this post was submitted on 12 Oct 2025
32 points (94.4% liked)

Privacy

2729 readers
220 users here now

Icon base by Lorc under CC BY 3.0 with modifications to add a gradient

founded 2 years ago
MODERATORS
Ategon@programming.dev
danielintempesta@programming.dev
32
Encrypt your Linux with LUKS, like seriously. (lemdro.id)
submitted 5 days ago* (last edited 5 days ago) by cm0002@lemdro.id to c/privacy@programming.dev
6 comments fedilink hide all child comments
 

This makes a world of difference. I know many people may know of it but may not actually do it. It Protects your files in case your computer is ever stolen and prevents alphabet agencies from just brute forcing into your Laptop or whatever.

I found that Limine (bootloader) has the fastest decryption when paired with LUKS at least for my laptop.

If your computer isn't encrypted I could make a live USB of a distro, plug it into your computer, boot, and view your files on your hard drive. Completely bypassing your Login manager. If your computer is encrypted I could not. Use a strong password and different from your login

Benefits of Using LUKS with GRUB Enhanced Security

  • Data Protection: LUKS (Linux Unified Key Setup) encrypts disk partitions, ensuring that data remains secure even if the physical device is stolen.
  • Full Disk Encryption: It can encrypt the entire disk, including sensitive files and swap space, preventing unauthorized access to confidential information.

Compatibility with GRUB

  • Unlocking from Bootloader: GRUB can unlock LUKS-encrypted partitions using the cryptomount command, allowing the system to boot securely without exposing sensitive data.
  • Support for LVM: When combined with Logical Volume Management (LVM), LUKS allows for flexible partition management while maintaining encryption.

OC by @lunatique@lemmy.ml

top 6 comments
sorted by: hot top controversial new old
[–] rune 8 points 5 days ago

I'd even recommend encryption for non-laptops, it's less about IF they get stolen and more about WHEN the hard disk fails, you don't need to worry about all of your personal data being immediately available to anyone who plugs in your failed disk (whether RMA'd or electronics disposal). Before diaposal, if you can, run cryptserup erase to scrub the encryption keys.

[–] exupulosion@sh.itjust.works 7 points 5 days ago (1 children)

The OG poster (lemmy.ml so whatever) forgot to mention that backups and system recovery are a nightmare if anything goes wrong with the kernel, bootloader or both. Encrypt your home partition and swap, it's easier and who cares about what packages you have installed system-wide. If you got NSA on your ass you're cooked anyway. Encrypting non-system drives is more bearable

[–] fruitcantfly@programming.dev 7 points 5 days ago (1 children)

What makes recovery and backup a nightmare to you?

I've been running full-disk encryption for many years at this point, and recovery in case of problems with the kernel, bootloader, or anything else that renders my system inoperable, is the same as before I started using full-disk encryption:

I boot up a live-CD and then fix the problem. The only added step is unlocking my encrypted drive(s), but these days that typically just involves clicking on the drive in the file manager, and then entering my password. I don't even have to drop into console for that.

I am also not sure why backups would be any different. Are you using something that images entire devices?

[–] exupulosion@sh.itjust.works 0 points 4 days ago (1 children)

Read about btrfs issues people had on kernel version 6.15.4 - you'd be amazed. Some found a fix, some gave up. I don't think it's worth the risk

[–] fruitcantfly@programming.dev 1 points 4 days ago

That bug does sound bad, but it is not clear to me how a BTRFS specific bug relates to it supposedly being more difficult to recover (or backup) when using whole-disk encryption with LUKS. It seems like an entirely orthogonal issue to me

[–] Azenis@lemmy.world 1 points 5 days ago

I wanna encrypt my BTRFS system, but not the FAT32 boot part. Only the Linux kernels are on FAT32 anyway, and I don’t care about encrypting those — they’re public stuff, not private files. I just let limine-entry-tool hash them to make sure they’re clean for booting, that’s totally fine for me.

I don’t like putting kernels on the Linux filesystem for GRUB — it just makes booting slower and causes random issues.