A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
- Don’t promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
- 0 users online
- 108 users / day
- 435 users / week
- 1.32K users / month
- 4.54K users / 6 months
- 1 subscriber
- 4.39K Posts
- 111K Comments
- Modlog
Encfs + pam mount home.
/tmp and var/run in tmpfs
No swap.
arch linux was what forced me to use LUKS on all of my installs regardless of distros, btw.
i used the standard layout:/boot, /, /home, swap. So when the installs break, the best way to fix is to use the archiso and remount and re arch-chroot.
Well… i found out that without LUKS, anybody can use any distros live cd and mount my stuff.
At first, I used LUKs only on the main partitions: so / and /home, or just / if no separate /home. Swap remains unencrypted. Boot is also unencrypted.
You could encrypt those too but need more work and hackery stuff:
encrypted boot: can be slow if you boot the compututer from cold. There’s also this thing where you need to enter the password twice => think Fedora has an article to get around this. Iirc, it involves storing the boot’s encrypted password as a key deep within the root directory.
encrypted swap: the tricky thing is to use this with hibernation. I managed to get it to work once but with Zram stuff, I dont use hibernation anymore. It involved writing the correct arguments in the /boot/grub/grub.cfg. Basically tells the bootloader to hibernate and resume from hibernation with the correct UUID.
I like to keep a key on a USB so the computer boots either with a ridiculously strong backup password or a key on a USB drive. I like tiny little USB drives. So, if you find yourself in an airport or wherever and you just “lose” the USB then the device is automatically locked down.
I built a small set of scripts to decrypt when the initrd starts and can load from a file in the initrd (from separate volume), EFI, or various combinations of passphrase in GRUB. The main intent isn’t to keep out somebody with physical access to the machine and sufficient time but rather makes it a lot easier to make the data unrecoverable when the drive is disposed of.
It took me several attempts to get this right, but it’s a game changer.
Yep, I made sooooo many notes and tried a bunch of different options. In the end I was able to get it working well with Grub,l and Arch.
Last time I had LUKS setup on my main laptop, there was a surprizingly sharp hit in performance.
I’m glad I have the option, but is it really the most appropriate thing for me to use right now? It just doesn’t make sense to talk about security and privacy without a clear threat model first.
What kind of CPU is in that laptop? The vast majority of x86 CPUs from the past 10 years include hardware acceleration for AES encryption so that the performance hit is negligible.
It’s a Thinkpad P51 with a Xeon chip of some sort. Yeah I don’t know what happened there, only that switching to fedora without full disk encryption has resulted in much greater performance, like a difference between being able to do some gaming or not. So many variable changed there that I don’t even know if the crypto had anything to do with it.
removed by mod
The type of partition I created was Debian’s default settings at the time.
This is where the threat modeling comes in. The laptop in question is not currently likely to be physically searched - nor does it contain any data that is likely to put me at any risk if it is searched, and the more prudent things I can be doing to protect my privacy have more to do with getting away from Android/Play Store, and being less dependent on other surveillance-capitalism services like YouTube, Google Maps, etc.
I will likely use LUKS again in the future, but there are broader overhauls I need to make to my digital life first.
removed by mod
Currently I have fragments of my data stored on at least half a dozen devices that I’ve accumulated over the years. My digital life is as messy as my adhd brain. I plan on setting up a NAS at some point, and will likely both consolidate all my data there and use LUKS. But until then encrypting one drive is the least of my problems.
Although anti-theft tech in my laptop might be kind of neat.
And don’t forget folks: if this drive contains your whole digital identity, make sure your next ones do have the keys. If something happens to you, it is impossible to retrieve logins, photos, whatever your kin/whomever might need from that drive.
Same goes for e.g. homeservers, VPSs or anything your family relies on: tell them where they find the relevant logins and who could possibly help them, if they’re not capable. Grieving is hard enough, if they figure they also lost all memories of the beloved one, that’s terrible.
Yep. Can’t recover /home if you fuck around.
Keep it simple and stupid it is for me. I prefer to encrypt only my sensible files. And the browser runs in volatile memory.
I wanna encrypt my BTRFS system, but not the FAT32 boot part. Only the Linux kernels are on FAT32 anyway, and I don’t care about encrypting those — they’re public stuff, not private files. I just let limine-entry-tool hash them to make sure they’re clean for booting, that’s totally fine for me.
I don’t like putting kernels on the Linux filesystem for GRUB — it just makes booting slower and causes random issues.
Yeah but then you need to type in two passwords. A little annoying
That’s what TPM is supposed to solve. As long as nothing changes on the PC you don’t have to input a decryption password and access is protected by your usual user password.
On one of my computers I have LUKS and requires me to type in two passwords. Not sure if it has TPM
Could be a misconfiguration. Can happen when you have more than one partition that is encrypted. Grub would decrypt only root and fail to pass through the passphrase to decrypt the others. Can be fixed by putting a decryption key somewhere on the root partition and adding that to the other partitions.
That’s definitely not how it should be, unless you have two different passphrases.
Sarcasm?
It’s quite possible to set up LUKS with a USB key instead.
What if they get your laptop and your USB key then
Obviously that would be a total compromise. However this all depends on your threat model and how you usually use your laptop, and if someone were to steal it, would they also mug you for your flashdrive?
In my case, I just type the passphrase I have into the laptop, although my homelab server uses a USB so that it can unattended reboot, and I can put the USB in a secure location if it doesn’t need to reboot unattended.
Otherwise, in my case I usually go out with a laptop that if stolen, is only worth about $150 AUD so not a big financial hit. While I have LUKS as a passphrase, I’m not likely to be a target of any individual or entity that, if they really wanted my data, would also mug me for a USB key, so I could live with either.
I found it better to just encrypt one folder with all my sensitive info (I use gocryptfs). i saw no reason to have my zshrc and init.lua encrypted 🙂 and I just encrypt data I don’t want in the hands of others…
Do both
I did think about this… but decided against it in the end. maybe on my next computer
You act like encrypting the whole drive makes it take more power or something
so the issue with whole drive encryption is that all the data is decrypted 100% of the time I’m using the device. even when I sleep the device …
with one folder, I ensure it’s unmounted and encrypted before my computer sleeps.
But when your Computer is on and the drive is mounted, its also decrypted and available? What’s the attack vector here? Someone coming into my house yoinking my computer while its asleep without interrupting the power?
I have seen the use of such a device by gov’t agencies; basically a large UPS that clips onto the AC plug’s prongs so that a running server or desktop PC can be confiscated without power being interrupted.
this sounds cool. if my desktop is plugged into the wall, how would they unplug it to plug it into their device without my computer losing power momentarily?
It splices into the live power cord and supplies the same voltage in parallel. When the connection is verified good, the PC is powered from battery and can be unplugged from the wall.
jeez. so strip the live wire. splice in UPS. then switch over. sounds hard (and dangerous)
So just don’t put your Computer to sleep, but turn of off when you leave it?
usually I sleep my laptop and take it with me. with full disk encryption, if my bag gets stolen my files are all decrypted if the attacker gets past the lock screen.
getting past a lock screen is much easier than breaking encryption ofc
more importantly my desktop is online 24/7 with a static IP. if I get hacked they get all my data (bank passwords etc). but with the one folder encryption, if I get hacked they get my zshrc and init.lua 🙂
So the solution is to not put the laptop asleep but turning it off.
lol no. i currently reboot once every two weeks and find it a chore. (it’s my one complaint about arch as the kernel updates are so frequent). I’m def not going to waste time reopening all my windows and tabs every time I open my computer just to keep my zshrc encrypted. i realized long ago that security and usability are inversely related, and I picked the middle ground that suits me
And what is the advantage of that?
Files are encrypted at rest, if they are not actively interfacing with the encrypted mount it is secure. If you encrypt your entire system it’s safe from attacks when powered off, but as soon as you’re booted in the machine is fully accessible.
Browsing history, Downloads folder, cache, etc. That’s good to have encrypted.
ur def right about this. there are a few other things (e. g. cached mail etc) that would be good to encrypt, which I don’t do right now.
if my computer gets stolen I figure no one will bother with my data unless they stand to immediately gain financially. e.g. ransom. my data (I have backups) or access my bank info (I keep this encrypted) and steal my identity. so I protect against this as best as I can without sacrificing usability too much
Also I am pretty sure I have at least some secrets in my shell history
Just encrypt your home then.
Don’t forget /tmp, and maybe logs too. Theres docker storage and kvm image locations if you use that. Maybe others. FDE also makes an evil maid attack much less trivial too.
I don’t know, I don’t see a lot of damage or unpleasantness stemming from someone getting into my /tmp, but I don’t want any llm being fed contents of my /home. I am less afraid of an attack, as I am irked by corpos putting fingers into my shit
corpos aren’t who you’re protecting against with encrypted drives… they’re not going to gain access to anything via bypassing your OS: they get everything via software you’ve installed or things like tracking
the main thing you’re protecting against with encryption is theft (or if you think you’re being physically targeted, it also stops them from modifying your system… eg replacing your kernel or a binary that gives them access somehow)
Yeah, but the thing is, I’m not really afraid about anyone else. If someone steals my laptop or finds it or whatever, I don’t really care about what they do with my docker cache. And I’m not a target of any particular hacker group. I just feel dirty when corpos train their LLM on my data to sell me useless shit back, so that’s kind of the only thing that I would like to avoid.
i think they’re 2 different, but equally important things to protect against
shit companies using your information is almost guaranteed so you want to protect against that, but FDE does nothing for that
but losing your laptop with an unprotected disk can be catastrophic for your life… your entire browser session (so probably your email, and therefor password resets and confirmations), any cloud (or self hosted storage with saved credentials) storage that you have… idk about you, but the contents of my disk are plenty to steal my identity even without needing to social engineer, and with my email and other bits of info that’s plenty to social engineer probably anything up to and including a passport
training an LLM on chats might make you feel dirty, but an unencrypted disk can ruin your life for years and cause problems potentially forever
Indeed. Best to think of disk encryption as protection from physical access -i.e., theft, but also accidentally recycled drives later on. It provides zero protection from somebody attacking your running system, that’s the job of the operating system and client software like web browsers. While the system is running, the drive is decrypted and unprotected.
I just prefer fde because it’s simpler. There’s no guessing about what needs to be encrypted and what doesn’t. There isn’t any human-noticiable performance impact on modern computers, so there’s not really a downside besides having 2 password prompts whenever I actually do a full reboot.
Dang, if those agencies ever see my Civilization 4 save games, I’ll be so royally embarrassed that I spent so much time on it that they could blackmail me to anything.
They should, because Civ5 is way better xD
obligatory SMAC is best comment
Setting up full-disk encryption on a Steam Deck with an on-screen keyboard should definitely be an option during SteamOS installation, but it’s a pain as it stands. It’s my only Linux device not using LUKS.
That’s one of the reasons why I installed OpenSUSE Tumbleweed on my Deck. I used unl0kr to put in my passphrase on boot. Unfortunately OpenSUSE removed the framebuffer device and the DRM backend doesn’t work correctly at the moment.
Pointless for gaming devices, nothing to hide on them, there will also be a small overhead for nothing.
your gaming account may be able to do some damage
I use mine as a computer often. When I travel it stores notes, has my email accounts, and is a productive tool.
So yeah I would like to encrypt it. As it is I use vaults and back up encrypted to my own cloud. But it would be nice to simply do the whole thing.
Ok fair. But most of those tools are cloud based? Then wouldnt have to worry about an overhead lr encryption when the drive fails.
Encryption really is not much overhead with a modern processor.
I do believe the steam deck uses a modern processor with hardware cryptology.
1-3% overhead, last i check couple years ago. No clue now.
Correct, nothing to hide because nobody gets their games from the high seas.
Seems a lot of distros put it under an advanced section in the installer, but I think the “advanced” option should be not enabling full-disk encryption, meaning you know what you’re doing and have assessed the risk.
Ideally, yes. The problem is that the non-advanced users then get prompted for their encryption key and then it’s “What are you talking about, I never set that up, what do you mean you can’t recover the photos of my grandkids!”
Here is the guide for Fedora: https://docs.fedoraproject.org/en-US/quick-docs/encrypting-drives-using-LUKS/
Set up full backups you can reliably recover with before doing this.
With Luks there are several situations you can end up in where you can’t just pop your disk out and pull files from it, removing a first response to many common hardware failures.
deleted by creator
You can have your machine unencrypt using the TPM module, have a look at clevis for example. Once you’ve got it set up you can pretty much forget it’s there.