From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
If the device get stolen, your drive and its files can be easily read.
Other attacks like malware or ransomware are almost the same if the drive is encrypted or not.
Disk encryption is important for laptops and phones because these devices are frequently stolen. For desktop or servers is still good idea, though.
Thanks a lot for your answer. How would you encrypt a server? Typing a password every time it boots isn't possible for me, since I would need a monitor for my headless server.
That's why it's not always an option.
Some servers have some kind remote console hardware, with their own security issues.
Your "threat model" is important too. Do you expect that server to get stolen? If it happens, is there critical data that should not leak?
Maybe you need to encrypt a directory, and not the whole drive.
My threat model isn't high. Just normal stuff everyone has, but that would be disadvantagely if someone else got them.
It's more if a precautionary measure. It doesn't have to be super safe, but better than nothing.
Is this for your home? If it is, you don't really have to worry about someone stealing your desktop. If someone breaks into your home, they're looking for quick cash and jewelry and TVs. They're not going to bother stealing your server to dig through files for something usable.
I've had quite a bad experience with police for example.
30 cops raided my home because of something trivial (I ordered a bit of non-psychoactive CBD-weed, which is, even in the most restrictive country you can imagine, ridiculous).
Of course, I got the whole experience-pack, including strip searches and confiscating all electronics.
Even though I believe them getting hold of any data wouldn't have changed much, I'm still glad I had my devices encrypted.
Just knowing they didn't see my cringy pictures of my teeny-me, where I discovered Snapchat filters, is a big relief. 😅
Yeah... that traumatized me a bit and maybe that's the reason I'm worrying.
Also, you could never know what will happen in the future. Maybe my GF will turn crazy tomorrow and use those embarrassing pictures against me. Who knows?
I believe everyone should use encryption, even if they don't have much to hide...
You can use SSH for unlocking: https://www.cyberciti.biz/security/how-to-unlock-luks-using-dropbear-ssh-keys-remotely-in-linux/
Safe in what context ?
If the drive is mounted and data accessible, in case your computer is compromised by some kind of malware, well, the data will be easy to exfiltrate. Now, if the computer is turned off or the drive unmounted, that's what encryption comes in to protect it.
So, basically, encryption will protect the data in case of physical theft of the drive or in case of remote hacking if the drive is un-mounted.
Safe in the context of someone stealing the hard drive and look through private photos and stuff by plugging the drive into another device.
In that case, without encryption, your safety is zero. That's the exact scenario that full-drive encryption was designed for.
Well... shit. Thank you for your great advice. I'm gonna look for how I can secure my data.
Out of curiosity what sort of safety did you think an unencrypted hard drive had?
I mean no offense and I think it's a perfectly fine question to ask, I just want to understand what you expected.
I had the expection that Linux is already set up as a multi-user environment and has that feature built in.
Of course that "isolation" of data, as I had it in my mind, wouldn't be really secure, but it doesn't have to be that for me. I just don't want anyone to access it easily.
Simplified, there's two layers to data protection, physical and logical. Linux or basically any correctly configured modern operating system provides logical protection, i.e. access under the running OS is only granted to authorized users. Granted you can still put holes in here, e.g. a webserver is misconfigured and allows access to any user to all files it can read. However, from the OS perspective, everything is fine, as the webserver can still only read what it's allowed to.
Data encryption protects data at rest, i.e. when no operating system enforcing the logical protection is running. The case has already been described so I'm not gonna repeat that here.
It's important to understand that in general, these two measures are completely seperate from each other. Device encryption won't help against logical attacks, and logical protection won't help against offline attacks. You need both if you can't rule out an attack vector completely (i.e. your server sits in a secure safe that can't be opened by anyone not authorized to, then encryption might not be necessary).
No poorly not. Just as Windows by default. Systemd-homed is a solution for that but afaik its questionable if its ready. Would be great if Distros like Fedora shipped it by default.
An encrypted system rather than an encrypted user partition is still necessary, because attackers could replace system files or simply add a service that uploads your stuff somewhere, or manipulate sudo, or log your password etc.
Now we all want to know if you have child porn
Wtf, no?!
If I had CP, I wouldn't ask publicly and make myself vulnerable.
I just don't wanna have anyone snooping around my stuff, just as everyone else.
"You must be a criminal if you have curtains"
Community in the text?
Crosspost. Click on it and you'll land on my original post.
I didn't want to duplicate it. You can always suggest me how to make the crosspost more visible, I just did it how my client set it up for me.