This makes a world of difference. I know many people may know of it but may not actually do it. It protects your files in case your computer is ever stolen and prevents alphabet agencies from just brute-forcing their way into your laptop or whatever.

I found that Limine (bootloader) has the fastest decryption when paired with LUKS at least for my laptop.

If your computer isn’t encrypted, I could make a live USB of a distro, plug it into your computer, boot, and view your files on your hard drive, completely bypassing your login manager. If your computer is encrypted, I could not. Use a strong password, and a different one from your login.

Benefits of Using LUKS with GRUB

Enhanced Security

  • Data Protection: LUKS (Linux Unified Key Setup) encrypts disk partitions, ensuring that data remains secure even if the physical device is stolen.
  • Full Disk Encryption: It can encrypt the entire disk, including sensitive files and swap space, preventing unauthorized access to confidential information.

Compatibility with GRUB

  • Unlocking from Bootloader: GRUB can unlock LUKS-encrypted partitions using the cryptomount command, allowing the system to boot securely without exposing sensitive data.
  • Support for LVM: When combined with Logical Volume Management (LVM), LUKS allows for flexible partition management while maintaining encryption.
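The first thing to verify after setting this up is that the partition really does carry a LUKS header, which is what stops the live-USB trick above (the data behind the header is ciphertext without the key). The following is an added example, not code from the post or from cryptsetup: a small reader for the binary LUKS header that reports cipher, hash and active key slots for LUKS1 and detects LUKS2, roughly what `cryptsetup isLuks` and `cryptsetup luksDump` show. The sample header it builds is constructed in the script (the UUID, iteration counts and salts are illustrative, not from a real disk); pass a device or image path as the first argument to inspect a real one.

```python
"""Inspect a LUKS header to confirm a partition is actually encrypted.

Added example: offline equivalent of `cryptsetup isLuks` / `luksDump`
for the binary header. LUKS2 key slots live in a JSON area after the
binary header and are not parsed here.
"""
from __future__ import annotations

import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"   # primary header magic for LUKS1 and LUKS2
LUKS1_HEADER_LEN = 592         # fixed-size LUKS1 header
READ_LEN = 4096                # also covers the LUKS2 binary header
KEY_ENABLED = 0x00AC71F3       # LUKS1 key-slot state constants
KEY_DISABLED = 0x0000DEAD
NUM_SLOTS = 8


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def is_luks(hdr: bytes) -> bool:
    return len(hdr) >= 8 and hdr[:6] == LUKS_MAGIC


def parse_luks_header(hdr: bytes) -> dict:
    """Describe a LUKS header; raise ValueError if it is not one."""
    if not is_luks(hdr):
        raise ValueError("not a LUKS header (magic mismatch)")
    version = struct.unpack_from(">H", hdr, 6)[0]
    if version == 1:
        return _parse_luks1(hdr)
    if version == 2:
        return _parse_luks2(hdr)
    raise ValueError(f"unsupported LUKS version {version}")


def _parse_luks1(hdr: bytes) -> dict:
    if len(hdr) < LUKS1_HEADER_LEN:
        raise ValueError("truncated LUKS1 header")
    payload_offset, key_bytes = struct.unpack_from(">II", hdr, 104)
    slots = []
    for i in range(NUM_SLOTS):
        off = 208 + 48 * i          # eight 48-byte key-slot records
        state, iterations = struct.unpack_from(">II", hdr, off)
        if state == KEY_ENABLED:
            slots.append({"slot": i, "iterations": iterations})
        elif state != KEY_DISABLED:
            raise ValueError(f"key slot {i} has corrupt state {state:#x}")
    return {"version": 1, "cipher": _cstr(hdr[8:40]), "mode": _cstr(hdr[40:72]),
            "hash": _cstr(hdr[72:104]), "key_bits": key_bytes * 8,
            "payload_offset_sectors": payload_offset, "uuid": _cstr(hdr[168:208]),
            "active_slots": slots}


def _parse_luks2(hdr: bytes) -> dict:
    return {"version": 2, "header_size": struct.unpack_from(">Q", hdr, 8)[0],
            "label": _cstr(hdr[24:72]), "checksum_alg": _cstr(hdr[72:104]),
            "uuid": _cstr(hdr[168:208])}


def build_sample_luks1_header() -> bytes:
    """Constructed LUKS1 header with illustrative values (not from a real disk)."""
    hdr = bytearray(LUKS1_HEADER_LEN)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:11] = b"aes"
    hdr[40:51] = b"xts-plain64"
    hdr[72:78] = b"sha256"
    struct.pack_into(">II", hdr, 104, 4096, 64)   # payload offset (sectors), 512-bit key
    hdr[112:132] = b"\x11" * 20                    # master-key digest (dummy)
    hdr[132:164] = b"\x22" * 32                    # digest salt (dummy)
    struct.pack_into(">I", hdr, 164, 1000)         # digest iterations
    hdr[168:204] = b"3f2504e0-4f89-11d3-9a0c-0305e82c3301"   # sample UUID
    for i in range(NUM_SLOTS):
        off = 208 + 48 * i
        if i in (0, 1):                            # two passphrases enrolled
            struct.pack_into(">II", hdr, off, KEY_ENABLED, 231000 - 27000 * i)
            hdr[off + 8:off + 40] = bytes([0x30 + i]) * 32          # slot salt (dummy)
            struct.pack_into(">II", hdr, off + 40, 8 + 256 * i, 4000)  # key-material offset, stripes
        else:
            struct.pack_into(">II", hdr, off, KEY_DISABLED, 0)
    return bytes(hdr)


def read_header(path: str) -> bytes:
    """Read the start of a block device or image (root is usually needed for /dev/*)."""
    with open(path, "rb") as f:
        return f.read(READ_LEN)


if __name__ == "__main__":
    header = read_header(sys.argv[1]) if len(sys.argv) > 1 else build_sample_luks1_header()
    for key, value in parse_luks_header(header).items():
        print(f"{key}: {value}")
```

A header with no active key slots, or one whose slot states are neither of the two constants, is exactly the "can't just pop your disk out" situation: without an intact header and at least one slot you can unlock, the payload is unrecoverable, which is why a header backup belongs with the full backups mentioned below.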
  • stupid_asshole69 [none/use name]@hexbear.net · 13 upvotes · 3 days ago

    Set up full backups you can reliably recover with before doing this.

    With LUKS there are several situations you can end up in where you can’t just pop your disk out and pull files from it, removing a first response to many common hardware failures.

  • bruhbeans@lemmy.ml · 12 upvotes · 3 days ago

    Also: back in the day, you could wipe a drive with GNU shred or just “dd if=/dev/zero of=/dev/hda”. SSDs and NVMe drives have logic about where and what to overwrite that makes this less effective, leading to the possibility of data recovery from old drives. If the data is always encrypted at rest and the key is elsewhere (not on the drive: in a YubiKey or TPM chip or your head), then the data is not recoverable.

    • HakFoo@lemmy.sdf.org · 4 upvotes · 3 days ago

      From what I understand, some modern drives effectively encrypt everything at rest, but have the key on file internally so it decrypts transparently. This allows for a fast “wipe” where it just destroys the key instead of having to overwrite terabytes.

  • ☂️-@lemmy.ml · 4 upvotes · 3 days ago

    How is the state of TPM unlocking at the moment? I don’t do it because I use my computer remotely, and having to locally unlock it would break the setup. On my laptop, sure, always encrypted.

  • I think I know how this works with rEFInd, but I haven’t done it because… my drive is a dual-boot, so… yeah, unless I get a laptop and install only Linux in 2030, maybe I’ll do it by then… But by then, I might need the extra security anyway.

  • Tenderizer78@lemmy.ml · 5 upvotes, 1 downvote · 3 days ago

    The same issue applies to Windows 10. I think the TPM (and a BIOS password) is supposed to address this for Windows 11 but I presume you could flush the NVRAM and access the files anyway. I don’t know what exact safeguards there are.

    Either way, I am far more trustful of passwords I enter myself. Such as wafersGeezAfterCraze.

    • BennyCHill [he/him]@hexbear.net · 2 upvotes · 2 days ago

      TPM uses parts of your system, like the hardware configuration and BIOS version, and can even use parts of the OS, to generate a hash code to decrypt your drive, so if anything gets replaced it won’t automatically decrypt. What this allows is a much more complex decryption key, and it lets you rely on OS security and much simpler passwords to protect your data, because your OS (which cannot be replaced without breaking TPM) will protect against brute-force attacks with retry delays and limits.
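To make the mechanism in the last two comments concrete (and to answer the earlier question about the state of TPM unlocking): the TPM does not hash your disk, it records measurements of firmware, bootloader and boot policy into PCRs, and the disk key is sealed so that it is only released while those PCRs hold the values they had at enrolment. The following is an added example, not code from the thread and not a real TPM: a toy model in plain Python (hashlib/hmac only) of PCR extension, sealing a volume key to a PCR policy plus a PIN, and the dictionary-attack lockout a TPM applies to PIN failures. The boot "events", PCR indices, PIN and `FakeTPM` class are all constructed for illustration; real setups use tools such as systemd-cryptenroll or clevis against the TPM's own key hierarchy.

```python
"""Toy model of TPM-sealed disk unlocking (added example, not a real TPM).

Models: PCR extend, sealing to a PCR policy + PIN, and the lockout that
answers 'why can a TPM-backed PIN be short'. Keys and measurements are
constructed here; nothing talks to hardware.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

PCR_INIT = bytes(32)   # SHA-256 PCR banks start at all zeros


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: a PCR can only move forward by hashing the next event into it."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(events: dict[int, list[bytes]]) -> dict[int, bytes]:
    """Replay a (constructed) boot event log into PCR values, in order."""
    pcrs = {}
    for index, items in events.items():
        value = PCR_INIT
        for item in items:
            value = extend(value, item)
        pcrs[index] = value
    return pcrs


def policy_digest(pcrs: dict[int, bytes], selection) -> bytes:
    """Stand-in for TPM2_PolicyPCR: one digest over the selected PCR values."""
    h = hashlib.sha256()
    for index in sorted(selection):
        h.update(bytes([index]) + pcrs[index])
    return h.digest()


class FakeTPM:
    """Seals secrets to a PCR policy and a PIN, with a dictionary-attack lockout."""

    def __init__(self, max_failures: int = 3):
        self.seed = secrets.token_bytes(32)   # stands in for a seed that never leaves the chip
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def _kek(self, policy: bytes, pin: bytes) -> bytes:
        return hmac.new(self.seed, b"seal" + policy + pin, hashlib.sha256).digest()

    @staticmethod
    def _keystream(kek: bytes, length: int) -> bytes:
        blocks = [hashlib.sha256(kek + bytes([i])).digest() for i in range((length + 31) // 32)]
        return b"".join(blocks)[:length]

    def seal(self, secret: bytes, pcrs: dict[int, bytes], selection, pin: bytes = b"") -> dict:
        policy = policy_digest(pcrs, selection)
        kek = self._kek(policy, pin)
        ct = bytes(a ^ b for a, b in zip(secret, self._keystream(kek, len(secret))))
        tag = hmac.new(kek, ct, hashlib.sha256).digest()
        # The blob sits on disk in the clear (e.g. a LUKS2 token); it is useless without the chip.
        return {"selection": sorted(selection), "policy": policy, "ct": ct, "tag": tag}

    def unseal(self, blob: dict, pcrs: dict[int, bytes], pin: bytes = b"") -> bytes:
        if self.locked:
            raise PermissionError("lockout: too many failed PIN attempts")
        # A policy failure (changed firmware/bootloader) does not count toward the lockout.
        if not hmac.compare_digest(policy_digest(pcrs, blob["selection"]), blob["policy"]):
            raise PermissionError("PCR policy mismatch: boot chain changed")
        kek = self._kek(blob["policy"], pin)
        if not hmac.compare_digest(hmac.new(kek, blob["ct"], hashlib.sha256).digest(), blob["tag"]):
            self.failures += 1
            if self.failures >= self.max_failures:
                self.locked = True
            raise PermissionError("bad PIN")
        self.failures = 0
        return bytes(a ^ b for a, b in zip(blob["ct"], self._keystream(kek, len(blob["ct"]))))


def _attempt(tpm: FakeTPM, blob: dict, pcrs: dict[int, bytes], pin: bytes) -> str:
    try:
        tpm.unseal(blob, pcrs, pin)
        return "released"
    except PermissionError as exc:
        return f"refused ({exc})"


def scenario() -> dict:
    """Walk through the cases discussed in the thread; returns the outcomes."""
    tpm = FakeTPM(max_failures=3)
    volume_key = secrets.token_bytes(64)   # stands in for the LUKS volume key
    trusted = measure_boot({0: [b"firmware 1.20"], 4: [b"shim", b"grub"],
                            7: [b"SecureBoot=1", b"db=vendor"]})
    blob = tpm.seal(volume_key, trusted, {0, 4, 7}, pin=b"1234")
    out = {"same_boot": tpm.unseal(blob, trusted, pin=b"1234") == volume_key}
    # Attacker boots their own loader (the live-USB trick): PCR 4 differs, key is never released.
    swapped = measure_boot({0: [b"firmware 1.20"], 4: [b"shim", b"live-usb-grub"],
                            7: [b"SecureBoot=1", b"db=vendor"]})
    out["swapped_bootloader"] = _attempt(tpm, blob, swapped, b"1234")
    # Trusted boot chain but guessed PINs: the chip locks after max_failures.
    guesses = 0
    while not tpm.locked:
        _attempt(tpm, blob, trusted, b"0000")
        guesses += 1
    out["guesses_before_lockout"] = guesses
    out["correct_pin_after_lockout"] = _attempt(tpm, blob, trusted, b"1234")
    return out


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The model also shows the trade-off behind the remote-unlock question: a key sealed only to PCRs (empty PIN) releases automatically on every trusted boot, which is what makes unattended reboots work, but then anyone who can boot the unmodified chain gets to the login screen, so the OS's own login protections are all that stands between them and the data.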