To LUKS or not?

I am on EndeavourOS, KDE, BTRFS, Grub, Snapper, BTRFS Assistant… etc and all working fine.
About security, I have been reading here in the forum about LUKS and understand it will improve the security (and stability hopefully) of the system.

But as I read here in the forum, some users are reporting some issues with LUKS.

So, I wonder, and ask, is it really worth trying? Is it problematic? How is it in general, pros, cons.

I will appreciate hearing from the experts here and from users using it and if they had any issues with it? How long? … etc.

I will appreciate your feedback.
I just don’t want to try something that “critical” that may break my system or cause issues.

What does LUKS really offer for security and stability, does it make a real “big” difference in security and stability?

Stability? Encryption will not add that as far as I know.
Issues? It can rarely cause issues with the tools used on updates, and indeed it encrypts partitions, and in case of system rescue you need to unlock them as an extra step before you can access them.

1 Like

LUKS encrypts your devices. It helps security in the sense that if your PC / laptop / discs get stolen, nobody can access your data. LUKS does not improve security of a running system.

I am using LUKS on all my devices. I have not experienced any issue at any time. LUKS is very mature.

2 Likes

All luks does is encrypt your data at rest. This means if someone gets hold of your hard disk, they can’t get the data unless they beat the key phrase out of you with a hammer.

The only signs you’ll see of luks in use is needing to enter a passphrase to unlock grub and then for each disk, unless you have it set up to auto-unlock in which case you will only need the grub password.

The only downside of luks is that if you don’t have a backup and your disk gets errors, your data is lost.

Luks does not affect stability.

1 Like

Thanks @joekamprad
Does this mean that fixing a broken system will be harder with LUKS?

But what you said @mbod makes me question my understanding. As far as I understood, LUKS encrypts even the OS itself, so no malware can affect it, so this is increased security. Or did I miss it?

Just curious, how long have you been using it?

So, from what you said I understand it is only about the /home folder files, that nobody can read them if laptop stolen and that’s all? It has nothing to do with securing the system itself?

The emphasis is on “running” :wink: as long as the containment is open, it’s open and unencrypted, only if the System is powered off completely it is encrypted and closed.

1 Like

NO. LUKS encrypts disk partitions, not the OS itself.

I have a few external drives that have LUKS on them and I have had no issues with them. I don’t, however, have my system drive encrypted. I see no point for my usage.

1 Like

I still got a lot to learn, @joekamprad
That is, it is encrypted only if it is switched off. But if booted then nothing is encrypted. What if booted but the user still did not enter his password? Would it remain encrypted, system and data, and will it only be decrypted when the user enters his password? Did I get it right?

Thanks @thefrog
This is a good security for my personal data if I backup to an external USB drive. Nobody can read my data. Only me on my machine. Right?

1 Like

Not your login password, by then it’s already decrypted. That’s done by entering the decryption passphrase at boot. Or by setting it up to use TPM.

1 Like

Yes, it will ask for the passphrase on booting the system.

1 Like

Oooops!
This is bad really. This means I have to attach an external USB drive to my laptop to sync my home folder with it all the time! Just in case.

So, Let me summarize my understanding of LUKS.

It only encrypts my personal data in case my laptop gets stolen or sent for repair, they won’t be able to read or get my personal data. If I did it on an external USB drive, only me will have access to it on my system, nobody else. It does not really secure the OS itself from malware.

Am I right?

Just one question remains. Assume I backed up my home folder with LUKS to an external drive, then the laptop or drive on it passed away and I had to do a fresh install on the same machine or on a new machine, using my same previous passwords and settings. Will I be able to read the data backed up on this external drive that was created and saved with LUKS from the other machine?

I back up my home directory once a day. It means there is a potential for some data loss, but it’s minimal.

It only encrypts my personal data in case my laptop gets stolen or sent for repair, they won’t be able to read or get my personal data.

Yes, but most luks setups also encrypt the system disk.

If I did it on an external USB drive, only me will have access to it on my system, nobody else.

Technically, anyone who has the encryption key can unlock it. Usually this is just you.

Will I be able to read the data backed up on this external drive that was created and saved with LUKS from the other machine?

You can read an encrypted drive from any machine as long as you know the passphrase and it has luks installed.

2 Likes
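
The point made in the answer above, that a LUKS backup drive can be opened on any machine with cryptsetup installed, shown as an added example that is not part of any post in this thread. The device path, mapper name and mount point are placeholders, and `unlock_backup` must be run as root.

```shell
#!/bin/sh
# Added example: open a LUKS-encrypted backup drive on a different machine.
# Nothing here depends on the machine that created the drive; only the
# passphrase (or key file) and the cryptsetup tool are needed.

# Print the LUKS version (1 or 2) stored in the header of a device or image
# file; return 1 if no LUKS header is present. A LUKS header starts with the
# magic bytes "LUKS" 0xBA 0xBE followed by a 2-byte big-endian version.
luks_version() {
    hdr=$(od -An -tx1 -N8 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        4c554b53babe????)
            ver=${hdr#4c554b53babe}
            echo $((0x$ver))
            ;;
        *)
            return 1
            ;;
    esac
}

# Unlock and mount the backup. Arguments (all placeholders):
#   $1 block device, e.g. /dev/sdX1   $2 mapper name   $3 mount point
unlock_backup() {
    dev=$1; name=$2; mnt=${3:-/mnt/backup}
    if ! luks_version "$dev" >/dev/null; then
        echo "$dev does not carry a LUKS header" >&2
        return 1
    fi
    cryptsetup open "$dev" "$name" || return 1   # prompts for the passphrase
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"
}

# Unmount and close again, so the data is back to encrypted-at-rest.
lock_backup() {
    umount "$2" && cryptsetup close "$1"
}

# Stand-alone use: sh this-script /dev/sdX1 backup [/mnt/backup]
if [ "$#" -ge 2 ]; then
    unlock_backup "$@"
fi
```
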

Thank you all for all your feedback. I really appreciate it.
Thanks a lot.

Try staying away from those things :sweat_smile:

1 Like

This is what I am trying to do and why I asked.

1 Like

My 2 cents is you don’t need it. :rofl:

This is what I concluded from the discussion. And this is worth more than just 2 cents :rofl:

1 Like

If you do not encrypt your disk, physical access to your device is automatically root access. Whether that is a concern for you or not is completely dependent on your personal threat model.

1 Like

But I understood from the discussion that once the device booted the files won’t be encrypted. So what is the point in having it encrypted while it is off?