Encrypt your Linux with LUKS, like seriously.
from lunatique@lemmy.ml to privacy@lemmy.ml on 12 Oct 14:31
https://lemmy.ml/post/37434213
from lunatique@lemmy.ml to privacy@lemmy.ml on 12 Oct 14:31
https://lemmy.ml/post/37434213
This makes a world of difference. I know many people may know of it but may not actually do it. It Protects your files in case your computer is ever stolen and prevents alphabet agencies from just brute forcing into your Laptop or whatever.
I found that Limine (bootloader) has the fastest decryption when paired with LUKS at least for my laptop.
If your computer isn’t encrypted I could make a live USB of a distro, plug it into your computer, boot, and view your files on your hard drive. Completely bypassing your Login manager. If your computer is encrypted I could not. Use a strong password and different from your login
Benefits of Using LUKS with GRUB Enhanced Security
- Data Protection: LUKS (Linux Unified Key Setup) encrypts disk partitions, ensuring that data remains secure even if the physical device is stolen.
- Full Disk Encryption: It can encrypt the entire disk, including sensitive files and swap space, preventing unauthorized access to confidential information.
Compatibility with GRUB
- Unlocking from Bootloader: GRUB can unlock LUKS-encrypted partitions using the cryptomount command, allowing the system to boot securely without exposing sensitive data.
- Support for LVM: When combined with Logical Volume Management (LVM), LUKS allows for flexible partition management while maintaining encryption.
threaded - newest
Pretty much all beginner friendly distros have this thing (Fedora Debian Ubuntu Mint). You just have to enable it. Also make sure if you are using secure boot - remove Microsoft keys and generate your own. Also its nice to have bios password setup too.
I did not know this about secure boot, I always just disabled it.
It’s easy-- if you install on a single drive. If you want home on a separate drive, encryption is not so easy, and you have to learn about cryptsetup, crypttab, etc. Quite a steep learning curve compared to the installer. I do hope distros provide better coverage of this in the future. Having home on a separate drive and encrypted is just good practice.
Watch out about removing Microsoft’s keys! Some video drivers (nvidia) will only work with Microsoft’s keys and you might brick your system. Only remove Microsoft’s keys if you know what you’re doing.
What about data safety, backups etc.? If someone has access to my PC, that is already pretty catastrophic.
Good question. Along the same lines, if your disk is encrypted and you make a simple backup (say using cp) is the backup encrypted and if so, how do you restore from that?
if your system uses full disk encryption (such as via LUKS) and you simply copy files off to an external or a secondary drive for a ‘backup’, no. the copy is not encrypted unless the destination has encryption set up on it, too.
the alternative would be using a backup program, instead of a simply file copy, that encrypts its backups.
It depends how the backup is encrypted. Most backup solutions will give you an encryption key, or a password to a key, that you have to keep safely and securely somewhere else. If you have an online password manager or a Keepass database in cloud storage, that would be a reasonable place to keep the key. Or on a USB stick (preferably more than one because they can fail) or a piece of paper which you mustn’t lose.
the backup wouldn’t be encrypted but you can use luks to encrypt the backup drive too, the same way as you’d do with a drive in your computer.
i use rsync to send off my /home to an encrypted backup drive and restoring it you just reverse the source and destination and copy the stuff back.
I started using borg backup the other day. It also keeps deleted files for however long you want, so it protects against accidental deletes. You can basically tell it the date you want to restore from.
It can also encrypt the backup for you.
dmcrypt for backup drives. Ideally with detached encryption header, stored separately.
They can’t access your files, they just have your computer. They could delete your files by wiping your drive but they don’t have your files, ensuring your privacy
Also: encrypt everything you upload to the cloud with Cryptomator or something like that. I amazes me I used to put stuff directly in my pCloud folder.
Facts. I put everything on cloud (mega only) compressed with AES-256
I guess you mean encrypted.
No I meant compressed, it comes with the encryption.
<img alt="" src="https://lemmy.ml/pictrs/image/9a5d9375-5a8a-4977-ba50-a9cd7042865b.png">
AES-256 is just an encryption algorithm, it doesn’t do any compression on it’s own, so it’s not quite right to say its compressed with it. Really it was compressed, then afterwards encrypted with AES-256.
Sigh. I said i compress with AES-256. I compress my files with the compression that encrypts it. Just as the screenshot shows. (Compression+AES-256) I’m the OP of this post. Give me more credit. I know they are two different things. I think you just didn’t get what I was trying to say
To avoid confusion you could say, “along with”, or fully say, “I encrypt with AES-256 as I compress, in one step”.
It’s not necessarily about what you know, but about what readers will understand. (For example, someone who doesn’t know better might read what you wrote and think there is some way to compress using AES-256 and go down a rabbit hole.)
I understood what you meant, I was just pointing out that what you said was incorrect. Even in your reply you said
Which is still not entirely correct. The compression is not doing any encrypting. They are two separate processes that the tool you are using is presenting as a single step for convenience. You seem to know what you are talking about, and I happen to know about cryptography, but as someone else in the thread mentioned not everyone knows how these things work. If we are trying to spread knowledge and tips in this community (like your post is doing) then I just saw this as an opportunity to clarify something that was incorrect. Not for your benefit, but for others.
Cryptomator is good but it’s important also to keep backups of the unencrypted content of the Cryptomator vault that are not encrypted by Cryptomator. (You could encrypt the backups with another system.) Cryptomator vaults are more fragile than the underlying file system, and it’s easier for a glitch in the sync process to corrupt them so they’re unrecoverable. I have lost data due to this in the past. So it’s best to make sure all the contents of your vaults also exist somewhere else, encrypted in another way.
I used borg for my backups, but why do you say Cryptomator vaults are fragile?
It’s not that they’re especially fragile. It’s really only when you combine them with a sync process. I once had a sync go wrong and it resulted in the contents of a vault being unreadable. Because all you have are a bunch of encrypted files with meaningless names and a flattish structure, which Cryptomator interprets and mounts as a different directory structure, when something goes wrong it’s not easy to know where in the vault files the problem lies. You can’t say “ah, I’m missing the documents folder so I’ll restore that one from backup” like you could with an unencrypted directory. And if you’ve made changes since the last vault backup you can’t just restore the whole vault either. You could mount a backup of the vault from a time when it was intact, and then copy files across into your live copy, but I feel safer having a copy in another format somewhere else. Not necessary, I guess, but it can make recovery easier.
Ok, I understand. In my particular use case that shouldn’t be an issue. My Cryptomator folder is local and I use it only locally. Then there’s a sync process to copy stuff to pCloud automatically, but that copy is never touched directly by my.
But in any case as you said, backups.
Because he experienced data loss, as he says?
easy to use gui backup utilities (like pika and déjà dup) can also encrypt its backups
Inserting relevant XKCD as is required by internet law: xkcd.com/538/
<img alt="" src="https://feddit.org/pictrs/image/c79323be-58ff-4b8a-8750-6183d9fba5b4.png">
.
Not much good if they only have your laptop and not you.
You know you’re fucked if they use a wrench. That means you don’t have to be seen publicly ever again. There’s a chance for you if they’re using a rubber hose…
idk man, but I’d still much rather have encryption, even if I’m up against the alphabet boys:
What would actually happen is a bios level rootkit that installs a nearly invisible tiny rootkit on your device everytime it starts, but this is only if you are an important target. Most police departments can also just pay a private hacking company to steal your keys by using undisclosed exploits. Encryption can work well for other things but anything you wouldn’t want state or corporations seeing, you are better off just not ever putting it on your machine.
You can be private somewhat through obscurity. Using free software that doesn’t log you, not using any machine that’s in anyway tied to you to do stuff, setting up your own point to point connection to use someone else machine as your access point. Never having a microphone or camera anywhere near your hacking machine. I’m not really that type of hacker, more of a programmer/hardware person, but it can be done somewhat safely if you take every effort to protect your identity.
This is what I would do if I want ed to do something on the internet that might actually really piss off the FBI and NSA. Something like releasing the Epstein files to dozens of independent journalists around the world or something.
I’d get cash, and leave my phone at home, go to a thrift store and buy an old laptop. Wait a couple of months, and never power it on. I download dozens of Linux distros a year before this, something as small as possible, and lightweight as possible. Nothing network, maybe even tails.
Then I’d have it sitting on a thumb drive for many months before I dropped the files. One day before a lot of rain was coming in, I’d walk, not drive or anything, without my cell phone, using the tree cover to avoid spy satellite rewind surveillance, to a location where there is open wifi or an Ethernet jack.
Then I’d use several layers of proxying and VPNs, although this would be slow as shit. All on fresh accounts. Using nested VMs, each carrying an additional layer of VPNs. I’d use this as my set up my own network, by exploiting some random machines in the wild to get my last couple layers of VPNs.
Being careful to only type one word per second and not misspelling anything or in anyway aiding in any type of correlation attack, I’d first upload it in an encrypted format to a web host to speed up the next part, then I’d copy it to many places. I would then send it to as many people as possible, probably using a script to hit many emails addresses at once. As soon as the files hit the drive, I would assume I had about 5 minutes before the black helicopters showed up. At 5 mines I’d take a super strong magnet and start destroying the laptop, then I’d run away, find another safe spot, and then incinerate it.
Then I’d never tell anyone, go home, take a nap, wake up, talk to chatGPT about my amazing nap that I overslept on, and carve out some hidden spaces at abandoned houses and stuff to stash the actual drives with the info.
If you do anything less then this, you will probably get caught. Legal evidence is one thing, but you should never underestimate the numerous surveillance technologies they employ for unconstitutional surveillance. You n leed to be mindful of fingerprinting, (using only a throw away device and destroying it afterwards in a way that it’s not obvious that it was you) nothing that has ever touched your network or any files that that came from your PC or anything. It needs to exist in a totally separate universe. No connection whatsoever) you need to be mindful of cameras, license plate scanners, cellular modem surveillance, spy satellites which can see back in time to follow someone’s footsteps back through time. Correlation attacks, common word usage that can denote your region, common misspellings that you do, the particular way you type, root kits, assume every device is compromised and if you buy a device with a camera, don’t even open it until it’s been sitting for months and then remove the cameras and microphones, and never power it up anywhere near your house.
Another thing to be mindful of is fingerprinting your downloads, don’t download something on your PC and use it on your device.
Be wary of your footprints, this is why I said you would want to do this before a storm but perhaps maybe you would even tie wood to your shoes.
If you did this you could leak something like the Epstein files and probably get away with it, but if you are one of the few people who live in a neighborhood who is a hacker, I would expect that you’d have dozens of FBI agents watching every move you do and combing through your past to find any infraction that they could try to blackmail you with.
Never ever, trust an electronic device is better advice.
The same issue applies to Windows 10. I think the TPM (and a BIOS password) is supposed to address this for Windows 11 but I presume you could flush the NVRAM and access the files anyway. I don’t know what exact safeguards there are.
Either way, I am far more trustful of passwords I enter myself. Such as wafersGeezAfterCraze.
TPM uses parts of your system like hardware configuration, bios version, can even use parts of the OS, to generate a hashcode to decrypt your drive, so if anything gets replaced it wont automatically decrypt. what this allows is to have a much more complex decryption key and allows you to rely on OS security and much simpler passwords to protect your data because your OS (which cannot be replaced without breaking TPM) will protect against brute force attacks with retry delays and limits.
But it doesn’t protect against a cold boot attack though?
I think I know how this works with rEFInd, but I haven’t done it because… my drive is a dual-boot so… yeah, unless I get a laptop and install only Linux in 2030 maybe I’ll do it by then… But by then, I might need the extra security anyway.
You can still encrypt it with LUKS while dual booting in the year 2025.
fair, I JUST researched it, but, I only have that drive, where my data is, sooo if I mess up, woops, there goes my system.
I guess I’ll do it if I setup my next computer…?
Also: back in the day, you could wipe a drive with GNU Shred or just “dd if=/dev/zero of=/dev/hda”. SSDs and NVMe drives have logic about where and what to overwrite that makes this less effective, leading to the possibility of data recovery from old drives. If the data is always encrypted at rest and the key is elsewhere (not on the drive, in a yubikey or TPM chip or your head), then the data is not recoverable.
From what I understand, some modern drives effectively encrypt everything at rest, but have the key on file internally so it decrypts transparently. This allows for a fast “wipe” where it just destroys the key instead of having to overwrite terabytes.
that presumes trust in the drive manufacturer and their firmware
Limine does not have decryption, that’s just the linux kernel.
I’ve been doing that since like was first introduced as a separate library already. I don’t know better than that all my files are encrypted since well over a decade, probably almost two
how is the state of TPM unlocking atm? i don’t do it because i use my computer remotely, and having to locally unlock it would break the setup. on my laptop sure, always encrypted.
You can have your machine unencrypt using the TPM module, have a look at clevis for example. Once you’ve got it set up you can pretty much forget it’s there.
Set up full backups you can reliably recover with before doing this.
With Luks there are several situations you can end up in where you can’t just pop your disk out and pull files from it, removing a first response to many common hardware failures.
Here is the guide for Fedora: https://docs.fedoraproject.org/en-US/quick-docs/encrypting-drives-using-LUKS/
Seems a lot of distros put it under an advanced section in the installer, but I think the “advanced” option should be not enabling full-disk encryption, meaning you know what you’re doing and have assessed the risk.
Ideally, yes. The problem is that the non-advanced users then get prompted for their encryption key and then it’s “What are you talking about, I never set that up, what do you mean you can’t recover the photos of my grandkids!”
Setting up full-disk encryption on a Steam Deck with an on-screen keyboard should definitely be an option during SteamOS installation, but it’s a pain as it stands. It’s my only Linux device not using LUKS.
Pointless for gaming devices, nothing to hide on them, there will also be a small overhead for nothing.
Correct, nothing to hide because nobody gets their games from the high seas.
I use mine as a computer often. When I travel it stores notes, has my email accounts, and is a productive tool.
So yeah I would like to encrypt it. As it is I use vaults and back up encrypted to my own cloud. But it would be nice to simply do the whole thing.
Ok fair. But most of those tools are cloud based? Then wouldnt have to worry about an overhead lr encryption when the drive fails.
Encryption really is not much overhead with a modern processor.
I do believe the steam deck uses a modern processor with hardware cryptology.
1-3% overhead, last i check couple years ago. No clue now.
your gaming account may be able to do some damage
That’s one of the reasons why I installed OpenSUSE Tumbleweed on my Deck. I used unl0kr to put in my passphrase on boot. Unfortunately OpenSUSE removed the framebuffer device and the DRM backend doesn’t work correctly at the moment.
Dang, if those agencies ever see my Civilization 4 save games, I’ll be so royally embarrassed that I spent so much time on it that they could blackmail me to anything.
They should, because Civ5 is way better xD
obligatory SMAC is best comment
I found it better to just encrypt one folder with all my sensitive info (I use gocryptfs). i saw no reason to have my zshrc and init.lua encrypted 🙂 and I just encrypt data I don’t want in the hands of others…
Browsing history, Downloads folder, cache, etc. That’s good to have encrypted.
Just encrypt your home then.
Don’t forget /tmp, and maybe logs too. Theres docker storage and kvm image locations if you use that. Maybe others. FDE also makes an evil maid attack much less trivial too.
I don’t know, I don’t see a lot of damage or unpleasantness stemming from someone getting into my /tmp, but I don’t want any llm being fed contents of my /home. I am less afraid of an attack, as I am irked by corpos putting fingers into my shit
Also I am pretty sure I have at least some secrets in my shell history
You act like encrypting the whole drive makes it take more power or something
so the issue with whole drive encryption is that all the data is decrypted 100% of the time I’m using the device. even when I sleep the device …
with one folder, I ensure it’s unmounted and encrypted before my computer sleeps.
And what is the advantage of that?
Files are encrypted at rest, if they are not actively interfacing with the encrypted mount it is secure. If you encrypt your entire system it’s safe from attacks when powered off, but as soon as you’re booted in the machine is fully accessible.
But when your Computer is on and the drive is mounted, its also decrypted and available? What’s the attack vector here? Someone coming into my house yoinking my computer while its asleep without interrupting the power?
usually I sleep my laptop and take it with me. with full disk encryption, if my bag gets stolen my files are all decrypted if the attacker gets past the lock screen.
getting past a lock screen is much easier than breaking encryption ofc
more importantly my desktop is online 24/7 with a static IP. if I get hacked they get all my data (bank passwords etc). but with the one folder encryption, if I get hacked they get my zshrc and init.lua 🙂
Yeah but then you need to type in two passwords. A little annoying
It’s quite possible to set up LUKS with a USB key instead.
What if they get your laptop and your USB key then
Obviously that would be a total compromise. However this all depends on your threat model and how you usually use your laptop, and if someone were to steal it, would they also mug you for your flashdrive?
In my case, I just type the passphrase I have into the laptop, although my homelab server uses a USB so that it can unattended reboot, and I can put the USB in a secure location if it doesn’t need to reboot unattended.
Otherwise, in my case I usually go out with a laptop that if stolen, is only worth about $150 AUD so not a big financial hit. While I have LUKS as a passphrase, I’m not likely to be a target of any individual or entity that, if they really wanted my data, would also mug me for a USB key, so I could live with either.
Sarcasm?
That’s what TPM is supposed to solve. As long as nothing changes on the PC you don’t have to input a decryption password and access is protected by your usual user password.
On one of my computers I have LUKS and requires me to type in two passwords. Not sure if it has TPM
I wanna encrypt my BTRFS system, but not the FAT32 boot part. Only the Linux kernels are on FAT32 anyway, and I don’t care about encrypting those — they’re public stuff, not private files. I just let limine-entry-tool hash them to make sure they’re clean for booting, that’s totally fine for me.
I don’t like putting kernels on the Linux filesystem for GRUB — it just makes booting slower and causes random issues.
Yep. Can’t recover /home if you fuck around.
Keep it simple and stupid it is for me. I prefer to encrypt only my sensible files. And the browser runs in volatile memory.
And don’t forget folks: if this drive contains your whole digital identity, make sure your next ones do have the keys. If something happens to you, it is impossible to retrieve logins, photos, whatever your kin/whomever might need from that drive.
Same goes for e.g. homeservers, VPSs or anything your family relies on: tell them where they find the relevant logins and who could possibly help them, if they’re not capable. Grieving is hard enough, if they figure they also lost all memories of the beloved one, that’s terrible.