Hey guys
what do you think, does it make sense to use full encryption using LUKS even on a stationary desktop PC? I have encrypted all my computers with LUKS so far, especially for notebooks this is important because I have to take them with me when I am on the road.
However, my two desktop computers are not taken to other locations and there is likewise no access by strangers. I just set up LUKS encryption here as well out of habit and additional security concerns. However, since I value performance on my desktop PCs, I'm wondering whether it makes any sense at all to use full encryption here. What do you think about this, and how do you handle it?
Personally, I think there's no point in using full encryption on desktop workstations or servers, and so I never even bothered doing it on mine.
If you fear someone stealing (or confiscating) your desktop PC, I'd recommend using encryption.
Like always with security: What is your attack scenario?
However, I don't think that the computational overhead is too much of an impact.
Remember that with data recovery tools it's easy to restore your disk's content after you give away your PC and disks.
So, as far as I know, I don't do anything on the computer that would allow anyone to confiscate my computer. And I don't think that I am so interesting that the secret service would be on my heels. However, I do have important and sensitive data on my computers for work purposes, which in turn synchronize with a self-built Nextcloud instance on a Raspberry Pi 4B. I would also be interested to know what the "usual scenario" is for us Manjaro users in this area.
Simple answer:
Desktop PC:
- If you trust people/your family in your home, no need for full encryption.
- If you don't trust people in other locations (not your home), then use full encryption or home encryption.
Laptop as mobile device in anywhere
- Always full encryption or home encryption.
Encryption or not encryption?
It is as opinionated as it gets and equally impossible to have an opinion of.
If you think your personal files and browser history cannot stand normal spouse scrutiny then you should encrypt your files.
If your work contains sensitive information such as e.g. a psychiatrist or similar then you should encrypt your system.
If you were a hacker/cracker/IP thief you wouldn't need to ask.
If you were a government official or dealing with classified documents etc. - you wouldn't have to ask.
If you just feel important, don't bother - it's just your imagination playing you.
Modern processors have accelerated AES instruction set. Performance is a moot issue. Your CPU and RAM are much faster than the limits and bottlenecks of reading/writing to storage media anyways. (Yes, even to and from SSDs.)
Encryption.
It's not a matter of opinion. Encryption is always superior. Every time. Without exception. Always. Forever. That's just a fact. F - A - C - T. Fact.
Amen!
Oh yeahhhhhhhhh!
That's inconsiderate and offensive to the polite hackers and thieves. Just the other day a thief tried to pickpocket my wallet. When I caught him in the act, he apologized for the inconvenience. Because he was so polite and respectful, I voluntarily handed him my wallet. I even invited him over to my house to give him my laptop. He was frustrated because everything's encrypted with LUKS. So I did the right thing and told him the passphrase to unlock it. He was sooooooo grateful and appreciative! I really made his day. What a guy. Forgot to get his name…
Oh yeah? A public school janitor works for the government. He's always asking me about this stuff.
There is a middle ground where you don't need to use encryption. Just put all your "important" and sensitive files in a folder named Math Homework. Hackers won't even bother to check its contents. Math is boring!
This is a trick everybody knows
I was a fan of FDE until I rebooted two machines this morning (one popOS and one Manjaro) and encountered cryptSetup errors that I've yet to resolve.
Apart from that, it's not very computationally expensive and seems to mostly affect startup. As others have stated, it depends on your individual context.
You're quoting me out of context. Your reply is suspiciously missing a very important key point from my post.
I didn't only say…
…I also reinforced it with…
I was top of my class in the highschool debate club.
Many have tried to best me. All have failed.
When you put it that way - the existential question becomes
To encrypt or not to encrypt - that is the choice …
I've been using full disk encryption[1] for about 2 years now. This is the first time I've had an issue (that wasn't of my own making). Having said that, I have two backups so I haven't lost any data.
[1] Unencrypted /boot
Answering this question adequately is pretty much impossible.
The basic premise here is that one needs to construct a threat model.
You should be asking yourself some basic questions.
The first question you should ask is whether or not you actually have data on your computer that is worth protecting. Then you should determine who or what you think you'll ever need it to be protected from.
In general, I think people should encrypt all of their devices, since the performance impact is negligible for most people, especially if your CPU has builtin instructions for AES in XTS mode.
The reason I think this is mainly because people often don't realize just how much personal information is stored on their computers. That said, if you don't have any truly sensitive information on your computer, given the fact that it's a desktop PC and the assumption that someone won't just be able to pull the hard drive whilst you're not looking, you most likely don't need FDE.
The main thing you probably should consider is the risk of losing a password and getting locked out of your drive. You can set up keyfile decryption as a backup, but that will just increase your attack surface.
Really, this is something you should decide for yourself. If you can live with the potential consequences of encrypting your drives, then do it. Otherwise, again assuming you don't have sensitive information on the drive, just keep it unencrypted.
Since you have 2 desktop systems you could try using one without encryption and see for yourself if it is any better for your needs
I have never tested speed for an SSD but I tested an HDD (5-6 years ago) and access time was marginally quicker without encryption
I have never used any encryption on desktop systems because I considered it more likely that I would lose access to important data than experience any external threat
and enjoying the simplicity of one less potential point of failure
There is no way to prevent access to encrypted data by government agents in this country. Refusing to hand over encryption keys can result in 2-5 years jail time. So hiding the data location is more of a concern than encryption
@winnie
Your opinion + spelling bee + suspicious split-infinitive - evidence = 0 factual basis
I suspect this is truthiness rather than truth