Encrypt whole hard drive?
Yes.Log in automatically?
Yes.With luks?
That would be the easiest solution, since it’s offered during install with many distros.
TPM or put a keyfile on the boot partition or into the initrd.
This is what I do. As far as I’m concerned, there’s my password and then there’s the one that’s a last “are you sure?” step before I sudo fuck shit up.
With luks?
I know this is a meme, but security is not binary. It is not you either have 100% or 0%, it is always a sliding scale, and usually on the opposite side is convenience.
Encrypting your drive protects against someone stealing your computer or breaning into youe house while the computer is off/locked.
People like to trash people that write down their passwords on a post-it note and keep next to their computer. It is not ideal, but having a somewhat complex password written down protects a lot more against attacks over the internet than having “password”. However, if others have physical access to the note then it is obviously very bad. Like for example in an office.
I don’t like how writing down passwords on notes has been heavily criminalized. Obviously it’s a security risk, but so is having a simple password that isn’t written down anywhere. In fact, the latter is often more dangerous, depending on the specific environment. Just make sure the note isn’t easily accessible and you’re good.
Yes. Writting down a complex password helps against most attacks, except one where the bad guy has physical access to your note. Based on the normal users use case that is probably a very good trade off. Most hacks are done over the internet without access to your note.
Ideally everyone should use a password manager, but that is highly unlikely any time soon.
One has to find the right balance between security and comfort, and this entirely depends on the threat model one has. Nowadays, I will always enable full-disk encryption on all of my devices, even if I then decide to store the keys in TPM and unlock the disk at boot.
I have at least 5 half-broken HDDs sitting around, completely unencrypted, I have no idea if they still work, but they are surely full of private data that I would like to have purged. I fear mechanical destruction might be the only solution for some of them, but just wiping them manually is more effort than doing nothing, so I guess they will still be around for some time. And with SSDs, there is no reliableway delete all data.
With encryption? Just delete the key and you are done.
The threat model changes in the future? Easy, the data is already encrypted.
I have been trying to understand what it is that makes it impossible to reliably wipe an SSD, compared to an HDD. Why wouldn’t filling the drive with 0s work?
@Logical @shadowtofu
The SSD controller does not overwrite the old physical location (unlike HDD).It writes the new data to a different physical block.
The old block becomes “stale” but still contains your original data until the SSD decides to erase it later.
But if I fill a drive with nonsense data, whether SSD or HDD, shouldn’t it be forced to write such data to all possible locations, thus overwriting the original data? Is am I misunderstanding something more fundamental about how this type of storage works?
@Logical Filling an SSD with zeros only affects the logical address space visible to your OS—it doesn’t force the controller to erase every physical block. The old data remains in unmapped or retired areas until (or unless) the controller decides to erase it later, potentially allowing recovery with specialized tools. Some SSDs might even optimize by not physically writing zeros if they detect a full block of them, simply marking the space as erased without touching the hardware.
See what I’m still not getting though, is how there can still be unmapped or retired areas, if the drive has been filled with (meaningless) data? Let’s say it isn’t all zeros, but random data instead. Are there more physical blocks than is represented logically by the adress space exposed to the OS?
My favorite is KDE asking for user password upon waking from sleep even if you have autologin enabled.
So, all you have to do to circumvent the login window is to reboot.
yeah I also have this enabled. With disc encryption that you have to enter on reboot, it makes sense
Well, I suppose it protects your session
Fair enough
Depends on your threat model. If you are defending against people stealing your hard drive and reading your data, then this is perfectly fine.
I wish I could set it to auto-login to a Lock Screen so all my preferred stuff starts up and is ready when I get there, but my computer is still locked against anyone trying to steal it and get easy access to it
You can probably make your DE login in automatically, load the stuff, then log out
I don’t really bother encrypting my personal PC, there’s just not much on there at all that I even store. My server is definitely LUKS encrypted, but it’s a lot of effort for a very specific attack vector that I don’t anticipate. There’s things I’d be much more concerned about a burglar stealing than a storage device.
I don’t log in automatically, but I do let my session login hold my password manager vault open.
Me logging in automatically but having my lockscreen autostart when my window manager starts (i just do it because it makes the login transition smoother compared to a display manager, and i’m the only person who uses my pc anyway).
Heh, I have done just this for a friend of the family on Linux mint Debian edition.
It works out alright but I always feel weird setting it up.I had made a little mistake after attempting to try out the experimental Cinnamon Wayland desktop on said machine & failed.
… Then boot looped … Because autologin was setup.
Tiny bit embarrassing. Oops. Better keep backup minimal CLI Linux installs to repair/restore on seperate partition but seperate drives are best.
I have auto login too, but also full disk encryption + using my user password to unlock it the once the puter is locked (after a time, on sleep, manual lock, etc).
There is an element to security that has to work with your human side too. So entering two passwords in a row is something my brainhole can do without + the scenarios where that could be exploited are slim.
