Is full disk encryption a meme? Why would you use it with all that extra processing?
>Why would you use it
To prevent an adversary from gaining access to my files.
>all that extra processing?
Moot point, hardware encryption brings the bottleneck back to the storage device.
>Is full disk encryption a meme?
>Why would you use it with all that extra processing?
I don't use it on my desktop. If I had a laptop I would certainly use it as laptops are easy to steal.
>with all that extra processing?
You won't even mention it on ten year old computers. A bigger bottleneck is multi-process applications that do everything thrice, like Chrome or lately Firefox.
Ok different approach.
Can I use LUKS in this case to encrypt ONLY my Linux partition? I don't keep important stuff on Windows anyway. It's only for uni since we need to use that shit there.
There isn't any extra processing, that's not how hard drives work. The real downside is that it makes data recovery a bitch, hence I wouldn't recommend it to anybody unless you know you really need it, like mandated by your employer or something.
>tfw you need to type the darn password every time you boot up the machine
>Yeah but I wouldn't call luks real disk encryption
cryptsetup luksFormat /dev/sda
>it works on the partition level not disk level
LUKS does not care about "partitions" or "disks". It works with block devices.
>and that's trivial to break through.
I'm still lurking + threadwatcher has this thread. So I won't miss anything here. Thanks for pointing it out.
No tpm support unless you patch it in yourself, hence it needs a /boot partition, hence it works on the partition level, hence it's vulnerable by design to attacks that have been public knowledge since defcon 12.
LUKS does not deal with partitions but with block devices.
There can be a LUKS encrypted machine without any partitions.
The boot loader and initrd are stored on a flash drive that is chained to your body.
And, why the fuck would you ever use a plaintext storage device? Do you want to be able to wipe and/or recycle it? (Remember, SSDs cannot be securely wiped.) Is all of your data public, including your passwords? Of course not.
There is no noticeable overhead, even on fast SSDs, with software encryption, particularly with AES-NI acceleration using xts-plain64 mode.
It's not necessarily the best approach in every scenario. Filesystem level encryption using GCM or another AEAD would be preferable. Bootstrapping, boot integrity, key storage and handling and potential hardware attacks remain potential challenges - and are strictly outside the scope of LUKS, as is any online/remote encryption.
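Added example, not part of any post in the thread: the LUKS1 header sits at offset 0 of whatever block device was formatted (whole disk, partition or image file) and records the cipher and mode, such as the xts-plain64 mentioned above. The Python below parses that header; the function names are hypothetical and the sample header is constructed for the example.

```python
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"
# LUKS1 header fields up to the UUID, big-endian: magic, version, cipher name,
# cipher mode, hash spec, payload offset (sectors), key bytes, master-key
# digest, digest salt, digest iterations, UUID.
LUKS1_FMT = ">6sH32s32s32sII20s32sI40s"
SECTOR = 512

def _cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks_header(blob):
    """Parse the first bytes of a block device or image; None if not LUKS."""
    if len(blob) < 8 or blob[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack(">H", blob[6:8])[0]
    if version != 1:
        # LUKS2 shares the magic and version field; the rest is laid out differently.
        return {"version": version}
    if len(blob) < struct.calcsize(LUKS1_FMT):
        raise ValueError("truncated LUKS1 header")
    (_, _, cipher, mode, hash_spec, payload, key_bytes,
     _, _, iters, uuid) = struct.unpack_from(LUKS1_FMT, blob)
    return {
        "version": 1,
        "cipher": _cstr(cipher),
        "mode": _cstr(mode),
        "hash": _cstr(hash_spec),
        "key_bits": key_bytes * 8,          # XTS splits this key in two halves
        "payload_offset_bytes": payload * SECTOR,
        "mk_digest_iterations": iters,
        "uuid": _cstr(uuid),
    }

def build_sample_header():
    """Constructed LUKS1 header (all-zero digest/salt, placeholder UUID)."""
    return struct.pack(LUKS1_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64",
                       b"sha256", 4096, 64, bytes(20), bytes(32), 100000,
                       b"00000000-0000-0000-0000-000000000000")

if __name__ == "__main__":
    # With a path argument, read the start of that device or image (needs read access).
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read(struct.calcsize(LUKS1_FMT))
    else:
        data = build_sample_header()
    print(parse_luks_header(data))
```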
What is the advantage of whole disk encryption vs only encrypting the files I want to hide?
If I want to encrypt my entire disk, is there a way of doing so without completely reinstalling my system?
I use TrueCrypt FDE, not LUKS.
LUKS does not offer hidden FDE, which means if you're ever under attack by FBI/NSA, then they can force you to give up your password, else face contempt of court.
The only way I think you could have plausible deniability while having LUKS is if you somehow proved that none of the activity that they have logs on is yours.
basically there is no current way to securely wipe SSDs. a solution exists, but no manufacturer has implemented it yet.
>mfw half the people in this thread are probably doing full disk on fucking SSDs.
shred 10 times a file on your ssd. good luck to restore it.
If some agency has the power to restore the shredded file, then they are likely powerful enough to send you to jail without a valid reason.
>In the meantime, the only sure way to erase the data on an SSD or USB drive requires a very large hammer.
post a source stating SSDs have been 'fixed' then.
If you had to keep going around manually encrypting files, there's a high chance you will screw up and miss one or two potentially important ones.
OSX's FileVault transparently encrypts the main system drive when you turn it on, I guess there must be some similar system available on Linux? Who knows.
It's absolutely pointless unless you are a terrorist/professional criminal that lives in stealth.
I'm not even memeing. Normal people will just be held indefinitely until the keys are handed over.
Actually, there IS a lot of performance loss when using full disc encryption without AES-NI.
I put my 850 EVO in a laptop with an AMD chip and the SSD benchmark values were absolutely atrocious.
Now, I'm using the exact same SSD together with an AES-NI capable processor and the values are good.
I encrypted everything on my laptop including /boot.
You have to have my thumb drive to decrypt the boot partition, then decrypt the rest of the drive from there.
Basically without my thumb drive and password the entire system won't do anything and is a complete jumbled mess of encrypted data.