This makes a world of difference. I know many people may know of it but may not actually do it. It Protects your files in case your computer is ever stolen and prevents alphabet agencies from just brute forcing into your Laptop or whatever.
I found that Limine (bootloader) has the fastest decryption when paired with LUKS at least for my laptop.
If your computer isn’t encrypted I could make a live USB of a distro, plug it into your computer, boot, and view your files on your hard drive. Completely bypassing your Login manager. If your computer is encrypted I could not. Use a strong password and different from your login
Benefits of Using LUKS with GRUB Enhanced Security
- Data Protection: LUKS (Linux Unified Key Setup) encrypts disk partitions, ensuring that data remains secure even if the physical device is stolen.
- Full Disk Encryption: It can encrypt the entire disk, including sensitive files and swap space, preventing unauthorized access to confidential information.
Compatibility with GRUB
- Unlocking from Bootloader: GRUB can unlock LUKS-encrypted partitions using the cryptomount command, allowing the system to boot securely without exposing sensitive data.
- Support for LVM: When combined with Logical Volume Management (LVM), LUKS allows for flexible partition management while maintaining encryption.
so the issue with whole drive encryption is that all the data is decrypted 100% of the time I’m using the device. even when I sleep the device …
with one folder, I ensure it’s unmounted and encrypted before my computer sleeps.
But when your Computer is on and the drive is mounted, its also decrypted and available? What’s the attack vector here? Someone coming into my house yoinking my computer while its asleep without interrupting the power?
I have seen the use of such a device by gov’t agencies; basically a large UPS that clips onto the AC plug’s prongs so that a running server or desktop PC can be confiscated without power being interrupted.
this sounds cool. if my desktop is plugged into the wall, how would they unplug it to plug it into their device without my computer losing power momentarily?
It splices into the live power cord and supplies the same voltage in parallel. When the connection is verified good, the PC is powered from battery and can be unplugged from the wall.
So just don’t put your Computer to sleep, but turn of off when you leave it?
usually I sleep my laptop and take it with me. with full disk encryption, if my bag gets stolen my files are all decrypted if the attacker gets past the lock screen.
getting past a lock screen is much easier than breaking encryption ofc
more importantly my desktop is online 24/7 with a static IP. if I get hacked they get all my data (bank passwords etc). but with the one folder encryption, if I get hacked they get my zshrc and init.lua 🙂
So the solution is to not put the laptop asleep but turning it off.
lol no. i currently reboot once every two weeks and find it a chore. (it’s my one complaint about arch as the kernel updates are so frequent). I’m def not going to waste time reopening all my windows and tabs every time I open my computer just to keep my zshrc encrypted. i realized long ago that security and usability are inversely related, and I picked the middle ground that suits me
And what is the advantage of that?
Files are encrypted at rest, if they are not actively interfacing with the encrypted mount it is secure. If you encrypt your entire system it’s safe from attacks when powered off, but as soon as you’re booted in the machine is fully accessible.