LUKS full encryption for desktop PCs - a question of sense

Hey guys :blush:
what do you think, does it make sense to use full encryption using LUKS even on a stationary desktop PC? I have encrypted all my computers with LUKS so far, especially for notebooks this is important because I have to take them with me when I am on the road.
However, my two desktop computers are not taken to other locations and there is likewise no access by strangers. I just set up LUKS encryption here as well out of habit and additional security concerns. However, since I value performance on my desktop PCs, I’m wondering whether it makes any sense at all to use full encryption here. What do you think about this, and how do you handle it?

Personally, I think there’s no point in using full encryption on desktop workstations or servers, and so I never even bothered doing it on mine. :man_shrugging:

If you fear someone stealing (or confiscating) your desktop PC, I’d recommend using encryption.

Like always with security: What is your attack scenario?

However, I don’t think that the computational overhead is too much of an impact.
Remember, that with data recovery tools it’s easy to restore your disk’s content after you give away your PC and disks.

So, as far as I know, I don’t do anything on the computer that would allow anyone to confiscate my computer. :innocent: And I don’t think that I am so interesting that the secret service would be on my heels. :grin: :stuck_out_tongue_winking_eye: However, I do have important and sensitive data on my computers for work purposes, which in turn synchronize with a self-built Nextcloud instance on a Raspberry Pi 4B. I would also be interested to know what the “usual scenario” is for us Manjaro users in this area.

Simple answer:

Desktop PC:

  • If you trust people/your family in your home, there is no need for full encryption.
  • If you don’t trust people in another location (not your home), then use full encryption or home encryption.

Laptop as a mobile device anywhere

  • Always full encryption or home encryption.
1 Like

Encryption or not encryption?

It is as opinionated as it gets and equally impossible to have an opinion of.

If you think your personal files and browser history cannot stand normal spouse scrutiny then you should encrypt your files.

If your work contains sensitive information such as e.g. a psychiatrist or similar then you should encrypt your system.

If you were a hacker/cracker/IP thief you wouldn’t need to ask.

If you were a government official or dealing with classified documents etc. - you wouldn’t have to ask.

If you just feel important, don’t bother - it’s just your imagination playing you.

3 Likes

Modern processors have an accelerated AES instruction set. Performance is a moot issue. Your CPU and RAM are much faster than the limits and bottlenecks of reading/writing to storage media anyways. (Yes, even to and from SSDs.)

1 Like

Encryption.

It’s not a matter of opinion. Encryption is always superior. Every time. Without exception. Always. Forever. That’s just a fact. F - A - C - T. Fact.

Amen!

Oh yeahhhhhhhhh! :beverage_box:

That’s inconsiderate and offensive to the polite hackers and thieves. Just the other day a thief tried to pickpocket my wallet. When I caught him in the act, he apologized for the inconvenience. Because he was so polite and respectful, I voluntarily handed him my wallet. I even invited him over to my house to give him my laptop. He was frustrated because everything’s encrypted with LUKS. So I did the right thing and told him the passphrase to unlock it. :blush: He was sooooooo grateful and appreciative! I really made his day. What a guy. Forgot to get his name… :pensive:

Oh yeah? A public school janitor works for the government. He’s always asking me about this stuff.

There is a middle ground where you don’t need to use encryption. Just put all your “important” and sensitive files in a folder named Math Homework. Hackers won’t even bother to check its contents. Math is boring! :sleeping:

This is a trick everybody knows :smirk::wink:

1 Like

I was a fan of FDE until I rebooted two machines this morning (one popOS and one Manjaro) and encountered cryptSetup errors that I’ve yet to resolve.

Apart from that, it’s not very computationally expensive and seems to mostly affect startup. As others have stated, it depends on your individual context.

Yes. Except for :

  • Speed
  • Maintenance
  • Fault Tolerance



…

1 Like

You’re quoting me out of context. Your reply is suspiciously missing a very important key point from my post.

I didn’t only say…

…I also reinforced it with…


I was top of my class in the high school debate club. :trophy:

Many have tried to best me. All have failed.

When you put it that way - the existential question becomes

To encrypt or not to encrypt - that is the choice ā€¦

:skull:

1 Like

I’ve been using full disk encryption[1] for about 2 years now. This is the first time I’ve had an issue (that wasn’t of my own making). Having said that, I have two backups so I haven’t lost any data.

[1] Unencrypted /boot

1 Like

Answering this question adequately is pretty much impossible.
The basic premise here is that one needs to construct a threat model.
You should be asking yourself some basic questions.

The first question you should ask is whether or not you actually have data on your computer that is worth protecting. Then you should determine who or what you think you’ll ever need it to be protected from.

In general, I think people should encrypt all of their devices, since the performance impact is negligible for most people, especially if your CPU has built-in instructions for AES in XTS mode.
The reason I think this is mainly because people often don’t realize just how much personal information is stored on their computers. That said, if you don’t have any truly sensitive information on your computer, given the fact that it’s a desktop PC and the assumption that someone won’t just be able to pull the hard drive whilst you’re not looking, you most likely don’t need FDE.

The main thing you probably should consider is the risk of losing a password and getting locked out of your drive. You can set up keyfile decryption as a backup, but that will just increase your attack surface.
Really, this is something you should decide for yourself. If you can live with the potential consequences of encrypting your drives, then do it. Otherwise–again assuming you don’t have sensitive information on the drive–just keep it unencrypted.
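
An added example, not part of any post in this thread: one way to check the performance point raised above (AES instructions, AES in XTS mode) against your own disk. It parses text in the format printed by `cryptsetup benchmark`; the sample figures, the disk throughput numbers and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: is aes-xts or the disk the limiting factor?
# Constructed sample in the layout printed by `cryptsetup benchmark`
# (an in-memory test, no storage I/O). The numbers are made up.
SAMPLE_BENCH='# Tests are approximate using memory only (no storage IO).
#     Algorithm |       Key |      Encryption |      Decryption
        aes-cbc        256b       980.4 MiB/s      3120.7 MiB/s
    serpent-xts        512b       610.2 MiB/s       590.8 MiB/s
        aes-xts        256b      3410.9 MiB/s      3395.1 MiB/s
        aes-xts        512b      2875.3 MiB/s      2860.6 MiB/s'

# Succeeds if the CPU feature line lists "aes" as a whole word.
# $1 = text in /proc/cpuinfo format ("flags" on x86, "Features" on ARM).
has_aes_flag() {
    printf '%s\n' "$1" | grep -E '^(flags|Features)' | head -n 1 | grep -qw aes
}

# Prints the slower of encryption/decryption (whole MiB/s) for one cipher row.
# $1 = benchmark text, $2 = cipher name, $3 = key size such as 512b.
cipher_floor() {
    printf '%s\n' "$1" | awk -v c="$2" -v k="$3" '
        $1 == c && $2 == k {
            e = $3 + 0; d = $5 + 0
            printf "%d\n", (e < d) ? e : d
            found = 1
        }
        END { exit !found }'
}

# Prints "disk" if aes-xts 512b keeps up with the disk, "cipher" if not.
# $1 = benchmark text, $2 = sequential disk throughput in MiB/s (measure it).
bottleneck() {
    floor=$(cipher_floor "$1" aes-xts 512b) || { echo unknown; return 1; }
    if [ "$floor" -ge "$2" ]; then echo disk; else echo cipher; fi
}

# Live use: bench=$(cryptsetup benchmark); bottleneck "$bench" <disk MiB/s>
# and: has_aes_flag "$(cat /proc/cpuinfo)" && echo "AES instructions present"
echo "Assumed 550 MiB/s disk:  limit is the $(bottleneck "$SAMPLE_BENCH" 550)"
echo "Assumed 3500 MiB/s disk: limit is the $(bottleneck "$SAMPLE_BENCH" 3500)"
```

With the constructed figures, the cipher outruns the slower disk but not the faster one, so the answer depends on the storage actually installed.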

Since you have 2 desktop systems you could try using one without encryption and see for yourself if it is any better for your needs

I have never tested speed for an SSD but I tested an HDD (5-6 years ago) and access time was marginally quicker without encryption

I have never used any encryption on desktop systems because I considered it more likely that I would lose access to important data than experience any external threat
and enjoying the simplicity of one less potential point of failure
There is no way to prevent access to encrypted data by government agents in this country. Refusing to hand over encryption keys can result in 2-5 years jail time. So hiding the data location is more of a concern than encryption

@winnie
Your opinion + spelling bee + suspicious split-infinitive - evidence = 0 factual basis
I suspect this is truthiness rather than truth