Home encryption options

Sure @Archie1 But I will do it a bit later after I finish playing with BTRFS partitions. It seems I will ditch LUKS encryption for any partition. It was a bit problematic (for me). It seems I did something stupid that caused it not to wait till I input the LUKS password for /home; just after asking for the LUKS password, it proceeded instantly to asking me for the root password, and it takes me to another prompt, not to a desktop. I am sure I did something wrong. But I will keep trying.

I might look for another way to secure/encrypt my folders and files.

If you have encrypted the entire /home partition then it will encrypt everything, including .cache/.local/.var/.config directories. Any reason why you did this? According to my reading of the situation, encrypting all of these directories may not be optimal. Will it not suffice to encrypt only the documents directory, the pictures and few others in the HOME directory?

Best practice would be to encrypt the entire home partition in this case. There is sensitive data in other places. Especially in ~/.cache, ~/.config and other dot directories.

1 Like

Well, @Archie1
I generally did not like LUKS as I had some issues. I might have done something wrong. But I remember I saw some apps that can encrypt specific folders and files like ecryptfs. But I still need to read more about it and try it.

As far as I read till now the user can log in while the files/folders are still encrypted, and they won’t even appear that they are there (you just see the folder), but clicking on it you will see it is empty as it is encrypted. Even if anybody logged in as root, he will still see empty folders.

This is a bit different from LUKS that decrypts /home even before logging in and you can’t login before providing the LUKS password.

So it seems for me that ecryptfs fits more what I need. I can send my laptop for service/upgrade, they can get my user name, password, root password even and do whatever they want, but my data remains even invisible.

So, this is what I am after really. We are talking the same language.

But still I agree with @dalto with what he said

I will appreciate enlightening me further, what data are where and if they can be selectively encrypted if it is real sensitive or critical. What data, where, can be encrypted and left encrypted?

This sends me back to a question if LUKS decrypts files to even log in, I understand that it provides protection only against somebody having physical access to my laptop when locked or not logged in. But it won’t protect me in the service center.

If I keep the folders encrypted while I am logged in, even if a hacker can get in he will find nothing, which is not the case if I kept the folders encrypted with ecryptfs

Though LUKS can be fine for an external drive for backup.

1 Like

But then you can’t access them either.

The purpose of disk encryption is to protect your device or drive from physical theft or improper disposal. Not to stop remote hackers.

Of course, you can use file encryption to help protect you but this has obvious downsides. You need to protect the keys somehow and you can’t use the files while they are encrypted.

Almost nothing can be left encrypted. Basically only your data such as pictures and documents but then you need to decrypt them before you access them. You also lose the ability to index and search them.

1 Like

Sure, I understand. To make it easy, I am not paranoid.
I will encrypt them only if the laptop is switched off or logged out (hopefully automatically), so I can send it to the service center with peace of mind.

The above comments on this.

Normally my passwords are in my head only.
Even at gunpoint they won’t be able to get it because I will be focusing only on survival or escaping :rofl:

So ecryptfs somehow fits the bill as files will be protected from physical access as you get from LUKS and still can send to service center. (which LUKS won’t be covering me then)

Won’t they be able to do whatever they want, if they have access to your system with your root password and all? Install anything they want without you ever finding out, or finding out when it is already too late?

One question, do you need to leave your computer with your “real” disk to the service? Why not take it out? If they need to run an operating system, they can use a live usb.

1 Like

Well, as I understood about ecryptfs that if it is encrypted with a different password than the user and root they remain encrypted even with root password.

I am not that paranoid to think that they will install something to try to find out if I have something hidden and then install something to try to crack the password. Why would they do that much? I am not somebody that rich or have that top secret technology or info that somebody might care about getting.

It is mainly about “personal privacy” not about really hiding something.
I might not want them to know for example I am investing in the stock exchange, or I have more than one car. It won’t harm me if they even know. It is just about personal privacy. I don’t care if they got the books or the music.

I wasn’t referring to your personal data.

I was referring to your system. If you give them your username, password, root password for them to login into your system, even if your sensitive data is invisible to them, they can do whatever they want to your system. Install some malware which will spy on you, or steal your data when you are using your system. That is what I was referring to.

If leaving your computer to service with your data is making you sleepless, take out your disk.
If it is necessary put in another disk with Ubuntu on. Enable secure boot and password protect your BIOS.


If a computer repair center told me they needed my encryption and root passwords to perform some maintenance, I would find a new computer repair center. That sounds like a scam.

4 Likes

Honestly I would not leave any kind of information on a device I had to have serviced. I would in fact make sure that there is not even cache for them to explore. The best way to safeguard your data is to not give it to them in the first place. Even if you think it’s ‘secure’, the right equipment can cut through ‘secure’ like a knife through warm butter.

Before sending a laptop to a service centre, there is an expectation that the user has backed up all important data, because hardware replacement and/or reformatting resulting in loss of all data, is entirely possible.

So perhaps looking at it a bit differently. Rather than thinking about it as sending off your data, and therefore attempting to protect that data, think of it as you have a full backup of your data and you’re sending off a fully encrypted and protected system with disposable data.

If the service centre can’t work around an encrypted system, as others have suggested, you could switch out the disk, or throw on a temporary un-encrypted vanilla OS of some sort. I’d only suggest a temporary vanilla OS though, if the disk is normally fully encrypted (no private data can be recovered).

Full system encryption with LUKS requires no concern or fuss about what is and isn’t encrypted. Everyday use of it is far simpler than needing to monitor and worry about pockets and places of your drive that are and aren’t encrypted.

1 Like

To clarify on this point, @dalto if the partition is encrypted or certain folders are encrypted by using ecryptfs then we lose the ability to do a search using the shell/terminal commands like find or grep? Or do a search using Dolphin/Nautilus/KFind/others too? And the files inside the directories will not be indexed too? What about backups using software like clonezilla or timeshift or Kbackup or something similar? Is it possible that will be impacted too?
I am just trying to get a full picture over here. As I am also considering encrypting.

@limotux I had not considered this possibility, i.e. when laptop has to be given to a local service or authorized service center. Thanks

@cactux the suggestion on taking the disk out completely before handing it over to the service center is valid. But how will we deal with situations where disks are soldered to the motherboard? In that case what would still be preferred, selective directory encryption or full partition encryption.

Looking beyond the service centre question, how does one safely dispose of a laptop, which had at some point held sensitive and/or private data?

One could take out the hard drive before disposing of it, and store it securely. That remains a potential liability though. What if the hard drive is soldered to the motherboard?

Some SSDs support in-device encryption to aid with this issue, allowing one to simply cycle the keys and any data that was on there is essentially locked away behind forgotten encryption. If the SSD doesn’t have in-device encryption though, the alternative is something like OS based full-system encryption; LUKS.

1 Like

I am not sure if there is any standard answer to that question. I want to think full disk encryption is the better option.

2 Likes

LUKS decrypts at boot. This is long before you log in. It protects data when the computer is powered off. If it’s sleeping, hibernating, locked, or on standby, LUKS isn’t protecting it.

1 Like
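An added example (not code from any poster in this thread) tying together two points made above: that `~/.cache`, `~/.config` and other dot directories hold sensitive data, and that an unlocked LUKS mapping only protects data once the machine is powered off. It reads `lsblk -J -o NAME,TYPE,MOUNTPOINT` output and reports which paths live on a dm-crypt mapping; the device names and paths in the sample are constructed, and ecryptfs directories are out of scope because they are not block devices.

```python
import json
import os

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output (not from the
# thread): root is a plain partition, /home sits on an unlocked LUKS mapping.
SAMPLE_LSBLK = """
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": "/"},
    {"name": "nvme0n1p3", "type": "part", "mountpoint": null, "children": [
      {"name": "luks-home", "type": "crypt", "mountpoint": "/home"}
    ]}
  ]}
]}
"""

def mount_table(lsblk_json):
    """Map each mountpoint to True if a dm-crypt mapping sits beneath it."""
    table = {}
    def walk(dev, behind_crypt):
        # A "crypt" node only appears while the mapping is unlocked, so seeing
        # it also means the data is readable on the running system right now.
        behind_crypt = behind_crypt or dev.get("type") == "crypt"
        if dev.get("mountpoint"):
            table[dev["mountpoint"]] = behind_crypt
        for child in dev.get("children", []):
            walk(child, behind_crypt)
    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return table

def classify(path, table):
    """Say whether the filesystem holding `path` is encrypted at rest."""
    path = os.path.normpath(path)
    # The longest mountpoint that is a path prefix is the owning filesystem.
    owners = [m for m in table
              if path == m or path.startswith(m.rstrip("/") + "/")]
    if not owners:
        raise ValueError(f"no mounted filesystem found for {path}")
    owner = max(owners, key=len)
    return "encrypted-at-rest" if table[owner] else "plaintext-on-disk"

def audit(paths, lsblk_json=SAMPLE_LSBLK):
    table = mount_table(lsblk_json)
    return {p: classify(p, table) for p in paths}

if __name__ == "__main__":
    for p, state in audit(["/home/user/.cache", "/home/user/.config",
                           "/home/user/Documents", "/var/tmp", "/etc"]).items():
        print(f"{state:20} {p}")
```

On a real machine, pass the output of `lsblk -J -o NAME,TYPE,MOUNTPOINT` as `lsblk_json`; anything reported as `plaintext-on-disk` stays readable from the drive even when the laptop is switched off.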

Again, I am not that paranoid, I am not Bill Gates, Elon Musk, or anybody that people would be really caring to spy on to steal his money or to get top secret technology. Even if they did they will only get some PDF books I downloaded from the internet, some music and some personal photos perhaps. All my passwords, PIN numbers are in my head only.

What I have on my laptop isn’t that sensitive or dangerous really. Even if, the passwords and pins are in my head only.

They won’t do it before telling me, and before sending it out I will sync it to an encrypted (with ecryptfs) external drive anyway.

I was talking about using file encryption there, not an encrypted container that stays open while your machine is running.

If your disk is encrypted, it should be safe. If you aren’t using encryption, you have a few options:

  • Remove the storage
  • Wipe the storage
  • Physically destroy the storage

I believe the best is to encrypt the disk with LUKS or ecryptfs depending on the case and how you will be getting rid of it.

LUKS is best if you are just disposing of the drive only (as @dalto said, some other hidden files and folders may contain sensitive data.)

If I am selling it altogether as a working laptop I would install a fresh OS, and maybe encrypt it with both LUKS and then ecryptfs, and I won’t give the user password or root password to the buyer to force them to install their own OS again.

1 Like

What do you mean by ‘disposing’? Do you mean this in terms of getting rid of the device? If disposing of a drive, the best thing to do is to use dd and have it write zeros over the disk, or just take it out and physically destroy it. Why give anyone a disk that may have held sensitive data?

Honestly why not just charge 30-50 dollars less and have them get their own drive? I mean it would be much less attention to something you hope to get a few bucks from.