To LUKS or not?

You can also lock your drive with the data inside a safe.
Whether there is a need for that is your personal choice.

If you have data that needs to be secured, you can also use an external drive that is encrypted, and you only open it in case you need the data. Back it up in encrypted form as well…

If needed, simply do not save passwords and access data on the computer at all; use a smart key, for example.

Personally, I tend to keep these things as simple as possible.

To clarify, when one “unlocks” a LUKS partition, they’re not decrypting the partition, they are only giving the running system decrypted access to it. For example, if I unlock a LUKS volume and then immediately hit the power button without properly shutting down, that LUKS volume is not now un-encrypted. It remains encrypted. I’ll need to unlock it again to access it.

An analogy perhaps.

Let’s say you have a motor-home. For example’s sake, let’s say that it’s highly secure and without a special key, it’s virtually impossible to enter, even with brute force (LUKS encryption). On a shelf within the motor-home is a note with your bank account login details on it (personal data). You can safely assume this information is secured and locked safely within your motor-home, even when away from it.

You use your special key to enter the motor-home with your family (unlock LUKS). Your motor-home still has all its security, that is all still there. The only difference now is you and your family are now inside and interacting with what’s inside (a running system). You and your whole family can see the note on the shelf with the bank account details, and that’s fine, because you can trust your family in your motor-home.

The risk however, is that so long as your family is in the motor-home (a running system), someone might open the door for a guest (possibly malware), inviting them in, completely bypassing the external physical security of the motor-home. Someone could also call your family, and maybe find a way to trick one of the kids to read the secret note with bank details on it (remote exploit).

1 Like

Personally, I use LUKS on all systems. I’ve been broken into twice and had valuables stolen. I also unfortunately lost a laptop once. A SurfaceBook I had also died, but these devices do not permit you physical access to the drive to remove and erase it, short of violently busting apart the screen.

I use full system LUKS encryption because:

  • In the event a device is stolen or lost, I can rest assured none of my personal data is compromised. I don’t need to worry what might have been on there.
  • In the event a difficult to service system (like a SurfaceBook) breaks and is unusable, I don’t need to worry about trying to securely wipe any data.
  • In the event I want to wipe a system and give it away or sell it, simply formatting the drive is sufficient, as any potentially recoverable data has been securely encrypted.

If there is at least one active login in the browser, or one personal piece of data on your system that you would not want to fall into the wrong hands, then that is a strong case to use LUKS encryption.

2 Likes

I have personal data, so of course all my disks are LUKS encrypted.

Although my backups are encrypted, I have additionally LUKS-encrypted all backup disks. The reason is that it could happen that I copy something to my backup disk outside of the normal backup process. In such a case it could not happen that I compromise things.

I started using LUKS in 2010 at the latest. But it could be that it was some years earlier, actually.

1 Like

This is about physical access to the device. If somebody gets hold of your hard disk, the LUKS encryption makes a big difference. Whether it is a burglar or the police confiscating your PC: the data is safe with LUKS.

Also keep in mind that encrypting a drive can make it slower in specific workloads or in general. So if you need the best performance your device can give, it may not be helpful to encrypt drives.

Fun fact, I got a new notebook for work (sadly with Windows 11). BitLocker (the encryption method from Windows) was hitting the device so hard, I had to disable it in order to properly use Visual Studio.

When you run the cryptsetup benchmark command you can see how fast your PC is able to encrypt/decrypt data.

With kernel 6.12.21 my PC shows this for aes-xts:

#     Algorithm |       Key |      Encryption |      Decryption
        aes-xts        256b      5400.4 MiB/s      5405.3 MiB/s
        aes-xts        512b      5043.2 MiB/s      5030.4 MiB/s

This is much faster than any of the devices I have attached. Therefore my fio benchmark shows that all my bare-metal disks (Seagate and Western Digital) are not slowed down by LUKS.

My NVMe is slightly slower with LUKS. But with LUKS it is still reading faster than 3000 MiB/s and writing faster than 1500 MiB/s.

So from my point of view LUKS performance is not an issue.

1 Like
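The comparison made in the post above (cipher throughput from cryptsetup benchmark versus what the disk itself can deliver) can be scripted. This is an added example, not code from the thread or from cryptsetup; the benchmark table is the one quoted above, embedded as a constant, and the device rates passed in are constructed values standing in for fio results. Reads go through decryption and writes through encryption, so each direction is checked against its own column.

```python
"""Check whether dm-crypt throughput is likely to cap a given disk.

Parses the cipher table printed by `cryptsetup benchmark` and compares it
with a measured device throughput (e.g. from fio). Note the benchmark is a
single-thread, memory-only number; real dm-crypt work is spread over cores,
so this is a conservative, first-order estimate.
"""
import re
from typing import Dict, Tuple

# Table rows as printed by `cryptsetup benchmark` (values taken from the
# post above; the header line is skipped by the regex).
SAMPLE_BENCHMARK = """\
#     Algorithm |       Key |      Encryption |      Decryption
        aes-xts        256b      5400.4 MiB/s      5405.3 MiB/s
        aes-xts        512b      5043.2 MiB/s      5030.4 MiB/s
"""

ROW = re.compile(
    r"^\s*(?P<algo>[\w-]+)\s+(?P<key>\d+)b\s+"
    r"(?P<enc>[\d.]+)\s+MiB/s\s+(?P<dec>[\d.]+)\s+MiB/s\s*$"
)


def parse_benchmark(text: str) -> Dict[Tuple[str, int], Tuple[float, float]]:
    """Map (algorithm, key bits) -> (encrypt MiB/s, decrypt MiB/s)."""
    rates: Dict[Tuple[str, int], Tuple[float, float]] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rates[(m["algo"], int(m["key"]))] = (float(m["enc"]), float(m["dec"]))
    return rates


def luks_headroom(rates, algo, key_bits, dev_read_mibs, dev_write_mibs):
    """Return (read_headroom, write_headroom) = cipher rate / device rate.

    Reads are decrypted, writes are encrypted. A value below 1.0 means the
    CPU, not the disk, would set the ceiling for that direction.
    """
    enc, dec = rates[(algo, key_bits)]
    return dec / dev_read_mibs, enc / dev_write_mibs


def is_bottleneck(rates, algo, key_bits, dev_read_mibs, dev_write_mibs) -> bool:
    """True if LUKS would likely slow the device in either direction."""
    r, w = luks_headroom(rates, algo, key_bits, dev_read_mibs, dev_write_mibs)
    return min(r, w) < 1.0


if __name__ == "__main__":
    # cryptsetup's LUKS2 default is aes-xts-plain64 with a 512-bit key.
    bench = parse_benchmark(SAMPLE_BENCHMARK)
    for name, rd, wr in [("HDD", 250.0, 250.0), ("NVMe", 3000.0, 1500.0)]:
        print(name, luks_headroom(bench, "aes-xts", 512, rd, wr))
```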

That’s why I wrote can and not will :wink: