
Ask HN: How do you encrypt your laptops? - codegeek
Read this story about lost macbook pro [0], I am wondering about the encryption tools for laptops. Even though a lot of work we do these days is on cloud (github&#x2F;bitbucket&#x2F;gitlab, dropbox etc), I still would hate to lose my laptop specially if unencrypted<p>[0] https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=11759741
======
zeveb
I'm running Debian, so I have LUKS full-disk encryption running; I consider it
a _sine qua non_ of running a personal computer.

I wish it were a bit easier to enable per-user encrypted home directories as
well (yes, layered: CPUs are fast, and security is worth the cost), but … I'm
lazy.

~~~
discordance
May I ask a hypothetical?

If you were stopped at a border crossing and asked to unlock your drive for
inspection, would you do so?

~~~
PhantomGremlin
_If you were stopped at a border crossing and asked to unlock your drive for
inspection, would you do so?_

It's not necessary to cross a border anymore with anything "interesting" on
your laptop.

Just push everything of value to the cloud before crossing. Carry a USB drive
with an OS on it. Format your laptop before crossing. Let them have fun
"inspecting". Oh, and I'd advise doing something like

    
    
       dd if=/dev/zero of=/dev/rdiskX bs=1m
    

before loading the clean OS. That way there's nothing of value on the drive
even if forensic tools are used to look for previous data.

Or maybe just use a Chromebook. They can't force you to unlock access to any
cloud accounts, can they? Certainly not as a pre-condition for crossing a
border? With a court order, yes, but then you definitely need to get an
attorney involved to protect you.

~~~
srean
The fly in that ointment is that govts tend to have these deniable 'deals'
with these major cloud providers. So make sure whatever you push is encrypted
well.

------
de_dave
I use the standard hardware encryption of my SSD (a Samsung 830 in my 2012-era
Dell XPS 13), which requires I enter the passphrase when I turn my machine on.

Advantages:

    
    
      - OS neutral
      - Seemingly as fast as running 'unencrypted' 
        (I assume performance is identical, the only
        difference being the passphrase is stored in
        my head rather than the BIOS)
    

Disadvantages:

    
    
      - Limited to an 8-char (!) ASCII passphrase
      - I've no idea how secure it really is
      - Can't audit the algorithm (not that I have
        the technical ability to)

~~~
d33
That sounds like an annoyance, not encryption to me.

~~~
centizen
It's the 8-char password that I find absurd - that would take about 2 hours to
brute force max.

~~~
jkot
I think hdd will wipe itself after N incorrect attempts.

~~~
dmd
So you copy the drive first.

~~~
jcrawfordor
Encryption is done in drive hardware, so copying the drive is possible via
hardware attacks but would be a pretty involved lab operation. Would
definitely take longer and require more sophistication than many in-practice
crypto exploits.

------
yardie
Macbook Pro running El Capitan. The firmware is password locked so no one can
change the boot disk, the SSD, Samsung 840 Pro, is encrypted with FileVault2.

I also have guest access enableD to entice the unauthorised user to login and
connect to the internet. Where I can lock or nuke the laptop using iCloud.

One thing I missed about the old OpenFirmware Macs was that you could
personalise a message into the firmware boot screen like, "Call me: +1 305 555
222 for a reward!" The current FileVault login page has no such option.

~~~
cookiemonsta
"The firmware is password locked" \- how did you enable this?

~~~
sigjuice
[https://support.apple.com/en-us/HT204455](https://support.apple.com/en-
us/HT204455)

~~~
bitserf
how is an Apple service provider able to bypass this? if they can, so can an
adversary, no?

------
ShaneOG
I use Mac OS X FileVault2, with a firmware password. It's incredibly easy to
set up and should be good enough to protect my data from the majority of
thieves.

Coupled with encrypted Time Machine backups and Arq[0] I feel relatively ok
about losing my machine.

[0] [https://www.arqbackup.com](https://www.arqbackup.com)

~~~
kogepathic
Just so you're aware, the firmware password on a Mac can easily be bypassed by
anyone with an SPI writer. [1] Using a teensy and a chip clip, someone can
clear the password or bypass the password check completely.

So, it will keep the honest out, but for someone who knows what they're doing,
it will only prove a mild inconvenience.

This obviously doesn't help them bypass FDE, but in case they want to steal
the laptop and not have a brick, the SPI writer works a treat.

[1] [https://trmm.net/SPI_flash](https://trmm.net/SPI_flash)

~~~
coldtea
FDE is not supposed to be an anti-stealing mechanism anyway.

Besides any potential thief wont even know whether you're running FDE or not
on the laptop they steal, or whether it would be bricked or not. They can
always sell it for its parts (screen, etc) anyway.

~~~
nickpsecurity
It actually _is_ a mechanism to reduce impact of theft. Someone with access to
your computing hardware might modify it to subvert the system, read
keystrokes, decrypt drive, leak it, and so on. This can be as simple as
Customs installing something as you leave the country during an "inspection"
then reading keys right off when you come back. Not saying it happens so much
as a concern we had during a brainstorm. Or someone plugging in an attack tool
into your Firewire port while you take a piss at Starbucks. Or you plug in USB
drive they dropped with a radio and attack kit in its connector.

Whereas, if someone straight-up steals it, they have no chance of recovering
data if the encryption is strong and key isn't in memory (eg cold boot). You
can also transmit media through untrusted channels that way. Even NSA's Inline
Media Encryptor, which my inspired my designs, has that use case.

~~~
coldtea
> _It actually is a mechanism to reduce impact of theft._

Sure, but that's different from anti-stealing (and I mean stealing the machine
of course, not the data).

------
mkohlmyr
I don't have any files on my personal laptop.

I have a USB key or two on my key-ring, and in theory I have an external hard-
drive although currently I don't use it.

I keep code on a VM and GitHub.

In general I don't really have anything I can't lose or have made public.
Instead of looking at my laptop as a thing I have to protect I look at it as a
thing that will inevitably be lost, damaged or replaced.

~~~
wepple
What about session tokens to cloud services you likely use?

~~~
mkohlmyr
My primary accounts are not left logged in. I don't let my browser auto-fill
passwords. Github for example has two-factor enabled. I somewhat regularly
clean my browser data.

If a nation-state wants to "get me", they will. In fact most of us would
probably not be able to withstand a targeted attack by a skilled or simply
motivated attacker.

I don't expect my hard-drive being encrypted would save me in court. I
probably wouldn't ultimately withstand a prolonged beating in defense of it
either.

It all comes down to whether your juice is worth the squeeze. I have very
little juice (on display), and I don't give anyone much reason to suspect
there's more juice out there.

~~~
jcrawfordor
There are a lot of low-hanging fruit forensic techniques that would allow for
recovery of data that was once on the device and you now think to be gone,
like session tokens and cookies. One of the major reasons to use full-drive
encryption is so that these forensic artifacts will be encrypted in addition
to the files you still actually keep around. This is also why you should
enable full-disk encryption at the very beginning, OR wait while the entire
drive is rewritten when you enable it.

------
AdmiralAsshat
\- Bitlocker on my Windows 10 Pro laptop (because I'm more concerned about an
everyday thief prying open my laptop than a government agent)

\- ChromeOS built-in encryption/LUKS FDE on the Fedora partition on my
Chromebook

I should probably encrypt my Android phone and tablet, but I had a bad
experience with performance overhead when I encrypted my last phone.

~~~
astrobase_go
Depending on which version of Android you're running, you may be pleasantly
surprised. Manually encrypted an HTC One m9 (Lollipop) and found no noticeable
performance decrement, and now with it enabled by default in Marshmallow it's
unnoticeable.

~~~
Flimm
The main annoyance with full-disk encryption on Android is that it disables
several handy features of the lock screen, such as being able to take a photo
directly from the lock screen.

~~~
fwn
I just checked that on three devices and I am certain that this is a problem
unconnected to encyption. Not sure how, but you might be able to solve this
somehow.

------
georgestephanis
Yup, encrypt every time.

Otherwise, they may be able to snag your SSH RSA keys off of the hard drive,
and if you've password protected it, they can try to brute force it.

Also, it helps safeguard against border patrol wanting to access your data
while traveling.

~~~
spilk
Store your keys on a hardware token to reduce the chances of this happening
(Nitrokey, Yubikey, OpenPGP smart card, etc.)

~~~
jason_slack
the way I read about Yubikey is that it is for websites, accounts, etc. Can
you use it to log into your actual OS?

~~~
toyg
Yes, with a bit of setup and depending on your OS.

My problem with hardware tokens is simply that I lose them.

~~~
gargravarr
I keep mine on my car keys. Problem solved.

~~~
jaeh
Then you (inevitably, Murphy's ...) lose your car keys. Now you have two
problems. :p

~~~
superobserver
Or stow a backup of your (yubikey) hardware in an encrypted (hopefully, zero-
knowledge based) cloud service and restore when lost.

------
Johnny_Brahms
So, the dawn of SSDs has made hibernation and sleep redundant. I use FDE for
my SSD (luks, and whatever good defaults ubuntu gives me).

As for the cloud, I store nothing sensitive on there. I used truecrypt, but
now I find VeraCrypt easier to use and install. I lost my last installer of
truecrypt, and I don't trust the ones floating around.

VeraCrypt hasn't been audited yet. This is a bad thing :)

~~~
leejoramo
I have been looking for any sort of software review of VeraCrypt or
suggestions by security experts that they use and recommend VeraCrypt. I want
something more than unknown people in forums saying they use it.

~~~
Johnny_Brahms
Well then, use something battle tested like cryptsetup then. It is not as nice
though.

~~~
Mandatum
I assume he's looking for an open-source option for Microsoft Windows. OSX and
Linux is largely "solved". The Microsoft stack is less so after TrueCrypt's
downfall.

------
astrobase_go
For Mac, FileVault2. For Debian, LUKS full-disk.

It's tangential, but while on the topic of securing lost laptops, you should
also password-protect GRUB and BIOS. Ideally, all three will use different
passwords that are relatively long. Properly securing these elements in
addition to having full-disk encryption will make your lost laptop useless to
the would-be thieves.

------
heartsucker
I use FileVault on my MacBook and LUKS on my Debian machine. The only thing I
really can't afford to lose is photos and art (backedup to Google Drive and
and an external hard drive), and SSH/GPG/etc. keys which are backed up to
USBs. I could lose most of my hardware and be ok.

------
cpbotha
I find it interesting that nobody yet has mentioned TCG Opal with any of the
latest popular consumer self-encrypting SSDs such as the Samsung EVOs and
PROs.

You get full speed disk access and SSD friendly encryption (the disk is always
encrypted anyways) and a relatively elegant way to install an unencrypted boot
loader (PBA) that prompts you for your password.

There's a great open source Linux-based system for managing all of this (see
my writeup [https://vxlabs.com/2015/02/11/use-the-hardware-based-full-
di...](https://vxlabs.com/2015/02/11/use-the-hardware-based-full-disk-
encryption-your-tcg-opal-ssd-with-msed/) ) and I hear recent windows has built
in support.

------
acomjean
I use the Mac Disk Utility to create an encrypted volume. I use that volume to
store sensitive files. Its just one file so its fairly easy to back up in its
encrypted form.

The main hassle is I have to open the drive and enter the password before
using. But its used infrequently.

~~~
BooneJS
This is my method as well. +1

------
cyphar
LVM on top of dm-crypt with LUKS. Both swap and my btrfs root partition are in
the LUKS volume. While that works fine, I wish it wasn't necessary to use LVM.
Once btrfs supports encrypted drives, I'll be closer to not needing raw LUKS
or LVM (hopefully btrfs would just use the dm-crypt kernel APIs). But
encrypted swap is very important (your encryption key or other sensitive data
could end up on a decrypted part of your disk after your laptop dies
suddenly). So currently I'm SOL if I want to use a swap partition, maybe I
should add a loopback device in btrfs that is non-cow?

------
tmaly
I originally had the encryption turned on for my macbook I purchased back in
2015. It ran fast enough that I did not mind it.

The thing that ultimately convinced me not to use it was a seasoned apple
store employee. He said if something goes wrong and you have it turned on, we
cannot recover your data for you.

I am more risk averse, so I went with not encrypting the entire drive.

If I did need some encryption on OSX, I would probably go with creating a
directory and using the Disk Utility that is built into OSX to just encrypt
that directory.

~~~
ThatGeoGuy
> He said if something goes wrong and you have it turned on, we cannot recover
> your data for you.

Contrary to the belief of the person you spoke to, this is a feature of
encryption, not a bug. And you are not more risk averse by leaving encryption
off, you're taking a bigger risk and assuming that the hardware will fail and
you'll lose everything important on disk before you are able to back it up. In
this scenario, it is more likely your laptop will get lost or stolen and you
will wish that the info was non-recoverable by whoever ends up owning your
laptop.

------
gargravarr
I also set up FileVault on my Mac, which I don't particularly like because it
uses my login password to encrypt the hard drive.

I run Mint on my ThinkPad, and encrypted the hard drive at install-time (which
is LUKS in the background). This means I have a separate password for the OS
and my user data. The boot password is very long (it's a saying that is
memorable to me) so is pretty difficult to brute-force, while my user password
is complex enough for regular use. I also have my user data encrypted. LUKS
can leverage the AES instructions on current-gen CPUs to speed up encrypted
operations to near-native speeds, but even without it, you'll only notice a
slow-down if you're doing heavy IO. My MBP is an old Core 2 Duo and is not
unsable with FDE enabled.

I also used my Yubikey as a second factor for a time - you can hook this into
the LUKS decryption screen to hash the passphrase a second time to generate
the decryption key. While I was at it, I had my Yubikey set up to be required
to log in or unlock the screen. So while there was a backup passphrase to
unlock the hard drive, I couldn't get into my own user account without the
Yubikey. I eventually disabled this because I thought it was overkill, but it
works pretty well.

However, don't forget that encryption ONLY protects data at rest! A laptop in
sleep mode is NOT secure, even with FDE. I always shut down the machine
completely when I'm in a situation I could lose it (e.g. airport security).
Otherwise, the keys are kept in memory, and a determined hacker has ways of
getting to them - look up DMA attacks. Downloading the contents of RAM through
a firewire port is pretty trivial these days.

A final thing to note - none of these methods stop a thief installing their
own OS on your machine. Whilst this means your data is secure, you can make
things a little bit harder for the thief by adding a boot or BIOS password to
prevent them booting from a different medium. There are ways to reset this,
admittedly, but since it won't get in your way (much), add another stumbling
block for your enemy.

~~~
cyphar
> A final thing to note - none of these methods stop a thief installing their
> own OS on your machine. Whilst this means your data is secure, you can make
> things a little bit harder for the thief by adding a boot or BIOS password
> to prevent them booting from a different medium. There are ways to reset
> this, admittedly, but since it won't get in your way (much), add another
> stumbling block for your enemy.

If you use UEFI with secure boot (and your own keys with the windows ones
removed, and an administrative password set up in your firmware) then you're
in theory protected against that attack as well. What's more, openSUSE Just
Works™ with UEFI. I wanted to flash LibreBoot (a CoreBoot distribution that is
free as in freedom) but I'm worried about bricking my laptop (as well as not
being sure about how good Linux's support is for that).

------
brbsix
I use full-disk encryption via LVM on LUKS [0]. I rarely bother with per-user
encrypted home directories since I'm the only user of the device and I don't
leave it on while traveling or unattended.

For external drives and cloud storage I use EncFS via Gnome EncFS Manager [1],
which makes it easy to keep track of and mount "stashes".

[0]: [https://wiki.archlinux.org/index.php/Dm-
crypt/Encrypting_an_...](https://wiki.archlinux.org/index.php/Dm-
crypt/Encrypting_an_entire_system#LVM_on_LUKS)

[1]: [http://www.libertyzero.com/GEncfsM](http://www.libertyzero.com/GEncfsM)

------
RealityVoid
I don't. I don't even have an account password for my windows machine. I want
whoever has my laptop to have access to my PC so he can use it - in the hope
that I will gather enough information about him and I will track him down to
recover my laptop.

If the pc is fully encrypted, they'll have to erase the HDD and the programs I
installed will be gone along with my chances of ever recovering it. On the
other hand, I adopted the same behavior for my linux laptop and I'm not sure
it's wise, the chances of someone continuing to use it are slim at best.

~~~
dvndvn
I see some merit in your argument. I have a little more take on this.

Leave a password free account and have a password based account also. It
allows the stealer to use computer without hindrance and also protects your
data from casual thieves at workplace.

------
hackney
I own a Motion Computing R12 windows 7 pro tablet. It comes with WinMagic's
SecureDoc Disk Encryption. I have not needed it simply because it is not used
in a corp. work environment nor do I travel a lot. I login with my fingerprint
for simplicities sake. My desktop is also windows 7 pro and both it and my
tablet have just login passswords. I did buy a yubikey nano for my desktop
which I use with password safe for all my logins. For my desktop I would
probably use DiskCryptor. My android phone is encrypted however.

If you do not have tons of sensitive data to hide I see no reason to encrypt
at present.

------
rndstr
I only encrypt the /home dir with dm-crypt running ArchLinux. I did use
TrueCrypt on my previous laptop but at a certain point it was broken and it
seems development ended in 2014.

------
thom
A few years ago we were burgled and one of my laptops was stolen. The process
of revoking keys and changing passwords (on a tiny borrowed netbook, no less)
was painful enough that I would never risk going unencrypted again.

It's an install option on any modern OS, or something transparently enabled in
your BIOS, the only time I notice it is on my Mac where I have to unlock twice
occasionally if it's been asleep.

------
sjmulder
My Windows machines are not encrypted because the home edition they run does
not support BitLocker. Microsoft should reconsider.

Most of my other installations (Mac, Linux, FreeBSD) are encrypted (LVM, ZFS,
etc) or will be soon.

To be honest this only really helps against casual attackers (lost/stolen
machine) because much of my personal data is in OneDrive which will offer me
no protections against governments or determined individuals.

~~~
gdc
Pro supports bitlocker.

------
creshal
LUKS, combined with suspend to disk. Both on my laptops and the on-prem
homeserver that holds all my personal data.

------
pyprism
I am running Ubuntu, I use eCryptfs [0] to encrypt my home directory and
openssl for other files. [0]
[https://help.ubuntu.com/community/EncryptedHome](https://help.ubuntu.com/community/EncryptedHome)

------
Guest98123
I just use Truecrypt 7.1a, and encrypt the entire drive, so it requires a
password before booting.

~~~
t3ra
Does this affect performance? Esp for things like photoshop?

~~~
Guest98123
I use Photoshop daily, and play some Steam games once in a while. My laptop is
an ultrabook with a SSD. I can't see any impact on performance. If there is an
impact, I'd need to setup benchmarks to identify it.

~~~
t3ra
Oh that sounds cool.. Have u tried any other fork of truecrypt?

------
acd
I run Bitlocker on my Windows 10 machine it causes some issues with
multibooting.

Does anyone have a good multiboot disk encryption setup?

On Linux I sometime use LUKS disk encryption. For adhoc disk container file
disk encryption I use Veracrypt which is the successor of Truecrypt.

~~~
hackney
DiskCryptor
[https://diskcryptor.net/wiki/Main_Page](https://diskcryptor.net/wiki/Main_Page)

Full compatibility with third party boot loaders (LILO, GRUB, etc.).
Encryption of system and bootable partitions with pre-boot authentication.
Option to place boot loader on external media and to authenticate using the
key media. Support for key files. Full support for external storage devices.
Option to create encrypted CD and DVD disks. Full support for encryption of
external USB storage devices. Automatic mounting of disk partitions and
external storage devices. Support for hotkeys and optional command-line
interface (CLI). DiskCryptor supports FAT12, FAT16, FAT32, NTFS and exFAT file
systems.

------
andrey_utkin
Partitions for swap and rootfs, both encrypted with LUKS. I carry boot disk on
a USB stick. Decryption key is on bootdisk, too, to avoid typing in the
passphrase every time.

------
pelim
LUKS for my Linux system and Filefault for my Apple

with [http://www.passwordcard.org/](http://www.passwordcard.org/) passwords

------
maxaf
FileVault on Macs and OpenBSD's softraid(4) on non-Macs. Almost every OS these
days has some support for full-disk encryption. Not using it is irresponsible.

------
mveety
I run 9front in my laptop and netboot, so root filesystem is at home and I
boot off that. Only thing on my drive is a bootloader and kernel.

------
Sir_Cmpwn
I use Arch Linux with LUKS for full disk encryption.

------
stakent
Debian with full disk encryption as suggested by installer.

Works.

------
jason_slack
on OS X I use FileVault2. I also have data on encrypted, password protected
disk images. A firmware password on the machine too.

Another thought, what other things could someone do?

check for the existence of a USB stick or SD card plugged into the machine
inorder to actually mount home? Log user into a chroot env and mount nothing
unless a usb stick exists?

------
exodust
No encryption here. For performance reasons I don't want encryption throttling
my laptop CPU, or causing other issues.

I use the standard Windows logon password, but no encryption of drives.

I use keepass for my password encryption, and I bought Kruptos 2 Pro for
whenever I need to encrypt individual files or folders. It works with dropbox,
so I more of less have everything covered without needing to encrypt the whole
thing.

~~~
cyphar
I've never felt performance issues with full disk encryption, and I personally
wouldn't feel safe carrying my laptop if I didn't have it.

~~~
exodust
It's good you haven't "felt" performance issues, but technically there would
be a difference. I just prefer a slick, efficiently powered laptop using only
the power it needs to do work. My laptop has 3 disks - 2 SSD and 1 HDD, that's
too much to encrypt.

------
siffer
Nice try FBI,

I use quantum resistant drive encryption.

------
lossolo
Ubuntu 16.04 with full disk encryption. It's trivial to set, you can do it in
installation phase.

~~~
MTemer
do you lose all your data if the disk suffers from any kind of data
corruption?

or can you somehow still mount, unlock and retrieve the files that weren't
affected?

------
Javadavinci
I am running windows and have it fully encrypted with Bitlocker (AES 256).

