This makes a world of difference. I know many people may know of it but may not actually do it. It Protects your files in case your computer is ever stolen and prevents alphabet agencies from just brute forcing into your Laptop or whatever.
I found that Limine (bootloader) has the fastest decryption when paired with LUKS at least for my laptop.
If your computer isn’t encrypted I could make a live USB of a distro, plug it into your computer, boot, and view your files on your hard drive. Completely bypassing your Login manager. If your computer is encrypted I could not. Use a strong password and different from your login
Benefits of Using LUKS with GRUB Enhanced Security
- Data Protection: LUKS (Linux Unified Key Setup) encrypts disk partitions, ensuring that data remains secure even if the physical device is stolen.
- Full Disk Encryption: It can encrypt the entire disk, including sensitive files and swap space, preventing unauthorized access to confidential information.
Compatibility with GRUB
- Unlocking from Bootloader: GRUB can unlock LUKS-encrypted partitions using the cryptomount command, allowing the system to boot securely without exposing sensitive data.
- Support for LVM: When combined with Logical Volume Management (LVM), LUKS allows for flexible partition management while maintaining encryption.
corpos aren’t who you’re protecting against with encrypted drives… they’re not going to gain access to anything via bypassing your OS: they get everything via software you’ve installed or things like tracking
the main thing you’re protecting against with encryption is theft (or if you think you’re being physically targeted, it also stops them from modifying your system… eg replacing your kernel or a binary that gives them access somehow)
Indeed. Best to think of disk encryption as protection from physical access -i.e., theft, but also accidentally recycled drives later on. It provides zero protection from somebody attacking your running system, that’s the job of the operating system and client software like web browsers. While the system is running, the drive is decrypted and unprotected.
I just prefer fde because it’s simpler. There’s no guessing about what needs to be encrypted and what doesn’t. There isn’t any human-noticiable performance impact on modern computers, so there’s not really a downside besides having 2 password prompts whenever I actually do a full reboot.
Yeah, but the thing is, I’m not really afraid about anyone else. If someone steals my laptop or finds it or whatever, I don’t really care about what they do with my docker cache. And I’m not a target of any particular hacker group. I just feel dirty when corpos train their LLM on my data to sell me useless shit back, so that’s kind of the only thing that I would like to avoid.
i think they’re 2 different, but equally important things to protect against
shit companies using your information is almost guaranteed so you want to protect against that, but FDE does nothing for that
but losing your laptop with an unprotected disk can be catastrophic for your life… your entire browser session (so probably your email, and therefor password resets and confirmations), any cloud (or self hosted storage with saved credentials) storage that you have… idk about you, but the contents of my disk are plenty to steal my identity even without needing to social engineer, and with my email and other bits of info that’s plenty to social engineer probably anything up to and including a passport
training an LLM on chats might make you feel dirty, but an unencrypted disk can ruin your life for years and cause problems potentially forever