Ask HN: How do you encrypt your laptops?
78 points by codegeek on May 24, 2016 | 151 comments
Read this story about a lost MacBook Pro [0]; I am wondering about the encryption tools for laptops. Even though a lot of work we do these days is on cloud (github/bitbucket/gitlab, dropbox etc), I still would hate to lose my laptop, especially if unencrypted.

[0] https://news.ycombinator.com/item?id=11759741




I'm running Debian, so I have LUKS full-disk encryption running; I consider it a sine qua non of running a personal computer.

I wish it were a bit easier to enable per-user encrypted home directories as well (yes, layered: CPUs are fast, and security is worth the cost), but … I'm lazy.


For others:

    Sine qua non is an indispensable and essential action, condition, or ingredient. It was originally a Latin legal term for "[a condition] without which it could not be", or "but for..." or "without which [there is] nothing".


If a phrase is so foreign that you feel the need to italicize it, don't use it.


On the other hand, it's quite nice to be on Hacker News where someone will post the definition :) ... now I know what that phrase means when I hear it in another context.


Nah, it's just the standard HN-ian modus operandi of misusing Latin phrases like a priori which doesn't actually mean "prior" or "prior knowledge" despite the incessant use here on this site.

How else would I attempt to appear superior? :^)


Except he used it correctly here, didn't he? He could have said condicio sine qua non but my understanding is that either would be accepted usage.


A relevant documentary on the importance of proper Latin grammar and usage:

https://www.youtube.com/watch?v=IIAdHEwiAy8


If f is a function with the domain of thoughts and the codomain of the words used, f is almost never injective.

You can't always know the thoughts based solely on the words. There's almost never a one-to-one mapping. You can't always read minds.

Think about it like this: I understand that it might be perceived by some English speakers as "sophistication" (more on that later), but for a lot of others who speak other languages, there is absolutely no pretense of sophistication in using latin expressions for this is both how we have always talked and what we picked up along the way in life.

Expressions such as "a priori", "grosso modo", "primo/secundo/tertio/quarto", "sine qua non", "ad nauseam", "a fortiori", "a contrario", "status quo", "de facto/de jure", are very common in colloquial French.

Others, for example: "quod erat demonstrandum", "reductio ad absurdum", and some of the aforementioned mostly were picked up in maths classes/books.

I learned most of this stuff as a child because people just talked like that around me. Do I have to apologize because someone thinks I'm doing it to appear superior? That's similar to some people who think someone is arrogant just because he's good looking. Doesn't this feeling tell them more about themselves than about the hypothetical arrogance/sophistication attempt?

Think of it another way: If I work in the sun and get a tan, why on earth would you assume that my tan is pretentious? Seems silly to connect the two, right? But they were connected in the past: the expression blue blood, after all, that is used to describe nobility came from the fact they were so pale their veins were apparent, contrary to the peasants who had to work in the sun and were tanned.

What used to indicate "low-birth" now has become attractive. We're funny that way.

To get back to what I said, this is not unique to English speaking people. I was raised with two languages home + one street language + one school language. Other children from poor families (one street language + one school language) perceived this as a sophistication attempt because they perceived me as someone coming from means. I wasn't. They associated speaking that language with wealth; I didn't. It didn't even cross my mind.

Then again, it's not even about wealth: they didn't mind someone like them (farmer) having money.. but they loathed people they considered "fancy" (for them, educated meant fancy).

Some people here have this stereotype (the correlation is that they're mostly people from poor neighborhoods) because they don't understand basic logic: "A implies B" doesn't mean "B implies A". They think "People from wealthy fancy families speak French", so they go the other way around and say "People who speak French come from wealthy fancy families".

But then again, it's not about Latin phrases, wealth, or French, for some people in France would consider someone speaking in English as attempting to appear superior. And it's not even about France for some people in Egypt think people who speak English try to seem superior. How 'bout that! You wouldn't consider English fancy, would you? But a lot of people around the world do.

What's the conclusion? The conclusion is that this isn't about the other, it's about us and our thought processes, our insecurities and assumptions.

The conclusion is that if you perceive what someone says to be an attempt to be sophisticated, maybe you can start with an assumption check: can you for a fact read minds? Does your assumption tell you something about yourself more than it does about the other? It does.

I'm not being judgemental, I just find the way we think fascinating. I spend a lot of time trying to destroy my own arguments and prove myself to know nothing. I also play pool against myself, keep score, and laugh at myself when I botch a shot.


I contend that 'sine qua non' was the mot juste in that situation.


I contend that most Leute would find it untragbar for you to pepper your Schrift with Wörtern from any random Fremdsprache. But somehow it's considered acceptable if the Fremdsprache in question is French or Latin.


I don't understand...

If you've got the requisite ecryptfs packages installed, you can just run something like: "adduser --encrypt-home newusername" and there you go. It works on top of any filesystem, because it encrypts on a per-file basis.


Yeah, but (last time I installed) that wasn't an option at install time.


Ubuntu has that as an install-time feature, but then Ubuntu is definitely not Debian.

Then again, Debian isn't really either given the systemd fiasco that is Jessie.

How has that whole debacle impacted you? I still have several squeeze (or whatever oldstable / jessie-1 is) boxes that I'm loath to upgrade, and considering just biting the bullet and switching to either Ubuntu, which has a more mature systemd setup, or some other distro entirely (OpenSUSE seems to be the place to be when it comes to bleeding edge secure rolling releases), but the familiarity I have for Debian continues to make that difficult to make the leap.


Can you write more about systemd fiasco in Jessie?

I've very reluctantly upgraded to Jessie with systemd a few months ago and, to my surprise, it simply works.

Cursory googling returned entries from 1-2 years ago, so my google fu is not sufficient.


Actually, I don't mind systemd anymore. I hate the philosophy and attitude of the maintainer, but I haven't had any operational problems using systemd. It works, and it works pretty well. I just hate that I had no choice.


So then just don't create your main user account at install time. I'm usually creating an 'admin' user at that point anyway.

The main thing to watch out for is to add new users appropriately to some system groups like sudo, cdrom, audio and such.


> I'm usually creating an 'admin' user at that point anyway.

Why create an admin user when root already exists?


It is handy, if you are setting up the system for someone else.

You can always delete the user account you created at install time too, after you have set up the root account with a password.


May I ask a hypothetical?

If you were stopped at a border crossing and asked to unlock your drive for inspection, would you do so?


> If you were stopped at a border crossing and asked to unlock your drive for inspection, would you do so?

It's not necessary to cross a border anymore with anything "interesting" on your laptop.

Just push everything of value to the cloud before crossing. Carry a USB drive with an OS on it. Format your laptop before crossing. Let them have fun "inspecting". Oh, and I'd advise doing something like

    dd if=/dev/zero of=/dev/rdiskX bs=1m

before loading the clean OS. That way there's nothing of value on the drive even if forensic tools are used to look for previous data.

Or maybe just use a Chromebook. They can't force you to unlock access to any cloud accounts, can they? Certainly not as a pre-condition for crossing a border? With a court order, yes, but then you definitely need to get an attorney involved to protect you.


The fly in that ointment is that govts tend to have these deniable 'deals' with these major cloud providers. So make sure whatever you push is encrypted well.


Usually you don't have any right to enter a country, unless you're a citizen.

So they can make unlocking any of your accounts a prerequisite for entering.


No. I'd be calling my company's lawyer to obtain their counsel first. It's not up to me to disclose information I don't own to BPS.


I use the standard hardware encryption of my SSD (a Samsung 830 in my 2012-era Dell XPS 13), which requires I enter the passphrase when I turn my machine on.

Advantages:

  - OS neutral
  - Seemingly as fast as running 'unencrypted' 
    (I assume performance is identical, the only
    difference being the passphrase is stored in
    my head rather than the BIOS)

Disadvantages:

  - Limited to an 8-char (!) ASCII passphrase
  - I've no idea how secure it really is
  - Can't audit the algorithm (not that I have
    the technical ability to)


That sounds like an annoyance, not encryption to me.


It's the 8-char password that I find absurd - that would take about 2 hours to brute force max.


I think the HDD will wipe itself after N incorrect attempts.


So you copy the drive first.


Encryption is done in drive hardware, so copying the drive is possible via hardware attacks but would be a pretty involved lab operation. Would definitely take longer and require more sophistication than many in-practice crypto exploits.


Allegedly it's 256-bit AES and would take thousands of years to brute force. (Allegedly, because of course there's no way for me to easily verify!)


A 256-bit AES key might take eternity, but if it's derived directly from 8-char ASCII the search space is tiny. Somewhat does depend on how it's actually implemented in hardware, however.


Hopefully not like this: http://www.h-online.com/security/features/Enclosed-but-not-e...

That drive claimed 128 bit AES, but they botched it.


Or even better, the key is determined randomly, and the 8 char password decrypts the key.


The 8 char password does not decrypt the key; it unlocks/retrieves it. The drive will only allow a fixed number of attempts. Once past the 10 or whatever allowed attempts, an attacker needs to brute force the full encryption key. It should be a very similar scheme to what you get with a modern smartphone, such as a new iPhone. (Not one of the older iphones the FBI cracked recently, a new one with a Secure Enclave.)


What stops the attacker from just imaging the drive in its encrypted state and continuing to run attacks on the 8 char password well in excess of 10 attempts?


The drive controller does not allow you to read the encrypted form of the data out. This kind of drive-encryption is the same as the common ATA lock command (implemented in your BIOS and the drive controller), but the drive controller actually encrypts the data as well as just refusing to work without being unlocked first.


This relates to my "does depend on how it's actually implemented in hardware, however." comment.

This can be implemented in secure hardware (and without getting into attacks against that), you can make a password attempt, but can't modify the counter which tracks how many incorrect attempts have been made. Sufficient incorrect attempts will see the key material destroyed.
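The comments above contrast a key derived directly from the 8-character passphrase with a random key that the passphrase only unlocks behind an attempt counter. As an added example (not from any commenter, and not real drive firmware), this Python model works the numbers and the counter behaviour; the class name, the PBKDF2 parameters, the XOR wrap and the reset-on-success rule are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import secrets

PRINTABLE_ASCII = 95   # characters 0x20..0x7e
PASSPHRASE_LEN = 8     # the limit mentioned in the thread


def keyspace_bits(alphabet: int, length: int) -> float:
    """Entropy in bits of a uniformly random passphrase."""
    return length * math.log2(alphabet)


def hours_to_exhaust(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Worst-case hours to try every passphrase when guessing is unthrottled."""
    return alphabet ** length / guesses_per_second / 3600


def offline_work_bits(alphabet: int, length: int, kdf_iterations: int) -> float:
    """Work factor in bits when each guess costs kdf_iterations hash operations."""
    return keyspace_bits(alphabet, length) + math.log2(kdf_iterations)


class ModelDrive:
    """Toy self-encrypting drive: a random 256-bit media key is wrapped by a
    passphrase-derived key, and the controller counts failed unlock attempts."""

    def __init__(self, passphrase: str, max_attempts: int = 10, iterations: int = 50_000):
        self._salt = secrets.token_bytes(16)
        self._iterations = iterations
        self._max_attempts = max_attempts
        self._failed = 0
        media_key = secrets.token_bytes(32)   # never derived from the passphrase
        kek = self._derive(passphrase)
        # XOR stands in for a real key-wrap cipher (assumption, keeps this stdlib-only).
        self._wrapped = bytes(a ^ b for a, b in zip(media_key, kek))
        self._check = hmac.new(media_key, b"verify", hashlib.sha256).digest()

    @property
    def destroyed(self) -> bool:
        return self._wrapped is None

    def _derive(self, passphrase: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self._salt,
                                   self._iterations, dklen=32)

    def unlock(self, passphrase: str):
        """Return the media key on success, None on failure or after destruction."""
        if self.destroyed:
            return None
        kek = self._derive(passphrase)
        candidate = bytes(a ^ b for a, b in zip(self._wrapped, kek))
        tag = hmac.new(candidate, b"verify", hashlib.sha256).digest()
        if hmac.compare_digest(tag, self._check):
            self._failed = 0                  # assumption: success resets the counter
            return candidate
        self._failed += 1
        if self._failed >= self._max_attempts:
            # Wrapped key erased: only the full 256-bit key space remains to search.
            self._wrapped = None
            self._check = None
        return None


if __name__ == "__main__":
    bits = keyspace_bits(PRINTABLE_ASCII, PASSPHRASE_LEN)
    print(f"8 printable-ASCII chars: {bits:.1f} bits (vs 256 for the AES key)")
    for rate in (1e9, 1e12):
        hours = hours_to_exhaust(PRINTABLE_ASCII, PASSPHRASE_LEN, rate)
        print(f"  unthrottled at {rate:.0e} guesses/s: {hours:,.1f} hours worst case")
    print(f"  with 50,000 KDF iterations: {offline_work_bits(95, 8, 50_000):.1f} bits of work")

    drive = ModelDrive("Tr0ub4d!", max_attempts=10)   # constructed sample passphrase
    for _ in range(10):
        drive.unlock("wrong-guess")
    print("key material destroyed after 10 failures:", drive.destroyed)
```

The "about 2 hours" figure quoted earlier corresponds to roughly 10^12 unthrottled guesses per second over the full 95^8 space; the attempt counter only helps if the wrapped key cannot be read out of the controller.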


On Thinkpads at least it can be much longer.


It does actually encrypt your data, and if it's correctly implemented, it's fine. Those drives have been sold for a few years now and not a single exploit is known.

For most people this is more than enough.


You're correct, it's not going to stop someone who knows exactly what they're doing and has the time/patience/tools to brute force. But it is enough to stop casual thieves from stealing more than just hardware, which is (fortunately) my main concern.


Generally as you increase security you will lose usability and vice versa. It's about weighing the advantages against the disadvantages.


It reminds me of how I set a boot password in the BIOS on my HP laptop. I have now forgotten the admin password in order to remove that "feature". I have no idea how I can fix it. The laptop is bricked. I can't install Linux on it because it is set not to boot from USB or CD-ROM.


> I have no idea how I can fix it.

Just disconnect the CMOS batteries; you can find tutorials online. Or you can take it to a computer shop, it should be a simple fix.


Where are those located?


The grey coin-sized CMOS battery is alongside the motherboard.

I suggest you look at the many guides and videos, just search "removing BIOS password".


That will work for sure? I'd have to really start taking things apart.


Not for sure. That trick is kinda old.

I had a Pentium III based HP laptop that stored the password on a chip that didn't require a battery to evade such a trick. The only fix was using the backdoor password that could be generated by using the serial number of the laptop (HP required proof of ownership, but I had dumpster dived this from their offices). The backdoor password was retrieved by wiring 50 USD to a fellow in the Czech Republic who had the keygen tool HP support would use.


Check HP for the service manual for your laptop. This is generally a standard goal the manual will give steps for. Usually all you need is a screwdriver of the right size and a bit of guts to pull apart bits of plastic, though I find my confidence that I'm not destroying anything is greatly enhanced when I'm following the manual and have reasonable confidence all the screws are out properly.


Almost certainly yes. I have taken apart many laptops, it's usually not more than 5 minutes reading a guide/video and another 5-10 minutes of work.


I had the same issue with a second hand HP laptop. However, I could still log in as administrator on the Windows install, enabling me to dump the flash memory used to store the BIOS firmware and configuration, which included the password hash. Some reverse engineering later, and I was able to brute force the hash successfully. So that could be an option if the password is not stored in battery-backed memory, and you have a bit of time on your hands to get stuck into the BIOS internals.


What's the model number of the laptop?


Not exactly sure because I don't have the laptop on me. Do you have model specific advice I should know about?


Macbook Pro running El Capitan. The firmware is password locked so no one can change the boot disk, the SSD, Samsung 840 Pro, is encrypted with FileVault2.

I also have guest access enabled to entice the unauthorised user to log in and connect to the internet, where I can lock or nuke the laptop using iCloud.

One thing I missed about the old OpenFirmware Macs was that you could personalise a message into the firmware boot screen like, "Call me: +1 305 555 222 for a reward!" The current FileVault login page has no such option.


> One thing I missed about the old OpenFirmware Macs was that you could personalise a message into the firmware boot screen like, "Call me: +1 305 555 222 for a reward!" The current FileVault login page has no such option.

Although not quite the boot screen, you can set a message on the user login screen, from System Preferences -> Security & Privacy -> Show a message when the screen is locked.

Also of course set it to require password after 1 minute or less after going to sleep (and going to sleep after a reasonable period of inactivity; I have mine set to 5 minutes) and disable automatic login.


So is the guest user only for when you leave the machine powered on? Just seems like the firmware password conflicts with the idea of the guest account.

I have gone back and forth on whether or not to enable the guest user. On one hand, it feels like giving an attacker another potential entry point to escalate privileges.


"The firmware is password locked" - how did you enable this?



How is an Apple service provider able to bypass this? If they can, so can an adversary, no?


What's this guest access enabled you speak of? Sounds useful.


System Preferences > Users & Groups > Guest User > Allow guests to log onto this computer

"If FileVault is turned on guest users can only access Safari."


Okay thanks. I always have FileVault on so I guess I already have this one.


I use Mac OS X FileVault2, with a firmware password. It's incredibly easy to set up and should be good enough to protect my data from the majority of thieves.

Coupled with encrypted Time Machine backups and Arq[0] I feel relatively ok about losing my machine.

[0] https://www.arqbackup.com


Just so you're aware, the firmware password on a Mac can easily be bypassed by anyone with an SPI writer. [1] Using a teensy and a chip clip, someone can clear the password or bypass the password check completely.

So, it will keep the honest out, but for someone who knows what they're doing, it will only prove a mild inconvenience.

This obviously doesn't help them bypass FDE, but in case they want to steal the laptop and not have a brick, the SPI writer works a treat.

[1] https://trmm.net/SPI_flash


FDE is not supposed to be an anti-stealing mechanism anyway.

Besides, any potential thief won't even know whether you're running FDE or not on the laptop they steal, or whether it would be bricked or not. They can always sell it for its parts (screen, etc) anyway.


It actually is a mechanism to reduce impact of theft. Someone with access to your computing hardware might modify it to subvert the system, read keystrokes, decrypt drive, leak it, and so on. This can be as simple as Customs installing something as you leave the country during an "inspection" then reading keys right off when you come back. Not saying it happens so much as a concern we had during a brainstorm. Or someone plugging in an attack tool into your Firewire port while you take a piss at Starbucks. Or you plug in USB drive they dropped with a radio and attack kit in its connector.

Whereas, if someone straight-up steals it, they have no chance of recovering data if the encryption is strong and key isn't in memory (e.g. cold boot). You can also transmit media through untrusted channels that way. Even NSA's Inline Media Encryptor, which inspired my designs, has that use case.


>It actually is a mechanism to reduce impact of theft.

Sure, but that's different from anti-stealing (and I mean stealing the machine of course, not the data).


I did not know that, but at least they can't get my data. The machine is costly, but my work is much more so!


I use FileVault too on the laptop and it's fine. On the desktop it bogles the Bluetooth (El Capitan) and related devices (keyboard/mouse) which is VERY annoying.


Thx. I am a relatively new Mac user and didn't realize this existed. Will try this. Any weird issues or edge cases to consider before turning this on ?


Yes. FileVault is awesome, but if your encrypted filesystem ever gets corrupted (which can and does happen), your encrypted data is useless and your volume is toast until it's wiped and re-imaged. Surprisingly I have never had this happen, but more than one friend has reported losing their data due to FS corruption with FileVault enabled. I suppose it can be mitigated with a solid Time Machine/backup routine.


Yep, happened to me and I've never used FileVault again.

I had a TimeMachine backup too but hadn't synced recently and ended up doing a bunch of hackery to recover the un-synced data :(

I much prefer 2FA & revocable certificates on remote accounts so I'm not worried about unauthorized access, and anything else important is encrypted independently.


I have used FileVault since it was released many many years ago. In the beginning there was a fairly severe performance penalty, but it's solid now. I highly recommend using it. On an SSD, at least, but spinning disks + FileVault is borderline unusable IMO.


+1 for Arq


"I feel relatively ok about losing my machine." Does that mean you'd feel enthusiastic about donating it? :)


I don't have any files on my personal laptop.

I have a USB key or two on my key-ring, and in theory I have an external hard-drive although currently I don't use it.

I keep code on a VM and GitHub.

In general I don't really have anything I can't lose or have made public. Instead of looking at my laptop as a thing I have to protect I look at it as a thing that will inevitably be lost, damaged or replaced.


What about session tokens to cloud services you likely use?


My primary accounts are not left logged in. I don't let my browser auto-fill passwords. Github for example has two-factor enabled. I somewhat regularly clean my browser data.

If a nation-state wants to "get me", they will. In fact most of us would probably not be able to withstand a targeted attack by a skilled or simply motivated attacker.

I don't expect my hard-drive being encrypted would save me in court. I probably wouldn't ultimately withstand a prolonged beating in defense of it either.

It all comes down to whether your juice is worth the squeeze. I have very little juice (on display), and I don't give anyone much reason to suspect there's more juice out there.


There are a lot of low-hanging fruit forensic techniques that would allow for recovery of data that was once on the device and you now think to be gone, like session tokens and cookies. One of the major reasons to use full-drive encryption is so that these forensic artifacts will be encrypted in addition to the files you still actually keep around. This is also why you should enable full-disk encryption at the very beginning, OR wait while the entire drive is rewritten when you enable it.


- Bitlocker on my Windows 10 Pro laptop (because I'm more concerned about an everyday thief prying open my laptop than a government agent)

- ChromeOS built-in encryption/LUKS FDE on the Fedora partition on my Chromebook

I should probably encrypt my Android phone and tablet, but I had a bad experience with performance overhead when I encrypted my last phone.


Depending on which version of Android you're running, you may be pleasantly surprised. Manually encrypted an HTC One m9 (Lollipop) and found no noticeable performance decrement, and now with it enabled by default in Marshmallow it's unnoticeable.


The main annoyance with full-disk encryption on Android is that it disables several handy features of the lock screen, such as being able to take a photo directly from the lock screen.


I just checked that on three devices and I am certain that this is a problem unconnected to encryption. Not sure how, but you might be able to solve this somehow.


I have the same setup: bitlocker for Windows 10 and LUKS for Fedora. I have also enabled secure boot and it works fine with both OS'.


I don't think it is even possible to hide it from government.


Yup, encrypt every time.

Otherwise, they may be able to snag your SSH RSA keys off of the hard drive, and if you've password protected it, they can try to brute force it.

Also, it helps safeguard against border patrol wanting to access your data while traveling.


Store your keys on a hardware token to reduce the chances of this happening (Nitrokey, Yubikey, OpenPGP smart card, etc.)


They'd backdoor your machine instead. Same result.


Same result? With something like a Yubikey you can't (excepting any vulnerabilities) extract the private key data even with the admin PIN codes. Based on your PIN caching preferences an attacker may be able to sign/encrypt/decrypt data with your keys (suggest setting force PIN for sign and low TTL for pin caching in gpg-agent) but they won't be able to exfiltrate your private keys.


The way I read about Yubikey is that it is for websites, accounts, etc. Can you use it to log into your actual OS?


The Yubikey NEO (and the 4, but the 4 is more closed-source than the NEO) is basically a Javacard smartcard with OpenPGP and PIV (x.509) applets with standard interfaces. I have my GPG auth/sign/encrypt subkeys on it (master/certification key stays offline), and with gpg-agent it will present your GPG auth key as SSH credentials.

There are Yubikey-specific PAM modules you can use as a second factor for logging in locally, and there are probably ways to use standard smartcard authentication for login purposes as well but I don't have experience with that. I mainly use it for remote SSH login purposes.


You can. The Yubikey can store a hash value in its second slot to act as a hardware token. I used to use mine with PAM so I couldn't get into my user account without it: https://developers.yubico.com/yubico-pam/


Yes, with a bit of setup and depending on your OS.

My problem with hardware tokens is simply that I lose them.


I keep mine on my car keys. Problem solved.


Then you (inevitably, Murphy's ...) lose your car keys. Now you have two problems. :p


Or stow a backup of your (yubikey) hardware in an encrypted (hopefully, zero-knowledge based) cloud service and restore when lost.


They can still bruteforce your disk.


They can still bruteforce you.



So, the dawn of SSDs has made hibernation and sleep redundant. I use FDE for my SSD (luks, and whatever good defaults ubuntu gives me).

As for the cloud, I store nothing sensitive on there. I used truecrypt, but now I find VeraCrypt easier to use and install. I lost my last installer of truecrypt, and I don't trust the ones floating around.

VeraCrypt hasn't been audited yet. This is a bad thing :)


Downloads: https://github.com/jrruethe/truecrypt

Verify the GPG key fingerprint and hashes: https://news.ycombinator.com/item?id=7812905


I have been looking for any sort of software review of VeraCrypt or suggestions by security experts that they use and recommend VeraCrypt. I want something more than unknown people in forums saying they use it.


Well then, use something battle tested like cryptsetup then. It is not as nice though.


I assume he's looking for an open-source option for Microsoft Windows. OSX and Linux is largely "solved". The Microsoft stack is less so after TrueCrypt's downfall.


For Mac, FileVault2. For Debian, LUKS full-disk.

It's tangential, but while on the topic of securing lost laptops, you should also password-protect GRUB and BIOS. Ideally, all three will use different passwords that are relatively long. Properly securing these elements in addition to having full-disk encryption will make your lost laptop useless to the would-be thieves.


I use FileVault on my MacBook and LUKS on my Debian machine. The only thing I really can't afford to lose is photos and art (backed up to Google Drive and an external hard drive), and SSH/GPG/etc. keys which are backed up to USBs. I could lose most of my hardware and be ok.


I find it interesting that nobody yet has mentioned TCG Opal with any of the latest popular consumer self-encrypting SSDs such as the Samsung EVOs and PROs.

You get full speed disk access and SSD friendly encryption (the disk is always encrypted anyways) and a relatively elegant way to install an unencrypted boot loader (PBA) that prompts you for your password.

There's a great open source Linux-based system for managing all of this (see my writeup https://vxlabs.com/2015/02/11/use-the-hardware-based-full-di... ) and I hear recent windows has built in support.


I use the Mac Disk Utility to create an encrypted volume. I use that volume to store sensitive files. It's just one file so it's fairly easy to back up in its encrypted form.

The main hassle is I have to open the drive and enter the password before using. But it's used infrequently.


This is my method as well. +1


LVM on top of dm-crypt with LUKS. Both swap and my btrfs root partition are in the LUKS volume. While that works fine, I wish it wasn't necessary to use LVM. Once btrfs supports encrypted drives, I'll be closer to not needing raw LUKS or LVM (hopefully btrfs would just use the dm-crypt kernel APIs). But encrypted swap is very important (your encryption key or other sensitive data could end up on a decrypted part of your disk after your laptop dies suddenly). So currently I'm SOL if I want to use a swap partition, maybe I should add a loopback device in btrfs that is non-cow?


I originally had the encryption turned on for my MacBook I purchased back in 2015. It ran fast enough that I did not mind it.

The thing that ultimately convinced me not to use it was a seasoned Apple Store employee. He said if something goes wrong and you have it turned on, we cannot recover your data for you.

I am more risk averse, so I went with not encrypting the entire drive.

If I did need some encryption on OSX, I would probably go with creating a directory and using the Disk Utility that is built into OSX to just encrypt that directory.


> He said if something goes wrong and you have it turned on, we cannot recover your data for you.

Contrary to the belief of the person you spoke to, this is a feature of encryption, not a bug. And you are not more risk averse by leaving encryption off, you're taking a bigger risk and assuming that the hardware will fail and you'll lose everything important on disk before you are able to back it up. In this scenario, it is more likely your laptop will get lost or stolen and you will wish that the info was non-recoverable by whoever ends up owning your laptop.


Why not just regularly back up your machine? I wouldn't expect apple store techs to recover my data anyway if I had to bring in a machine for repairs.


I also set up FileVault on my Mac, which I don't particularly like because it uses my login password to encrypt the hard drive.

I run Mint on my ThinkPad, and encrypted the hard drive at install-time (which is LUKS in the background). This means I have a separate password for the OS and my user data. The boot password is very long (it's a saying that is memorable to me) so is pretty difficult to brute-force, while my user password is complex enough for regular use. I also have my user data encrypted. LUKS can leverage the AES instructions on current-gen CPUs to speed up encrypted operations to near-native speeds, but even without it, you'll only notice a slow-down if you're doing heavy IO. My MBP is an old Core 2 Duo and is not unusable with FDE enabled.

I also used my Yubikey as a second factor for a time - you can hook this into the LUKS decryption screen to hash the passphrase a second time to generate the decryption key. While I was at it, I had my Yubikey set up to be required to log in or unlock the screen. So while there was a backup passphrase to unlock the hard drive, I couldn't get into my own user account without the Yubikey. I eventually disabled this because I thought it was overkill, but it works pretty well.

However, don't forget that encryption ONLY protects data at rest! A laptop in sleep mode is NOT secure, even with FDE. I always shut down the machine completely when I'm in a situation I could lose it (e.g. airport security). Otherwise, the keys are kept in memory, and a determined hacker has ways of getting to them - look up DMA attacks. Downloading the contents of RAM through a firewire port is pretty trivial these days.

A final thing to note - none of these methods stop a thief installing their own OS on your machine. Whilst this means your data is secure, you can make things a little bit harder for the thief by adding a boot or BIOS password to prevent them booting from a different medium. There are ways to reset this, admittedly, but since it won't get in your way (much), add another stumbling block for your enemy.
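The second-factor arrangement described in the comment above (a passphrase mixed with a YubiKey, plus a backup passphrase), sketched as an added example that is not part of the original comment. It assumes the token runs HMAC-SHA1 challenge-response; `Volume` is a toy stand-in for LUKS key slots rather than cryptsetup's on-disk format, and the secret and passphrases are constructed.

```python
import hashlib
import hmac
import os

def token_response(token_secret: bytes, challenge: bytes) -> bytes:
    # Token side (assumed HMAC-SHA1 challenge-response): the secret stays on the device.
    return hmac.new(token_secret, challenge, hashlib.sha1).digest()

def slot_passphrase(typed: str, token_secret: bytes) -> str:
    # The typed passphrase is hashed into a fixed-size challenge; the token's
    # response, not the typed text, is what gets enrolled in the key slot.
    challenge = hashlib.sha256(typed.encode()).digest()
    return token_response(token_secret, challenge).hex()

class Volume:
    """Toy stand-in for LUKS key slots: every slot wraps the same master key."""

    def __init__(self):
        self.master = os.urandom(32)
        self.slots = []

    @staticmethod
    def _kek(passphrase: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 50_000)

    def enroll(self, passphrase: str) -> None:
        salt = os.urandom(16)
        wrapped = bytes(a ^ b for a, b in zip(self.master, self._kek(passphrase, salt)))
        self.slots.append((salt, wrapped, hashlib.sha256(self.master).digest()))

    def unlock(self, passphrase: str):
        for salt, wrapped, check in self.slots:
            key = bytes(a ^ b for a, b in zip(wrapped, self._kek(passphrase, salt)))
            if hmac.compare_digest(hashlib.sha256(key).digest(), check):
                return key
        return None

def demo() -> dict:
    secret = bytes.fromhex("00112233445566778899aabbccddeeff00112233")  # constructed
    other = bytes(20)                                                   # a different token
    vol = Volume()
    vol.enroll(slot_passphrase("memorable saying", secret))  # slot 0: passphrase + token
    vol.enroll("long backup passphrase")                     # slot 1: backup, no token
    return {
        "passphrase+token": vol.unlock(slot_passphrase("memorable saying", secret)) == vol.master,
        "passphrase only": vol.unlock("memorable saying") is not None,
        "wrong token": vol.unlock(slot_passphrase("memorable saying", other)) is not None,
        "backup passphrase": vol.unlock("long backup passphrase") == vol.master,
    }
```

The backup slot is the only way in if the token is lost, so its passphrase has to carry the full strength on its own.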


> A final thing to note - none of these methods stop a thief installing their own OS on your machine. Whilst this means your data is secure, you can make things a little bit harder for the thief by adding a boot or BIOS password to prevent them booting from a different medium. There are ways to reset this, admittedly, but since it won't get in your way (much), add another stumbling block for your enemy.

If you use UEFI with secure boot (and your own keys with the windows ones removed, and an administrative password set up in your firmware) then you're in theory protected against that attack as well. What's more, openSUSE Just Works™ with UEFI. I wanted to flash LibreBoot (a CoreBoot distribution that is free as in freedom) but I'm worried about bricking my laptop (as well as not being sure about how good Linux's support is for that).


I use full-disk encryption via LVM on LUKS [0]. I rarely bother with per-user encrypted home directories since I'm the only user of the device and I don't leave it on while traveling or unattended.

For external drives and cloud storage I use EncFS via Gnome EncFS Manager [1], which makes it easy to keep track of and mount "stashes".

[0]: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_...

[1]: http://www.libertyzero.com/GEncfsM


I don't. I don't even have an account password for my windows machine. I want whoever has my laptop to have access to my PC so he can use it - in the hope that I will gather enough information about him and I will track him down to recover my laptop.

If the pc is fully encrypted, they'll have to erase the HDD and the programs I installed will be gone along with my chances of ever recovering it. On the other hand, I adopted the same behavior for my linux laptop and I'm not sure it's wise, the chances of someone continuing to use it are slim at best.


I see some merit in your argument. I have a little more to add on this.

Leave a password-free account and have a password-based account also. It allows the stealer to use the computer without hindrance and also protects your data from casual thieves at the workplace.


I set up my non-techie dad with an ubuntu install, and it has been less tech-support effort on my part.

Give the people a chrome/firefox icon on the desktop, and they'll use linux without knowing the difference.


I own a Motion Computing R12 Windows 7 Pro tablet. It comes with WinMagic's SecureDoc Disk Encryption. I have not needed it simply because it is not used in a corp. work environment nor do I travel a lot. I log in with my fingerprint for simplicity's sake. My desktop is also Windows 7 Pro and both it and my tablet have just login passwords. I did buy a YubiKey Nano for my desktop which I use with Password Safe for all my logins. For my desktop I would probably use DiskCryptor. My Android phone is encrypted however.

If you do not have tons of sensitive data to hide I see no reason to encrypt at present.


I only encrypt the /home dir with dm-crypt running ArchLinux. I did use TrueCrypt on my previous laptop but at a certain point it was broken and it seems development ended in 2014.


A few years ago we were burgled and one of my laptops was stolen. The process of revoking keys and changing passwords (on a tiny borrowed netbook, no less) was painful enough that I would never risk going unencrypted again.

It's an install option on any modern OS, or something transparently enabled in your BIOS, the only time I notice it is on my Mac where I have to unlock twice occasionally if it's been asleep.


My Windows machines are not encrypted because the home edition they run does not support BitLocker. Microsoft should reconsider.

Most of my other installations (Mac, Linux, FreeBSD) are encrypted (LVM, ZFS, etc) or will be soon.

To be honest this only really helps against casual attackers (lost/stolen machine) because much of my personal data is in OneDrive which will offer me no protections against governments or determined individuals.


Pro supports bitlocker.


LUKS, combined with suspend to disk. Both on my laptops and the on-prem homeserver that holds all my personal data.


I am running Ubuntu, I use eCryptfs [0] to encrypt my home directory and openssl for other files.

[0] https://help.ubuntu.com/community/EncryptedHome


I just use Truecrypt 7.1a, and encrypt the entire drive, so it requires a password before booting.


Yes that's what I do too and my external drives are also encrypted with it and use the same password. So one password on start-up mounts those as well and always to the same drive letter.

Having all memory sticks encrypted makes for wonderful peace of mind.


What laptop do you have? Truecrypt doesn't support UEFI which seems to be the only option every laptop has these days.


Samsung Series 9. It's almost three years old now, so that explains the lack of UEFI.


Does this affect performance? Esp for things like photoshop?


I use Photoshop daily, and play some Steam games once in a while. My laptop is an ultrabook with a SSD. I can't see any impact on performance. If there is an impact, I'd need to setup benchmarks to identify it.


Oh, that sounds cool. Have you tried any other fork of TrueCrypt?


I don't use photoshop, nor can I offer anything other than my perception but I haven't noticed performance being reduced in any way.


As for performance, per DiskCryptor's wiki (windows only): "On the Intel Core 2 Quad Q6600 CPU, data encryption speed amounts to 104 MB/s per core. The maximum speed of reading the data from a single hard disk equals to 80 MB/s so it can work with up to 5 different disks without loss of performance, when using the aforementioned type of processor. In case if your disks are not operating under a constant high load, then it is possible to work with even higher number of disks, and on a weaker system, without losing the performance."

I would assume this is true for all encryption schemes. But, really the most advanced stuff runs on linux based machines, I would proffer.


I run BitLocker on my Windows 10 machine; it causes some issues with multibooting.

Does anyone have a good multiboot disk encryption setup?

On Linux I sometimes use LUKS disk encryption. For ad hoc container-file disk encryption I use VeraCrypt, which is the successor of TrueCrypt.


DiskCryptor https://diskcryptor.net/wiki/Main_Page

Full compatibility with third party boot loaders (LILO, GRUB, etc.). Encryption of system and bootable partitions with pre-boot authentication. Option to place boot loader on external media and to authenticate using the key media. Support for key files. Full support for external storage devices. Option to create encrypted CD and DVD disks. Full support for encryption of external USB storage devices. Automatic mounting of disk partitions and external storage devices. Support for hotkeys and optional command-line interface (CLI). DiskCryptor supports FAT12, FAT16, FAT32, NTFS and exFAT file systems.


Partitions for swap and rootfs, both encrypted with LUKS. I carry boot disk on a USB stick. Decryption key is on bootdisk, too, to avoid typing in the passphrase every time.


LUKS for my Linux system and FileVault for my Apple

with http://www.passwordcard.org/ passwords


FileVault on Macs and OpenBSD's softraid(4) on non-Macs. Almost every OS these days has some support for full-disk encryption. Not using it is irresponsible.


I run 9front in my laptop and netboot, so root filesystem is at home and I boot off that. Only thing on my drive is a bootloader and kernel.


I use Arch Linux with LUKS for full disk encryption.


Debian with full disk encryption as suggested by installer.

Works.


On OS X I use FileVault 2. I also have data on encrypted, password-protected disk images. A firmware password on the machine too.

Another thought, what other things could someone do?

Check for the existence of a USB stick or SD card plugged into the machine in order to actually mount home? Log the user into a chroot env and mount nothing unless a USB stick exists?


No encryption here. For performance reasons I don't want encryption throttling my laptop CPU, or causing other issues.

I use the standard Windows logon password, but no encryption of drives.

I use KeePass for my password encryption, and I bought Kruptos 2 Pro for whenever I need to encrypt individual files or folders. It works with Dropbox, so I more or less have everything covered without needing to encrypt the whole thing.


I've never felt performance issues with full disk encryption, and I personally wouldn't feel safe carrying my laptop if I didn't have it.


It's good you haven't "felt" performance issues, but technically there would be a difference. I just prefer a slick, efficiently powered laptop using only the power it needs to do work. My laptop has 3 disks - 2 SSD and 1 HDD, that's too much to encrypt.


We use a boot password + Microsoft bitlocker on our work laptops. We use Syncdocs http://syncdocs.com to encrypt all our Google Drive stuff.

The system works OK, and should keep data safe if a laptop gets stolen. Probably won't help against state actors, though.


Nice try FBI,

I use quantum resistant drive encryption.


Ubuntu 16.04 with full disk encryption. It's trivial to set, you can do it in installation phase.


Do you lose all your data if the disk suffers from any kind of data corruption?

or can you somehow still mount, unlock and retrieve the files that weren't affected?


I am running windows and have it fully encrypted with Bitlocker (AES 256).



