4 Reasons Why You Shouldn’t Encrypt Your Linux Partitions

Popular Linux distributions make it pretty easy to encrypt your home folder or even entire partitions if you’d like, without many issues. This is a great option to have if you’re someone whose data, whether it’s the home folder or entire partitions, needs to be encrypted. In most cases, all you need to do is tick a check box, and the installer will take care of the rest.

But some people select it just because it sounds like a good option to have (and it can be) and they don’t think about what kinds of consequences might result from such a move later on. By now you might be asking, “What? How could encryption possibly be a bad thing?” Well, here’s why.

Recovering Data Is Harder


In the event that something in your system has screwed up, whether it be the operating system or some hardware part other than the hard drive, you’ll more than likely want to get the data off your hard drive and move it to a more practical place. For data that isn’t encrypted, this can easily be done by running (at minimum) a Linux LiveCD on any other computer, connecting the hard drive to that computer, and then moving your data. With your data encrypted, it’s not as easy as 1-2-3.

You’ll first have to search for instructions on how to unlock the encryption manually before you can reach your data. I can almost guarantee you that there aren’t any graphical tools that will do this, so people who aren’t comfortable with a terminal will have a difficult time.

Did I Mention Recovery Is Harder?


Speaking of systems that suddenly screw up, if your entire partition is encrypted you’ll have a harder time running recovery techniques on your system when needed. For example, if your system loses power while it’s installing a newer kernel, and the master boot record or its configuration files become corrupted because of the sudden power loss, you’ll need to boot a recovery disc and enter commands in the hope that it’ll return to normal.

While recovery alone isn’t the easiest thing to do for Linux novices, doing a recovery on an encrypted Linux system will be even harder, again mainly because it requires extra steps that cannot be classified as “beginner-friendly”.
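The two recovery sections above describe hunting for unlock instructions once a drive is out of a dead machine. As an added example (not code from the article or from the cryptsetup project), here is a small triage script for that moment: it assumes the distribution’s encryption check box set up dm-crypt/LUKS (as a commenter below notes), reads only the public LUKS header from a partition or image file, and reports the version, cipher, key slots and whether a LUKS2 backup header survives a damaged primary. The sample headers built inside the block are constructed, not taken from a real disk.

```python
# Added example (not the article's or cryptsetup's own code): before the manual
# unlock the article describes, check what is on the partition pulled from the
# dead machine.  Only the public LUKS on-disk header is read; no key material.
import json
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"            # primary header magic (LUKS1 and LUKS2)
LUKS2_BACKUP_MAGIC = b"SKUL\xba\xbe"    # LUKS2 secondary (backup) header magic
LUKS1_ACTIVE_SLOT = 0x00AC71F3          # LUKS1 key-slot state "enabled"
# LUKS2 permits these header sizes; the backup copy sits at offset hdr_size.
LUKS2_HDR_SIZES = [16384 << i for i in range(9)]     # 16 KiB .. 4 MiB


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_luks1(hdr: bytes) -> dict:
    """LUKS1: 592-byte binary header, all integers big-endian."""
    payload_sectors, key_bytes = struct.unpack(">II", hdr[104:112])
    # Eight 48-byte key slots start at offset 208; the first u32 is the state.
    active = [i for i in range(8)
              if struct.unpack(">I", hdr[208 + i * 48:212 + i * 48])[0]
              == LUKS1_ACTIVE_SLOT]
    return {"version": 1, "hash": _cstr(hdr[72:104]),
            "cipher": f"{_cstr(hdr[8:40])}-{_cstr(hdr[40:72])}",
            "key_bits": key_bytes * 8,
            "payload_offset_bytes": payload_sectors * 512,
            "uuid": _cstr(hdr[168:208]),
            "active_keyslots": active}


def parse_luks2(hdr: bytes) -> dict:
    """LUKS2: 4096-byte binary header followed by a NUL-padded JSON area."""
    hdr_size = struct.unpack(">Q", hdr[8:16])[0]
    if len(hdr) < hdr_size:
        raise ValueError(f"short read: LUKS2 header is {hdr_size} bytes")
    meta = json.loads(hdr[4096:hdr_size].split(b"\x00", 1)[0] or b"{}")
    seg = meta.get("segments", {}).get("0", {})     # the data segment
    slots = meta.get("keyslots", {})                 # only populated slots appear
    return {"version": 2, "label": _cstr(hdr[24:72]),
            "uuid": _cstr(hdr[168:208]),
            "cipher": seg.get("encryption", "?"),
            "payload_offset_bytes": int(seg.get("offset", 0)),
            "active_keyslots": sorted(int(k) for k in slots),
            "kdfs": sorted({s.get("kdf", {}).get("type", "?")
                            for s in slots.values()})}


def triage(data: bytes) -> dict:
    """Classify a partition image: plain, LUKS1 or LUKS2.  Without a primary
    header, look for the LUKS2 backup copy, which cryptsetup's repair action can
    use when partial disk corruption (as a commenter describes) hit the primary."""
    if data[:6] != LUKS_MAGIC:
        backups = [off for off in LUKS2_HDR_SIZES
                   if data[off:off + 6] == LUKS2_BACKUP_MAGIC]
        return {"encrypted": bool(backups), "primary_ok": False,
                "backup_header_at": backups[0] if backups else None}
    version = struct.unpack(">H", data[6:8])[0]
    parser = {1: parse_luks1, 2: parse_luks2}.get(version)
    if parser is None:
        raise ValueError(f"unknown LUKS version {version}")
    info = parser(data)
    info.update(encrypted=True, primary_ok=True)
    return info


def sample_luks1_header() -> bytes:
    """Constructed LUKS1 header (sample data, not read from a real disk)."""
    hdr = bytearray(592)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:11], hdr[40:51], hdr[72:78] = b"aes", b"xts-plain64", b"sha256"
    struct.pack_into(">II", hdr, 104, 4096, 64)    # payload sector, key bytes
    hdr[168:204] = b"11111111-2222-3333-4444-555555555555"
    struct.pack_into(">I", hdr, 208, LUKS1_ACTIVE_SLOT)   # only slot 0 in use
    return bytes(hdr)


def sample_luks2_header() -> bytes:
    """Constructed 16 KiB LUKS2 header with a minimal JSON area (sample data)."""
    hdr_size = LUKS2_HDR_SIZES[0]
    hdr = bytearray(hdr_size)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">HQ", hdr, 6, 2, hdr_size)     # version 2, hdr_size
    hdr[24:28] = b"root"
    hdr[168:204] = b"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    meta = {"keyslots": {"0": {"kdf": {"type": "argon2id"}},
                         "1": {"kdf": {"type": "pbkdf2"}}},
            "segments": {"0": {"offset": "16777216",
                               "encryption": "aes-xts-plain64"}}}
    body = json.dumps(meta).encode()
    hdr[4096:4096 + len(body)] = body
    return bytes(hdr)


if __name__ == "__main__":
    # Usage: python luks_triage.py /dev/sdb2   (or a partition image file)
    with open(sys.argv[1], "rb") as f:
        print(json.dumps(triage(f.read(LUKS2_HDR_SIZES[-1] + 4096)), indent=2))
```

Once the script confirms a LUKS header and an active key slot, the manual step the article refers to is `cryptsetup open` on that partition from the live system, followed by a normal mount.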

Possible Performance Impact


Another item to note is that encryption may not be the best option for very low-powered devices. I know, plenty of devices today are definitely powerful enough to deal with encryption with negligible performance impact, but once you start looking at netbooks and older low-power devices, the performance headroom shrinks quickly.

As netbooks are already slow enough (generally speaking) while running almost any operating system, you’ll want to try to get more performance out of devices like those rather than bog them down with encryption.

Use Something Better


Last but not least, do you really need to encrypt vital system folders or partitions to protect your data? I’m pretty sure that most common users don’t have an entire hard drive full of data they want to encrypt. Instead of using such a large encryption scope, you can much more easily create TrueCrypt containers and place all of your data in there.

This is beneficial in that it only encrypts what you need to encrypt, it doesn’t make recovery-type actions any harder than they already are, and it doesn’t impact your computer’s performance whenever you don’t have the encrypted container mounted. Simply put, encryption is good, and this is the best way to do it.

Conclusion

As always, what you end up doing is completely up to you. If you feel that you need to encrypt your entire home folder or even your whole partition, go ahead as long as you’re aware of what might be facing you on the other side. However, I still recommend that people who are unsure or are new to Linux should keep their stuff unencrypted and only use a TrueCrypt container if they feel encryption would be helpful.

Did you enable encryption on your Linux partitions? If so, is there anything you’d like to add to this article or dispute? Let us know in the comments!

Image Credits: Hard Disk Repair via Shutterstock, mpolla, Waiting To Connect via Shutterstock, Gustavo Gerent


63 Comments -

0 votes

Truefire_

I got a laugh out of ‘use something better’ with a screenshot from Vista :)

0 votes

ypslinux

Danny, please never discourage people from securing the computing environment. I would suggest that you research and advise people on how to recover encrypted filesystems and folders if the primary OS of the computer malfunctioned with encrypted files.

Privacy is a very serious matter, and at the Enterprise level it is even more serious because there are regulations which require systems to encrypt data at rest and while in motion. Read about PCI/DSS 2.0, which controls credit card processing… ypslinux

0 votes

Danny Stieben

ypslinux,

Thanks for your concern, but I didn’t say that they should forget about encryption altogether. I did mention that if they need encryption they should use something else, didn’t I?

Yes, on the Enterprise level things are different, but MUO doesn’t cater very much to the Enterprise crowd, especially in this article. This is aimed at regular users who are trying Linux and aren’t sure what to do as far as encryption goes.

0 votes

Danny Stieben

Haha the focus was meant to be on TrueCrypt, but I do see your point. :P

0 votes

Free as in Freedom

If you follow best practices and do regular backups, which can be encrypted themselves, you do not have to worry about these reasons not to encrypt your partitions.

Also, I’d just like to interject for a moment.
What you’re referring to as Linux, is in fact, GNU/Linux, or as I’ve recently taken to calling it, GNU plus Linux. Linux is not an operating system unto itself, but rather another free component of a fully functioning GNU system made useful by the GNU corelibs, shell utilities and vital system components comprising a full OS as defined by POSIX.

Many computer users run a modified version of the GNU system every day, without realizing it. Through a peculiar turn of events, the version of GNU which is widely used today is often called “Linux”, and many of its users are not aware that it is basically the GNU system, developed by the GNU Project. There really is a Linux, and these people are using it, but it is just a part of the system they use.

Linux is the kernel: the program in the system that allocates the machine’s resources to the other programs that you run. The kernel is an essential part of an operating system, but useless by itself; it can only function in the context of a complete operating system. Linux is normally used in combination with the GNU operating system: the whole system is basically GNU with Linux added, or GNU/Linux. All the so-called “Linux” distributions are really distributions of GNU/Linux.

0 votes

Dan

Looks like someone drank Stallman’s kool-aid. Unlike you and the FSF, most of us aren’t pedantic about it and we prefer to call it Linux for convenience.

0 votes

gamaral

Sorry Dan, you are not FREE to just call it Linux, you should call it Chrome/DWM/X11/GNU/Linux on Gentoo.

0 votes

Danny Stieben

I agree. I actually haven’t seen anyone calling it GNU/Linux in a while lately.

0 votes

uniwarp

That’s the most irrational chain of thought I have seen in a long time… This goes for both you and all the other people who are posting nonsense replies.

The fact is that Linux was built on GNU’s tools; that’s how it got started and that’s how it became popular. Now, it’s obvious that you haven’t looked at a snippet of code throughout your life. If it was any other way, you would have realized that without a stable development platform, it will not be easy for any operating system to attract developers, hence users. Which is exactly why calling it GNU+Linux is absolutely necessary, to give credit where credit is due.

You people are best off reading a book or two on software engineering and operating system architecture. Perhaps it will help you appreciate the work which was done by the FSF. Now, go cry in some other remote part of the internet.

0 votes

Moneybags

What is this? The next generation of Linux snobbery? This kind of nonsense is over 10 years old already–I thought the community had finally grown out of these silly debates. You have absolutely zero knowledge about whether or not a person who posts on this site contributes to projects, understands operating system architecture, etc. Aside from debheads, who else insists on calling the OS GNU/Linux these days? No one. You should be just as ashamed of yourself as the first person scolding people on not using your preferred label.

0 votes

Danny Stieben

I actually like door number three, where we just call it by the distribution’s name. It’s not Ubuntu Linux, it’s not Ubuntu GNU/Linux, it’s just Ubuntu. :)

0 votes

epiquestions

really? did it make you feel better that you got that off your chest?

0 votes

Danny Stieben

Through backups, recovery can be easier if you simply restore from the backups in whatever way you wish, but the last two points still apply just as much.

Thanks for lecturing me about Linux and GNU/Linux; I am well aware of that. While your comment may be an interesting read to those who don’t know about it, the majority of users still call it Linux and not GNU/Linux, and we as a site need to use terms that people identify more easily. Linux is, in that case, a better choice for us to use than GNU/Linux.

0 votes

Dan

If you’re installing Linux on a laptop, then I would strongly suggest encrypting the /home folder (and maybe even /swap if you’re paranoid). Data loss is much worse than just losing a physical computer. The thief could gain access to confidential personal data, banking data, passwords, personal medical info, sensitive business and corporate data, “intimate home videos”, etc. On a desktop which can be secured in a home or office, encrypting the entire partition may not be as critical; but on a portable device like a laptop it is a must because it is easier to lose, misplace, or have stolen.

My laptop is Win7 but I encrypted the whole drive using Truecrypt. I also have Linux installed on my USB drive if I need it, and yes, the /home folder is encrypted.

0 votes

Paul

All this is irrelevant if the person doesn’t follow some simple security practices or if the distribution doesn’t secure their system. On Ubuntu-based systems, even if you’ve encrypted the home partition, when booting select Linux in recovery mode, then choose the command line in superuser option, and one command will change the user password; this is the unfortunate side effect of Ubuntu trying to make the system more convenient for users by reducing security. The way around it is to encrypt the whole disk or enable the root account with a root password. As for the boot partition becoming corrupted, which is always a risk, make a backup copy of the boot files; this is the easiest solution to deal with this.

0 votes

Danny Stieben

Since passwords can be changed as you stated, that’s why I still believe that using TrueCrypt is better, because if someone does get into your user account by changing the password, they still cannot access the TrueCrypt container.

0 votes

csr

Wrong. Changing the user password from an admin account will not allow access to an encrypted home directory. You cannot change an encryption key without knowing the previous key. If the admin changes the user password, then the encrypted user home will not be mounted when the user logs in with the new password.

0 votes

Danny Stieben

You have a good point. While I still recommend using something else like TrueCrypt for encrypting “regular” data, I understand what you’re saying when it comes to data that is usually stored in hidden folders such as browsing info. However, I see that as the only possible reason to encrypt the home folder as regular data can be encrypted with TrueCrypt and system files shouldn’t have a need to be encrypted.

0 votes

Paul

It depends on how paranoid you are, there is a good reason to encrypt system files to protect against off-line tampering such as the installation of keyloggers or malware. It is definitely something the user has to think about and weigh up all the options. In Linux you also have an option, in most distributions, to create a separate home partition, in which, in theory, all the user settings and options as well as program data “should” be saved, if the software developers write their software as they should. I do agree that even if you don’t choose this option, as in Ubuntu, creating an encrypted home folder will also deal with that issue. @CSR, thank you for correcting my mistake with regards to the password change as I was unable to find any definite information about it. If anybody is interested and using Linux they should check out “CryptKeeper”, which is not cross-platform unfortunately, but it does work very well with cloud storage such as Dropbox.

0 votes

Rob

I’m not completely convinced about the ‘recovery is harder’ argument. The simplest solution is to have a good back up system in place. Period. Whether your system is encrypted or not, you can have data loss with partial or complete drive failure anyway. Yes, you can obviously recover more of your files if the system is not encrypted, but you’ve already lost if you’re trying to recover images and documents off of a corrupted drive anyway. Back it up, simple solution.

The performance point is okay, but still not really good. Phoronix did calculate performance metrics with and without encryption here: http://www.phoronix.com/scan.php?page=article&item=ubuntu_hdd_encrypt&num=1 Generally if you’re hard core about performance, it’s not the hard drive encryption that is going to make or break something, look elsewhere (tmpfs for /tmp or web browser cache, for example). My netbook is over three years old, and runs both XP and Linux just fine with encryption (Truecrypt for XP, dm-crypt for the Linux).

And using a volume specifically for encrypted files works, and I do encourage that. Really the only flaw is people need to readily think about what they do and don’t want in the encrypted volume. Or consider applications that may write things in odd places that should be encrypted. You don’t need to worry about that for full disk encryption.

All in all, props on the article. Though I don’t agree with everything, we all do need to encourage people to think about encryption more.

0 votes

Danny Stieben

Yes, I agree that backup is important. If you simply reinstall the OS and restore from those files, then it should be just fine, I agree. In the article my main focus as far as restoring goes was if some system component started acting funky and causing the system to not boot properly, but I suppose I didn’t put enough emphasis on that.

As for your other two points, you have a good support for what you say. I guess we can conclude that there are always pros and cons for encryption.

Thank you! And yes, I think so too. I didn’t write this in an “I’m an expert, so do what I recommend” manner because A) I’m an enthusiast, not a complete expert, and B) the main reason why I wrote this article was to challenge people and make them think about encryption so that they are more conscious of what they’re doing. And I think that I’m achieving that.

0 votes

Rudi Pittman

You forgot to mention the necessity of running encryption of your home partition on linux laptops to protect your data in the event of theft.

0 votes

Robert Ruedisueli

Anyone who carries around a laptop with unnecessary data on it is crazy IMHO.

0 votes

Rudi Pittman

Some of us actually use our laptops for something besides gaming, web surfing and porn. What’s your definition of unnecessary data? If I keep digital copies of documents I might need while travelling such as medical records, passport info etc it’s hardly unnecessary but I certainly don’t want just anyone having access to the information.

0 votes

Danny Stieben

Thanks Rudi, but that wasn’t the point of the article. Listing reasons why people should use encryption is a whole other topic that requires a separate article or two. Yes, laptops should be more common to have encryption, but my article still applies to make people think about the decision.

0 votes

jackd

“, and the master boot record or its configuration files become corrupted because of the sudden loss of power, you’ll need to run a recovery disc and enter in commands in the hope that it’ll return to normal”

I may be missing something, but MBR and “boot” partition would never be encrypted, so I don’t understand how having some (other) partition(s) or directories encrypted makes this worse.

For what it’s worth, I say anyone who carries around a laptop and does not encrypt their partitions is crazy.

0 votes

Danny Stieben

That specific example applies to those who use entire disk encryption. It’s a lot harder for GRUB to find the Linux kernel (and all other files) that it needs to boot off of if the partition it’s located in is encrypted.

0 votes

Joseph

GRUB can’t boot from an encrypted partition so full-disk encryption with GRUB requires an unencrypted boot partition. I believe GRUB2 can though.

0 votes

Robert Ruedisueli

I really wish they would create a subdirectory in your home directory called /home/{username}/secure/

This would make it nice and easy to stick all your encrypted things in one place.

Additionally, on any program that you want to have its config files encrypted, you can set it to use that as the config directory instead. (Hopefully they can set this up as an easy-to-set-up option as well, on programs for which it would be popular to do this.)

0 votes

Rudi Pittman

What prevents you from creating a secure partition and then symbolically linking to it from your home dir to create the secure dir you say you want? Same with config files etc. Just repoint them.

0 votes

Danny Stieben

The only thing that would prevent anyone from doing that is the amount of Linux knowledge they have. While you, Robert, and I would be able to do something like that, other people would refuse to try or some would require a tutorial.

0 votes

Danny Stieben

That certainly would be a great idea to make encryption of important files easier.

0 votes

Joseph

Nothing is preventing you – check out encFS.

0 votes

Matt

In the age of virtually everything being on computer, medical and financial records and the like, encryption is a must. If not the whole disk, then at least /home.

0 votes

Don

I encrypt the entire home directory and “data” directories, especially on laptops and netbooks. I have not noticed a performance penalty. The only penalty per se is during the initial encryption set-up in which I opt to write random data to the encrypted partition.

I use external USB hard drives for backup and I encrypt the entire backup drive as well. Every pendrive I have is encrypted… Before getting on the encryption “bandwagon”, I had misplaced a pendrive that I keep design work on. I spent the better part of a week worrying about someone accessing my intellectual property. I was relieved to have found the pendrive in the clothes dryer lint trap!

Since then, anything (computer, pendrive, hard drives) that can be stolen, lost, or misplaced is encrypted. Period.

0 votes

K. Darien Freeheart

Encryption is not a “beginner” tool set. If you’re working with data that is so sensitive it requires encryption, you should not be at the “beginner” level.

Users are, by far, the weakest part of any security scheme. Until you realize that, your data is horribly insecure. Any person or company who trusts someone with vital data should do as much to educate the user about best practices because it’s far more valuable than a complicated and complex encryption system.

0 votes

Dave R

True enough that encryption is not for “beginners”, but there are a lot of people who are not computing professionals but nonetheless need encryption. Healthcare providers, attorneys, law enforcement officers – all deal with very sensitive data, and while they are not “beginners” in their chosen fields, they often use computers at the beginner level. Administering encryption systems is simply not what they’re good at.

For these, home dir encryption strikes a balance, to your second point – it transparently forces the user to make use of the encryption (they would be more likely to ignore or bypass a selective system like Truecrypt) while not requiring too much administrative knowledge.

Fortunately, when it comes to backup and recovery (probably the only valid concern of the OP), users in these contexts typically have IT departments supporting them who can provide recovery assistance.

0 votes

Danny Stieben

I have to agree with both you and Dave. Both points are valid, so I suppose it’s up to the user (or admin) to make the decision of what would be riskier.

0 votes

Sum Yung Gai

Danny, thank you for your article, even though I disagree with the premise in it. I’d like to provide another view.

The concerns you raise about recovery are valid. The solution to that is to have something like an encrypted storage volume (e.g. a USB hard disk) that has a backup copy of everything. Given the low cost of high-capacity USB hard disk drives nowadays, there really isn’t an excuse anymore like there might’ve been years ago.

Now, why should the data be encrypted? Simple: privacy. We as people have a natural right to privacy, be it from thieves, governments, or other prying eyes. You might have something on your computer that might embarrass you later on. You might not. Either way, as long as you’re not hurting someone else, it’s none of my or anyone else’s business–only yours. Today, strong encryption is the best tool to ensure that privacy.

Furthermore, enterprises have a real need to ensure that data are protected. If a laptop gets stolen or lost, you don’t want *anything* to be able to be read and interpreted off of the thing. Typically, enterprises have backups of data stored in locked vaults full of tapes or other backup storage media. Therefore, should a disk drive actually go bad, you don’t need to try to read from that hard disk. You just put a new hard disk into the computer, re-image it, and restore the data from the backups.

–SYG

0 votes

Danny Stieben

As I acknowledged in earlier comments, I see that backups could be helpful in a full reinstallation scenario. I also don’t recommend people to not exercise their right for privacy, but I am just trying to make people aware of how they achieve that and what techniques could lead to which consequences. I suppose the title of this article is a little misleading because it is too general. Finally, yes, enterprises have their own needs, but they aren’t the target of this article.

I appreciate your other view, however, as you and others bring up good points. :)

0 votes

Ed

This sound like a whole load of nonsense to me. Simply do regular backups of your system and keep the encryption of your file systems for safety.

0 votes

old486whizz

No GUI for getting data off? I plug in an encrypted drive into my PC and KDE comes up prompting me to enter a password…
After entering the password, KDE presents me with a mount option and opens it in my file browser.

Ubuttnu gives me the giggles. People use it and don’t actually know what it means when they do these things.
In other Linux distros, /home is set up as a separate partition by default, and encryption is done under the filesystem level (ie, only using some CPU to encrypt/decrypt – almost no IO overhead).

Also, your “recovery is harder” is invalid. Encryption is separate to the filesystem layer (or at least it should be), meaning the only problems you have are problems you would have in all other situations. Recovery is the same.

Look up LUKS and cryptsetup. Yes, these are the command-line level I use, but they have GUI tools too.

0 votes

Danny Stieben

If you’re in a recovery situation and have no other computers you could use to plug in your hard drive, then there’s no GUI. KDE can’t help if you can’t reach it.

Additionally, people who blindly check the encryption box and forget about it will be pleasantly surprised when the regular recovery instructions they find happen to fail. While it doesn’t make recovery hard for those who know a thing or two about Linux, others won’t like the extra steps it will take.

0 votes

old486whizz

All liveCD/USB solutions use a GUI nowadays (gnome usually).
Ever since Knoppix we’ve been able to boot into a GUI to rescue our machines – your argument is moot.

Along the lines of their instructions, sure. Although with ubuttnu I would assume that someone has written an encryption recovery guide out there for various setups.. But then again, when you have to run a “grubby-install” or “fsck”, most people would feel way out of their depth.

0 votes

Mark

Dan -
I had the nightmare scenario happen to me – installed Linux on an older Gateway and checked the encrypt box because I was a noob to Linux. Then, after 3 months, the power supply checked out. I salvaged the hard drive, but couldn’t get to anything I needed. Is there a way to get my stuff back easily that you can point me to? There’s nothing super critical on there that I need ASAP, but I would like to get back some stuff that I invested time in… Thanks!
Mark

0 votes

Danny Stieben

It depends on what you used to encrypt the hard drive. From what you’ve told me, the only thing I can recommend is plugging the hard drive into another computer and running a LiveCD on that system to see if you can enter in a password. I’m not quite sure if anyone else would have something to add…

0 votes

Quintes

Oh my goodness… my home is encrypted and I have some TrueCrypt containers on it.

0 votes

John

A more elegant way to access your files is to boot a Fedora live CD. If the disk is available you will be asked for your password. Also, if you don’t want to partition a whole partition you can use Encrypted Virtual File System (EVFS).

TBH I’ve never seen so much bad advice in one post as I have seen here. I thought the masters of FUD were m$.

0 votes

Danny Stieben

EVFS? Another Fedora easter egg I never knew about?

0 votes

Glyn

I agree. Even the most sensitive data can be stored in a container. The advantage here is that it is portable and recoverable like any other file. It’s what I use at home for work.

0 votes

Danny Stieben

Exactly! It’s just easier to manage the encryption and the files within that way, IMO.

0 votes

Albin

I like to use Dropbox to keep my netbook in sync with the desktop (and use a different service for file backup/storage as distinct from sync), but had nothing but trouble with synchronizing TrueCrypt containers for confidential data, and gave it up. Instead of synching a changed and closed encrypted container, DB creates “conflicted copies” of it. I’m able to use SyncBack over wi-fi to manage the problem, but don’t know of any (free) online sync that handles encryption.

0 votes

Jon O

While this doesn’t directly relate to Linux, I thought this story might be of use to some. My mother runs a tax business where the main PC is a laptop. Obviously this has lots of personal data for many people and it would be bad for someone to get ahold of it. Now she tries to do the right thing: backups, encrypt data in case of theft/loss. I, being the “IT” dept, did just that. The machine is a Windows box with Truecrypt running for whole-drive encryption.

One day she goes to turn the computer on and it just sits there and does nothing. I look at it and find that the MBR and partition table had been corrupted. So pulling the drive and plugging it into another system didn’t directly do anything. She does her own backups periodically (Mon/Wed/Fri end of day), but since this happened on an off day (Wed), all stuff done the previous day would have been lost. She was out and I was not available immediately for consult, so she went to a local place I told her to consult should I be unavailable for any reason (they have people smarter than me, just in case). After some work they determined a worst-case scenario had occurred. Something caused corruption to many areas of the disk. The MBR/partition table and the Truecrypt headers, both primary and backup, were destroyed.

Since then a new solution has been installed whereby the computer does secured-tunnel backups to my personal server, which does triplicate mirrors to supplement her own local backups. My main reason for posting this is that, as I’m sure many of you can see, this scenario could easily happen to a user, beginner, advanced, or even some administrators. I hope this helps others in protecting against a disaster scenario. I do realize this is not a typical issue one would run into, but alas it is a scenario that does and can happen.

I highly recommend encryption where it is feasible. I personally run Ubuntu on 2 machines using whole-drive encryption with MBR/partition table backups, key header backups, and then in-OS backup software doing online backups. “Solutions for the paranoid” is my motto these days. Anyway, sorry for the long post; everyone enjoy their day.

0 votes

Chris Hoffman

Encrypted partitions may not be necessary for everyone, but certainly they’re important for people that need better data security.

An encrypted TrueCrypt container doesn’t prevent people from reading data out of your swap partition, while an encrypted swap partition will.

I’ve heard enough stories about employees losing unencrypted laptops containing important data to not want to discourage everyone from using encryption.

0 votes

Ehrich

I get that you’re a senior in high school and that you’re a bit inexperienced but let me give you some advice:

If two of your four points are the same point, you don’t have four points, you have three. It sounds cute in theory, but in reality it makes you look like you really don’t have much to say on the subject and are just bolstering your numbers.

If one of your three points isn’t a reason NOT to use said product but rather your reasoning to use what you think is a solution, then you have two points, not three. (You would address TrueCrypt in the conclusion, FYI.)

Now, let’s address why some of us encrypt our entire partitions. If you only encrypt your important stuff, only your important stuff will be encrypted, so there is no question what to attack. That’s why we encourage using encryption on ALL of your email. Doing so prevents anyone curious from knowing if you’re sending pics of your Aunt Edna to your mother or if you’re discussing your important business with your mother. By the same token, someone can’t tell the difference between newly written sectors due to you updating your system (or browsing cache or a million other mundane things) and newly written sectors due to you writing your secret plans to disk.

0 votes

Matthew Bradley

I use Crunchbang with full disk encryption. It makes everything simpler since the whole disk is done and, as such, unlocked with the single entry of a passphrase at boot time. I also allow automatic logon of my user account subsequently, so once the encryption passphrase has been entered at power on, the next thing you know your desktop is ready. Nice. Crunchbang is lightweight too, so I’ve not noticed any kind of performance degradation, unlike my work Windows laptop, which has been practically unusable since the day it got full disk enc.

Detailed review by me, here
http://www.cyberfella.co.uk/2012/05/09/xubuntu-vs-crunchbang/

0 votes

Danny Stieben

Thanks for the link, Matthew!

0 votes

John

So your four reasons are: recovery is hard, recovery is hard, it may be slow, and containers are better.
Recovery is hard – yes, but this is assuming you do not have a secure backup. You then say you might not have another computer to put the disk in. At this point, if you are not using a LiveCD, you have issues anyway. The whole point of encryption is that it is hard to get into.
Slower – yes. But only fractionally. Not that much depends on disk access unless you are thrashing the disk with a database. Other bottlenecks will exist, such as bandwidth.
Containers are an odd choice for a better alternative. It is easier for me to run truecrack against a container than to try to crack a disk encryption. But that is back to recovery is hard.

0 votes

Aaron Wright

The data recovery issue is no joke. The reason I am here in the first place is because I am reinstalling Linux. After a botched SolusOS install on my netbook, I ended up stuck in the grub rescue prompt. Having no CD drive and no way to boot, it took me 3 days to figure out anyway. Having it encrypted would have been the last thing I needed.

I finally got it working though, and have a fresh (unencrypted) install of Mint.

0 votes

Phil

I think the title of your article is misleading. ‘4 Reasons Why You Shouldn’t’ should be ‘4 Things To Be Mindful Of’; this just sounds like you are bashing disk encryption. Data recovery is not difficult on any platform at all. I taught my sixty-five-year-old mother how to do it in one text from the other side of the planet. I also think that FULL disk encryption should be encouraged with modern-day journalling file systems and SSDs. I don’t dislike your writing, please just be a bit more thorough.

0 votes

Jus0c

Very good article, but I would disagree on the potential for system impact. I’ve used LVM2 with AES-256 and the performance impact was not noticeable or was negligible on a machine with 2GB of RAM and an old AMD Athlon XP.

It makes recovery harder, you say; isn’t that the whole onus of the idea of using it in the first place?

However, I must rate you on your choice of encryption software being TrueCrypt instead of BitLocker.

BitLocker might seem really cool, but here’s the lowdown for people not in the know: BitLocker encryption is pointless because with one or two simple commands anyone can defeat it and retain anything you naively believed it had secured. To obtain the recovery password for volume C:, simply issue the following command on any BitLocker-secured system at the command prompt:

manage-bde.exe -protectors -get C: -Type recoverypassword

However, I should point out TrueCrypt containers can also be broken with a brute-force tool called Truecrack, but they would have to be able to load a list of passwords on the off chance yours is amongst those in a brute-force dictionary file, or try to recover the password from a LIVE system using a tool called Memory Dump.

A choice of encryption with Serpent-AES-Twofish along with SHA-512 is ample protection from everybody.

Although some anti-forensic tools have legitimate purposes, such as overwriting sensitive data that shouldn’t fall into the wrong hands, like any tool they can be abused and used as a weapon to invade the end user’s privacy. So for the truly paranoid, you would also use a whole host of other features like security certificates with RSA at around 2048 bits with SHA-512 to secure things like correspondence and email in transit, but in truth how many people actually take the time to do such a thing? Instead, nearly the majority of the planet sends all their e-mail and correspondence in the clear, which is almost akin to writing a personal message on a piece of paper, folding it in half, writing the recipient’s name on the back and posting it in a post box without an envelope. No one would read it, would they?

0 votes
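The dictionary attack Jus0c describes (Truecrack loading a word list and trying each entry against a container) is easy to model. The block below is an added example written for this page; it is not Truecrack and not TrueCrypt’s real on-disk format. It keeps the one property a header cracker relies on: the header decrypts to a recognisable magic only under the right passphrase, so every word in the dictionary costs one PBKDF2 derivation plus one decryption. The iteration count, the SHA-512 counter-mode keystream standing in for the real XTS cipher, and the short word list are assumptions made here.

```python
"""Dictionary attack against a simplified TrueCrypt-style volume header.

Added example (not Truecrack, not the real TrueCrypt on-disk format).
The header is salt || Enc(key, MAGIC || padding); a guess is correct
when decryption under PBKDF2(guess, salt) yields the magic.
"""
import hashlib
import os
from typing import Optional

MAGIC = b"TRUE"      # decrypted TrueCrypt headers begin with this ASCII magic
SALT_LEN = 64        # 64-byte salt, as TrueCrypt uses
ITERATIONS = 1000    # assumption: a deliberately low, TrueCrypt-era count
KEY_LEN = 32
BODY_LEN = 64        # magic plus padding; a real header carries master keys here

# Constructed sample word list standing in for a brute-force dictionary file.
WORDLIST = ["password", "123456", "qwerty", "letmein", "dragon", "trustno1"]


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA512 header key; this step dominates the cracking cost."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, ITERATIONS, KEY_LEN)


def keystream(key: bytes, length: int) -> bytes:
    """Toy stand-in for the volume cipher: SHA-512 in counter mode.
    Real volumes use XTS-mode AES/Serpent/Twofish; this keeps the example
    dependency-free while preserving 'wrong key -> garbage' behaviour."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha512(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_header(passphrase: str, salt: Optional[bytes] = None) -> bytes:
    """Build the encrypted header as a volume creator would."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    body = MAGIC + b"\x00" * (BODY_LEN - len(MAGIC))
    return salt + xor_bytes(body, keystream(derive_key(passphrase, salt), BODY_LEN))


def try_passphrase(header: bytes, candidate: str) -> bool:
    """One cracking attempt: derive the key, decrypt, look for the magic."""
    salt, body = header[:SALT_LEN], header[SALT_LEN:]
    plain = xor_bytes(body, keystream(derive_key(candidate, salt), len(body)))
    return plain.startswith(MAGIC)


def dictionary_attack(header: bytes, wordlist) -> tuple:
    """Return (passphrase, attempts), or (None, attempts) when the list is exhausted."""
    for attempts, candidate in enumerate(wordlist, 1):
        if try_passphrase(header, candidate):
            return candidate, attempts
    return None, len(wordlist)


if __name__ == "__main__":
    weak = make_header("letmein")
    strong = make_header("correct horse battery staple")  # not in the short list
    print("weak  :", dictionary_attack(weak, WORDLIST))    # ('letmein', 4)
    print("strong:", dictionary_attack(strong, WORDLIST))  # (None, 6)
```

The lesson is the one the comment hints at: the cracker never touches the cipher, it only pays the key-derivation cost per guess, so what protects a container is a passphrase outside any dictionary and an iteration count high enough to make each guess expensive. The cipher cascade chosen (Serpent-AES-Twofish) does nothing against this attack.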

Michael

You do need to encrypt the entire hard drive, or at least the entire partition, and the reason behind that is the complex amount of logs a computer holds, from /var/log and /home/user folders to many other places, including time stamps of when every file was accessed and modified on the computer.

0 votes

Ivan

Scenario: Buy new hard drives, say six. Even though the reviews for HDDs nowadays are terrible, seeing as the companies don’t seem to care for them anymore. Stick on them all the stuff that people wouldn’t want others to have access to.
Encryption keys?, money-related documentation, porn, private family/friends pictures/videos/chat logs/etc., other personal information, work documents, etc.
Don’t bother encrypting it; after a week, click click click. Return the drive. Oh hey, you’ve just sent someone a hard drive full of everything you didn’t want anyone to see. Success!