault being unreadable. Because all you have are a bunch of encrypted files with meaningless names and a flattish structure, which Cryptomator interprets and mounts as a different directory structure, when something goes wrong it's not easy to know where in the vault files the problem lies. You can't say "ah, I'm missing the documents folder so I'll restore that one from backup" like you could with an unencrypted directory. And if you've made changes since the last vault backup you can't just restore the whole vault either. You could mount a backup of the vault from a time when it was intact, and then copy files across into your live copy, but I feel safer having a copy in another format somewhere else. Not necessary, I guess, but it can make recovery easier.

[–] rinze@lemmy.ca 2 points 6 hours ago

Ok, I understand. In my particular use case that shouldn't be an issue. My Cryptomator folder is local and I use it only locally. Then there's a sync process to copy stuff to pCloud automatically, but that copy is never touched directly by me.

But in any case as you said, backups.

[–] Eheran@lemmy.world 6 points 11 hours ago (3 children)

What about data safety, backups etc.? If someone has access to my PC, that is already pretty catastrophic.

[–] lunatique@lemmy.ml 7 points 11 hours ago

They can't access your files, they just have your computer. They could delete your files by wiping your drive, but they don't have your files, ensuring your privacy.

[–] RotatingParts@lemmy.ml 6 points 11 hours ago (3 children)

Good question. Along the same lines, if your disk is encrypted and you make a simple backup (say using cp) is the backup encrypted and if so, how do you restore from that?

[–] relativestranger@feddit.nl 7 points 11 hours ago

if your system uses full disk encryption (such as via LUKS) and you simply copy files off to an external or a secondary drive for a 'backup', no. the copy is not encrypted unless the destination has encryption set up on it, too.

the alternative would be using a backup program, instead of a simple file copy, that encrypts its backups.
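One way to check the point above before copying files off, as an added example that is not from this thread: the script resolves the block device under a destination path with util-linux findmnt and lsblk (assumed available) and refuses the copy unless some layer of that device is a dm-crypt mapping.

```shell
#!/bin/sh
# Added example (not from the thread): before copying files off a LUKS
# system to a 'backup' drive, confirm the destination itself sits on a
# dm-crypt mapping; otherwise the copy lands on that disk in plaintext.
set -eu

# Pure check: given lsblk's TYPE column for a device and its parents
# (one type per line), succeed if any layer is a dm-crypt mapping.
types_include_crypt() {
    printf '%s\n' "$1" | grep -qx 'crypt'
}

# Resolve the block device backing a path (findmnt), list it and its
# ancestors bottom-up (lsblk -s), and classify. Returns 0 when the
# destination is encrypted, 1 otherwise (including paths that are not on
# a block device at all, e.g. tmpfs or a network mount).
dest_is_encrypted() {
    src=$(findmnt -no SOURCE --target "$1" 2>/dev/null) || return 1
    src=${src%%"["*}          # strip btrfs subvolume suffix like [/@home]
    types=$(lsblk -sno TYPE "$src" 2>/dev/null) || return 1
    types_include_crypt "$types"
}

# Refuse a plaintext backup destination; succeed only on an encrypted one.
backup_guard() {
    if dest_is_encrypted "$1"; then
        echo "ok: $1 is on a dm-crypt device"
    else
        echo "refusing: $1 is not on a dm-crypt device; use an encrypting backup tool" >&2
        return 1
    fi
}

# Run as: sh check_dest.sh /mnt/backup
if [ $# -gt 0 ]; then
    backup_guard "$1"
fi
```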

[–] floofloof@lemmy.ca 5 points 11 hours ago* (last edited 9 hours ago)

It depends how the backup is encrypted. Most backup solutions will give you an encryption key, or a password to a key, that you have to keep safely and securely somewhere else. If you have an online password manager or a Keepass database in cloud storage, that would be a reasonable place to keep the key. Or on a USB stick (preferably more than one because they can fail) or a piece of paper which you mustn't lose.
