
4 Reasons to Encrypt Your Linux Partitions

Christian Cawley Updated 11-11-2019

It’s simple to encrypt your home folder and other data on Linux. You can do it during installation, or at any time afterwards with your distro’s own tools.


But useful as it is, encrypting your Linux data isn’t always the right call. Sure, it sounds safe, so how could Linux disk encryption be a bad idea? Let’s look at why you should encrypt your Linux HDD and why you might seek out an alternative.

Should You Encrypt Your Linux Partition?

Most Linux distributions make it easy to encrypt your home folder or even entire partitions, without many issues. This is a great option to have if you need your data to be encrypted. In most cases, all you need to do is check a box, and Linux will take care of the rest.

Is Linux disk encryption wise?

Unfortunately, some people select it simply because it sounds like a good option to have. While this is clearly true, they don’t think about (or may be unaware of) the consequences. Indeed, some people don’t even know what encryption really is; they just know it’s a security option. This gap in understanding can lead to the benefits of disk encryption being overstated and its shortcomings ignored.

It’s smarter to be aware of all the facts before making a decision that irreversibly changes the contents of your hard disk drive.


Reasons to encrypt your Linux disk include:

  • Protect personal data from loss or theft
  • Prevent the theft of sensitive corporate data
  • Block remote surveillance
  • Protect sensitive data from third parties

Meanwhile, some negative consequences of disk encryption are:

  • Making data recovery more difficult
  • Making full system recovery almost impossible
  • Hitting system performance

Want to know more? Let’s check all of these in more detail.

4 Reasons to Encrypt Your Linux Drive

We’ll start off with the immediate reasons to encrypt your Linux data. This might be specific files, one or more partitions, or even the entire drive.


1. Protect Personal Data From Loss or Theft

For standard users, especially laptop owners, this is the key point. You don’t want to risk personal data and potentially access to emails and cloud accounts, if your device is stolen.

Encrypting your hard disk will block access to these items. Whether files, partitions, or the full disk is encrypted, the contents will be meaningless to anyone without the encryption key.

2. Prevent Theft of Sensitive Corporate Data

Similarly, if you use your computer for work, encryption is a smart option. Whether a laptop computer or a desktop, the device should have encryption enabled. The industry you work in can influence how important this is (e.g. protecting patient data in healthcare).

However, it is smart to use encryption across the board in the workplace: it protects data from corporate espionage and from whaling expeditions, the phishing attacks aimed at businesses and organizations rather than at individuals.


3. Block Remote Surveillance

Full disk encryption of your Linux system can also frustrate remote surveillance. A hacker with access to your computer will not be able to read encrypted data. A government agency charged with monitoring your data will be unable to open your files. Note that this protection covers data at rest: once the disk has been unlocked and the system is running, software on that system reads the files in the clear.

4. Protect Sensitive Data From Third Parties

If you manage data for someone else (whether a client, or someone in danger), disk encryption is wise. It protects them from risk, while getting you off the hook if the data is lost or stolen.

Remember: if the data remains encrypted, it cannot be read. Short of the encryption itself being broken, which is astronomically unlikely, or the passphrase being guessed or leaked, the data should be secure.

3 Arguments Against Linux Disk Encryption

Encrypting a Linux disk can lead to trouble


Disk encryption is a great idea, but be sure you know and understand the implications.

1. Disk Encryption Makes Recovering Data Harder

Encrypting your data seems like a smart option. Without decryption (linked to your account password), no one can access your data. Even if the device is stolen, your hard drive cannot be read without the decryption key.

But what if something in your system has screwed up? Whether the operating system or a hardware component has failed, you’ll probably want to move the data somewhere safe.

For unencrypted data this can be done easily by running (at the minimum) a Linux LiveCD on any other computer. Simply connect the hard drive to that computer and start moving your data.

But with encrypted data, it’s not as easy as that.

2. System Recovery Is Impossible With Disk Encryption

Meanwhile, if your entire Linux partition is encrypted, recovering your system when needed will be tougher. For example, if your system loses power at a critical point, you’ll need to run a recovery disc. It’s the only way to get things back to normal.

Performing recovery on an encrypted Linux system will be even harder. Without the decryption key, and unless you have an unencrypted disk image, you’re on a hiding to nothing.
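As an added example (not from the article), here is what the LiveCD recovery described in the two sections above looks like when the disk is encrypted, together with the one step that turns "almost impossible" into routine: saving a copy of the LUKS header before anything else. LUKS (dm-crypt) is assumed because it is what distribution installers use for the "encrypt" checkbox; the device names, mount points and the blkid output are constructed for illustration. With DRY_RUN=1 (the default) the script only prints the commands it would run, so it can be read through safely on any machine.

```shell
#!/bin/sh
# Added example, not from the article: recover files from a LUKS-encrypted disk
# that has been attached to a machine booted from live media, after first saving
# a copy of the LUKS header. LUKS (dm-crypt) is assumed; device paths and the
# sample blkid output below are constructed for illustration.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; 0 = run them (needs root)

# Execute a command, or print it when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Read blkid(8) output on stdin and print the devices whose TYPE is crypto_LUKS:
# these are the partitions that must be unlocked before they can be mounted.
luks_devices() {
    while IFS= read -r line; do
        case "$line" in
            *'TYPE="crypto_LUKS"'*) printf '%s\n' "${line%%:*}" ;;
        esac
    done
}

# Step 1: back up the LUKS header to separate media before doing anything else.
# The header holds the key slots; if it is damaged, the correct passphrase no
# longer helps, so a saved copy is what makes later recovery possible at all.
backup_header() {
    dev="$1"; out="$2"
    run cryptsetup luksHeaderBackup "$dev" --header-backup-file "$out"
}

# Step 2: unlock the container (cryptsetup prompts for the passphrase) and mount
# it read-only so the recovery itself cannot alter the volume.
unlock_and_mount_ro() {
    dev="$1"; name="$2"; mnt="$3"
    run cryptsetup open "$dev" "$name"
    run mkdir -p "$mnt"
    run mount -o ro "/dev/mapper/$name" "$mnt"
}

# Run both steps for every LUKS container in a blkid report and report how many
# containers were handled, so the caller can tell whether anything was found.
recover_all() {
    blkid_output="$1"; backup_dir="$2"; mnt_base="$3"
    count=0
    for dev in $(printf '%s\n' "$blkid_output" | luks_devices); do
        name="rescue$count"
        backup_header "$dev" "$backup_dir/$(basename "$dev").luks-header.img"
        unlock_and_mount_ro "$dev" "$name" "$mnt_base/$name"
        count=$((count + 1))
    done
    echo "containers handled: $count"
}

# Constructed blkid output for a rescued disk: an EFI partition, an unencrypted
# /boot, and one LUKS container holding the rest of the system.
SAMPLE_BLKID='/dev/sdb1: UUID="0000-AAAA" TYPE="vfat" PARTUUID="11111111-01"
/dev/sdb2: UUID="aaaaaaaa-0000-0000-0000-000000000002" TYPE="ext4" PARTUUID="11111111-02"
/dev/sdb3: UUID="bbbbbbbb-0000-0000-0000-000000000003" TYPE="crypto_LUKS" PARTUUID="11111111-03"'

# Dry run against the constructed report. On a real rescue machine, pass
# "$(blkid)" instead of the sample and set DRY_RUN=0.
recover_all "$SAMPLE_BLKID" /media/rescue-headers /mnt
```

The header backup is the part most people skip: copying the files off is no harder than for an unencrypted disk once `cryptsetup open` has succeeded, but nothing succeeds if the header was the part of the disk that got corrupted. Keep the backup file on media that is itself protected, since together with the passphrase it unlocks the volume.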

3. Encrypting Your Hard Drive Impacts Performance

Another item to note is that encryption may not be the best performance option for very low-powered devices. While plenty of devices are powerful enough to deal with encryption with negligible performance impact, older hardware is not.

Installing Linux on old netbooks and other low-power devices is fine. But do it without encryption. After all, netbooks are slow enough already. The idea is to be productive with these low-spec devices, rather than sit around waiting for them.

Linux Disk Encryption Is Your Shout

As always, what you end up doing is completely up to you. If you feel that you need to encrypt your entire home folder or even your whole partition, go ahead. So long as you’re aware of what might be facing you in the event of a problem.

On the other hand, if you prefer to leave your drive unencrypted and secure your data in other ways, you can. Just be confident your data is as secure as promised.

Decided to encrypt? Encrypting your vital data isn’t as tough as you think: on Linux you can do it by disk partition, by individual directory, or by individual file.


  1. Isaac
    February 16, 2020 at 1:53 pm

    Rule 1, never encrypt /boot.
    LUKS is great, if you need it. But for home use, is the "warm-fuzzies" worth the performance?

    Just encrypt /home, and leave the rest?

  2. Hariharasudhan
    November 23, 2019 at 12:55 am

    What type of encryption scheme is used here?

  3. cantstandtheidiot
    July 4, 2019 at 12:26 am

    Are you serious?
    Where can I report this article to have it taken down? It causes harm to those living in authoritarian states when they happen to leak data by following your approach.

    Sir, please think twice before you advise anyone to deal with encryption!

  4. vinci
    March 26, 2019 at 4:21 pm

    I can't believe what I'm reading. This article was written by a mentally challenged person or by someone working for the NSA.

  5. Bill
    March 13, 2019 at 7:06 pm


    > Recovering Data Is Harder
    Yep. THAT'S THE POINT! If you can recover it easily, so can they. ergo ...

    > Did I Mention Recovery Is Harder?
    See above. That is the point.

    > Possible Performance Impact
    Yep. Nature of the beastie. If the above isn't important to you: (a) why are you reading this?; (b) if it isn't important to you / performance is an issue / you are in an absolutely physically secure location (nobody can get in to steal the disk), then don't encrypt.

    > Last but not least, do you really need to encrypt vital system folders or partitions to protect your data?

    Yes. fire and forget. No ... did I remember to put that file in a secure location. What about working or intermediate or /tmp copies ... it's just done and safe.


  6. realware
    September 14, 2018 at 11:38 am

    This is the dumbest article about encryption I've ever read on the web. Please encrypt your data if you feel the need to.

    It's like telling people to leave their house doors open, just because, you know, it could happen that you lose the key.

    Just be sure to store a backup of the encryption/gpg keys, or whatever technology you use to encrypt, in a safe place, and do dry run tests to check the data are recoverable after being locked up.

    Maybe Image or clone the drives in a safe place as a backup measure too, it all depends on the relevance of the data you need to protect.

  7. Jack
    October 28, 2017 at 4:30 am

  8. Joe Bob
    September 26, 2017 at 5:44 pm

    I would have a hard time recovering data from a hard drive with an oscilloscope too......

  9. Don Joe
    September 13, 2017 at 5:29 am

    No shit, data recovery is supposed to be hard, that's the point
    shit article

  10. Jez
    June 25, 2017 at 2:58 pm

    What complete shit. The whole point of disk encryption is to make it difficult to access your files.

  11. Anonymous
    May 16, 2017 at 12:10 pm

    Not encrypting the system and encrypting anything else is of no use.
    The system as well as applications store data wherever they want, whenever they want, without letting users know where or when.
    Simple sample: Windows virtual RAM (pagefile.sys). If you disable it, some applications refuse to even open when launched; if you leave it enabled, anything in RAM can go to that file... so most normal users need to have such a file and have it in an encrypted place... not to mention hibernation, etc.
    Another sample: where do most email applications store their data? Or where do the files opened from inside a compressed file like ZIP / 7z etc. go? Normally into temporary directories on the system partition.
    Extreme sample: Do you know all the source code of all the applications that are running (like services)? If the answer is no, you do not know what they save on the disk, nor where they save it, nor when they save it... so your confidential data (the data you have inside encrypted containers) can be at risk, can be saved in plain.

    But did you ever know that the last 100 states of any BIT of the disk can be recovered with special forensic laboratory techniques, by not reading (analysing) at low level the surface / chip... like electron microscopes, etc.?

    If you store your data in plain, it will be recoverable (at a high, really high cost) even if you overwrite it (called wipe) fewer than one hundred times.

    So encrypting anything other than 100% of the full system is of no use... unless:

    1.-You do not have an Internet connection on it (nor any other way of external connection)
    2.-You have military security physical access level to it (while you are in and out)
    3.-You want to send some data to another place (using a container is enough)
    4.-At that destination points 1 & 2 are also true for you or for the receiver of the data

    Else, always encrypt all the hard disk... and more, all storage mediums that are present.

    Imagine a script that looks for a not mounted writable storage place, mounts it in write mode, does the writes, unmounts it and cleans all traces of that... well, not hard to imagine, a simple efficient keylogger on boot will do such; then when booted another piece of software would read such data and send it to a server... your pre-boot passphrase has been sent! Sorry, now you are not safe anymore!!! Well, there are on the internet some trojans that just do such a thing.

    So having all data / system / etc. is a must if you want your data to be safe.

    If you think my data is on the USB stick and it is encrypted, so I am safe accessing it on a non-100%-encrypted system... you are totally wrong!

    When you open a document... where is that auto-saved file stored? On your pendrive or in a temporary folder on the system? If you do not have full source code access (open source) who knows!

    etc. etc. etc.

    Sorry to be so crude... if there is a piece of place where data can be stored in plain/clear mode, your data is at risk... most of all if using Windows.

    For Windows users: remember that a BSOD (Blue Screen of Death) dumps all the RAM to the disk (system partition); if that part is not encrypted (only possible if the whole Windows system partition is encrypted) all the RAM will be written in clear mode... your 'private' is not private anymore... now anyone that stole that disk can get their hands on it... and on Windows it is really easy to cause such BSOD fails.

    For Linux users: The same applies to kernel panic as for Windows BSOD, etc. There are some micro-apps that can intentionally cause a kernel panic, so be aware!

    Just not to make anyone bored... if you need something to be private... ensure it will not be copied anywhere you do not want it to... if you can not control what a system does, do not use such a system or encrypt any byte it can access.
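The comment above raises a concrete, checkable point: swap (and the hibernation image, which Linux writes into swap) holds raw RAM contents, so an unencrypted swap partition leaks whatever was in memory, including data from an otherwise encrypted /home. The following is an added example, not part of the thread, that flags every active swap area not backed by a dm-crypt mapping. It parses the text of /proc/swaps and of `lsblk -rno KNAME,NAME,TYPE`; the sample inputs are constructed, and the live check at the end assumes a Linux system with util-linux installed.

```shell
#!/bin/sh
# Added example, not from the thread: check whether every active swap area is
# backed by a dm-crypt mapping. Swap and the hibernation image hold RAM contents,
# so an unencrypted swap partition undoes much of what an encrypted /home buys.
# The sample inputs below are constructed for illustration.
set -eu

# $1 = text of /proc/swaps, $2 = text of `lsblk -rno KNAME,NAME,TYPE`.
# Prints one line per swap area that is not a dm-crypt device.
unencrypted_swaps() {
    printf '%s\n' "$2" "===" "$1" | awk '
        NF == 0          { next }
        /^===$/          { in_swaps = 1; next }
        !in_swaps        { type[$1] = $3; type[$2] = $3; next }   # index by kernel name and mapper name
        $1 == "Filename" { next }                                 # /proc/swaps header line
        {
            dev = $1; sub(".*/", "", dev)                         # /dev/mapper/cryptswap -> cryptswap
            if ($2 == "file")
                print $1, "swap file: only as safe as the filesystem it lives on"
            else if (type[dev] != "crypt")
                print $1, "not a dm-crypt device (" ((dev in type) ? type[dev] : "unknown") ")"
        }'
}

# Live check on the current machine (Linux only; lsblk comes from util-linux).
check_live_swaps() {
    unencrypted_swaps "$(cat /proc/swaps)" "$(lsblk -rno KNAME,NAME,TYPE)"
}

# Constructed sample: a plain swap partition, an encrypted one, and a swap file.
SAMPLE_SWAPS='Filename                                Type            Size    Used    Priority
/dev/sda3                               partition       4194300 0       -2
/dev/mapper/cryptswap                   partition       8388604 0       -3
/swapfile                               file            2097148 0       -4'

SAMPLE_LSBLK='sda sda disk
sda1 sda1 part
sda2 sda2 part
sda3 sda3 part
dm-0 root crypt
dm-1 cryptswap crypt'

# Expected to flag /dev/sda3 and /swapfile, and to stay silent about cryptswap.
unencrypted_swaps "$SAMPLE_SWAPS" "$SAMPLE_LSBLK"
```

An empty result from `check_live_swaps` means every swap device sits on a dm-crypt mapping (the usual outcome when the installer's "encrypt" option was used, since it puts swap inside the encrypted LVM volume). A swap file is reported regardless, because its safety depends on the filesystem holding it, which this check does not inspect.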

  12. Anonymous
    May 8, 2017 at 1:08 am

    1) truecrypt had its days, and is no longer secure..
    2) yes users should choose to encrypt the whole drive, BECAUSE every file can be modified, which means that anyone who knows how to do so could install malware code into any file..
    3) by just encrypting some files, you leave the unencrypted files at risk of being stolen, viewed and modified.

    conclusion: use luks with nuke enabled

    • morat
      June 26, 2019 at 6:54 pm

      this is a fake rumor. Truecrypt is so good that the NSA cannot decrypt it. They forced the Truecrypt programmers to stop developing. I don't have to tell you never to use Win10 or iOS. They both are ugly spyware by design.

  13. Greg
    March 10, 2017 at 10:54 am

    What a pile of bullsh*t. Is it not obvious that by encrypting your HDD you consciously take a decision on lower impact or problems with data recovery? It is obvious, and you mitigate the risk of data loss by simple solutions like backups.

  14. Jonathan
    February 21, 2017 at 12:01 pm

    This article is terrible.

  15. codywohlers
    February 10, 2017 at 7:22 pm

    Good article but clickbait headline. 4 Reasons? You only listed 3 and two of them are the same!

  16. nuno
    January 29, 2017 at 2:46 pm

    Was hard to read the full article as the images took all the credibility.
    Your text just gives the impression that you should read a bit more before writing about it.

  17. Bob
    January 23, 2017 at 6:08 am

    Simply an advertisement for TrueCrypt. Nothing more.

  18. Common_Sense
    December 30, 2016 at 1:12 am

    This is irresponsible drivel. FDE helps to ensure the integrity of the system as well as protecting the logs and caches you wouldn't think* you'd need to encrypt.

  19. Jacques
    December 28, 2016 at 6:12 am

    don't agree with you at all. encrypted a full disk allows you the freedom to store anywhere, and not constantly think about what is and what is not sensitive data. should anything go wrong, that's why you have backups, right? you do have backups, don't you?

  20. en-su
    November 20, 2016 at 2:48 pm

    I made 16.04 encrypted... whole partition, but have an SSD drive. I did not notice any "slow down". Swap is 0. Trim is active. Most "funky" applications removed, including startup applications. It is good to leave one old kernel just in case the new one experiences problems. No automatic updates, no backup. Almost "everything" is managed manually by myself with full control. Cache, maintenance, clean up or removal I'm doing from the terminal from time to time. I must admit that about 40% of "funky" applications have been removed from the system and my laptop is still very fast.
    I agree that encryption without the above might make problems. For me security and privacy come FIRST. Today all your activity and data can be "seen by Big Brothers" if you have no encryption. Whatever of your personal details will be "taken over" by them will stay on the internet forever, even after you die.

    • Youknowit
      May 11, 2017 at 11:34 am

      An encrypted hard drive will not protect you from getting hacked or being spied on at runtime. It is against direct physical access to your machine. At runtime, after you typed in the password while booting, everything is unencrypted.

    • Elijah Beale
      May 12, 2018 at 4:17 pm

      Be aware that trim for an encrypted SSD causes a possibly meaningful security impact to disk encryption. This may cause you to disable trim, while this would cause a performance impact and lessen the life of your SSD. Trim will cause your SSD to write zeros to all discarded blocks, so a pattern will be formed. You will see where data is stored and where data isn't stored, so the attacker can focus on a smaller set of space to try to decrypt.

  21. rana
    July 3, 2016 at 5:08 am

    TY NSA!

  22. Linus
    June 29, 2016 at 4:52 pm

    I would agree with most of that, but you should help readers understand the caveats. For example, if you are carrying around Linux on a USB stick (something very easily left behind or lost), encrypting the entire system would more than make sense. Also, encrypting the system is not necessarily a protection against unauthorized read but also unauthorized write (vis a vis malware, spyware, planting incriminating evidence, etc.).

    • Cruithni
      July 6, 2016 at 3:45 am

      Precisely Linus. If one of the horde of Pentest malevolents with the integrity of a hungry Anaconda, and they are everywhere, manages to get a ride on SMTP or something, it is far harder for them to really ruin things. They will then usually throw a largely harmless DoS attack at you in frustration and you then know you've burleyed up a Twerp somehow. (And I'm convinced 90% of the shutdowns attributed to graphic bugs in the kernel are in fact another type of misanthropic little bug entirely, that have made many people's lives a misery for years. They turned what once was respect for study and skill into a psychotic urge to kill.)
      Complete encryption is not so much good for protecting files, which it is peerless for, as it is a simple but effective security measure for inexperienced users, and basically because 95% of the human race are malfunctioning units by design.

      • Cruithni
        July 6, 2016 at 3:49 am

        Sorry, really bad typo in there, but you'll still grok the gist I hope. Just as in the real ones, it's a manufactured reason to exist for Grammar Cops :)

      • Dicken Buhtz
        August 14, 2016 at 4:23 am

        100% of the human race, chief. I'm sorry, but neither you, nor any other human being is infallible.

  23. what the crab
    June 28, 2016 at 10:08 am

    "Use something better than full-disk encryption ... like an encrypted container ... (that protects you from absolutely nothing in case your computer is stolen)"

    Thanks NSA!

    • Ciaran
      March 1, 2017 at 11:01 am

      open source programs will not have back doors

      because their entire code is published publicly and the back door could be used by literally anyone

  24. janny
    January 21, 2016 at 3:44 pm

    +1 for Stefan

  25. karol
    December 26, 2015 at 11:05 pm

    hahahaha, lol, truecrypt:) NSA hi!

  26. Jimbo
    December 26, 2015 at 7:39 pm

    Thanks NSA!

  27. Anonymous
    November 4, 2015 at 9:15 pm

    The worst piece of advice on the internet!

  28. stefan
    May 10, 2015 at 6:51 am

    Dear Dan,

    I used to have similar opinions about FDE; however, now I've substantially changed my mind.
    I use FDE on my ASUS netbook which serves as file/print server and runs owncloud accessible from anywhere and syncing my devices. Performance impact is negligible, and the only thing I need to do is enter the passphrase once on bootup.

    So what are IMO the pros for FDE?

    - There is something dangerous about the idea of 'just encrypting sensitive data':
    The point is that your system needs to be able to access this data somehow, and unless you protect it with an extra password, users tend to store sensitive credentials permanently in the unencrypted part of the hard disk. It will be easy to find them there and access all sensitive data.
    - It is somewhat difficult even for me to decide instantly if something is 'sensitive' data or not, and with FDE I simply do not worry about it.

    One thing though is that it is far more important to think about the data security aspects of a running system than if the system has been powered down.
    I do not power down my laptops often, just put it to sleep mode. Then it is just protected by the main users system password.
    So I assume with special hardware it would be still possible to steal data from the live laptop system.

  29. know one
    January 26, 2015 at 10:29 am

    you can use something compromised like truecrypt!

  30. Ivan
    October 7, 2012 at 7:52 am

    Scenario: Buy new hard drives say six. Even though the reviews for HDD nowadays are terrible seeing as the companies don't seem to care for them anymore. Stick all the stuff that people wouldn't want others to have access to.
    Encryption keys ?, money related documentation, porn, private family/friends pictures/videos/chatlogs/etc., other personal information, work documents, etc.
    Don't bother encrypting it after a week click click click. Return the drive. Oh hey you've just sent someone a hard drive full of everything you didn't want anyone to see. Success!

  31. Michael
    September 30, 2012 at 2:00 am

    You do need to encrypt the entire hard drive, or at least the entire partition, and the reason behind that is the complex amount of logs a computer holds, from /var/log and /home/user folders to many other places, including time stamps of when every file was accessed and modified on the computer.

  32. Jus0c
    September 22, 2012 at 5:44 pm

    Very good article but I would disagree on the potential for system impact. I've used LVM2 with AES256 and the performance impact was not noticeable or negligible on a machine with 2GB of RAM and an old AMD AthlonXP.

    It makes recovery harder you say, isn't that the whole onus of the idea of using it in the first place?

    However I must rate you on your choice of encryption software being Truecrypt instead of bit locker.

    Bit-Locker might seem really cool but here's the low down for people not in the know: Bit-Locker encryption is pointless because with one or two simple commands anyone can defeat it and retain anything you naively believed it had secured. To obtain the recovery password for volume C: simply issue the following command on any Bit-Locker secured system at the command prompt:

    manage-bde.exe -protectors -get C: -Type recoverypassword

    However I should point out Truecrypt containers can also be broken with a brute force tool called Truecrack but they would have to be able to load a list of passwords on the off chance yours is amongst those in a brute force dictionary file or try to recover the password from a LIVE system using a tool called Memory Dump.

    A choice of encryption with Serpent-AES-Twofish along with SHA512 is ample protection from everybody.

    Although some anti-forensic tools have legitimate purposes, such as overwriting sensitive data that shouldn't fall into the wrong hands, like any tool they can be abused and used as a weapon to invade the end user's privacy. So for the truly paranoid you would also use a whole host of other features like security certificates with RSA at around 2048 bit with SHA512 to secure things like correspondence and email in transit, but in truth how many people actually take the time to do such a thing? Instead nearly the majority of the planet sends all their e-mail and correspondence in the clear, which is almost akin to writing a personal message on a piece of paper, folding it in half, writing the recipient's name on the back and posting it in a post box without an envelope. No one would read it, would they?

  33. Phil
    September 18, 2012 at 10:17 pm

    I think the title of your article is misleading. '4 Reasons Why You Shouldn't' should be '4 Things To Be Mindful Of' this just sounds like you are bashing disk encryption. Data recovery is not difficult on any platform at all. I taught my sixty-five year old mother how to do it in one text from the other side of the planet. I also think that FULL disk encryption should be encouraged with modern day journalling file systems and SSDs. I don't dislike your writing, please just be a bit more thorough.

  34. Aaron Wright
    September 14, 2012 at 7:56 pm

    The data recovery issue is no joke. The reason I am here in the first place is because I am reinstalling linux. After a botched SolusOS install on my netbook, I ended up stuck in the grub rescue prompt. Having no CD drive and no way to boot took me 3 days to figure out anyway. Having it encrypted would have been the last thing I needed.

    I finally got it working though, and have a fresh (unencrypted) install of Mint.

  35. John
    July 24, 2012 at 11:19 am

    So your four reasons are recovery is hard, recovery is hard, it may be slow and containers are better.
    Recovery is hard - yes, but this is assuming you do not have a secure backup. You then say you might not have another computer to put the disk in. At this point if you are not using a LiveCD you have issues anyway. The whole point of encryption is that it is hard to get into.
    Slower - yes. But only fractionally. Not that much depends on disk access unless you are trashing the disk with a database. Other bottlenecks will exist such as bandwidth.
    Containers is an odd choice for better alternative. It is easier for me to run truecrack against a container than trying to crack a disk encryption. But that is back to recovery is hard.

  36. Matthew Bradley
    July 10, 2012 at 3:06 pm

    I use Crunchbang with full disk encryption. It makes everything simpler since the whole disk is done and as such, unlocked with the single entry of a passphrase at boot time. I also allow automatic logon of my user account subsequently, so once the encryption passphrase has been entered at power on, the next thing you know is your desktop is ready. Nice. Crunchbang is lightweight too, so I've not noticed any kind of performance degradation, unlike my work's Windows laptop which has been practically unusable since the day it got full disk enc.

    Detailed review by me, here

    • Danny Stieben
      July 19, 2012 at 10:16 pm

      Thanks for the link, Matthew!

  37. Ehrich
    May 19, 2012 at 2:08 am

    I get that you're a senior in high school and that you're a bit inexperienced but let me give you some advice:

    If two of your four points are the same point, you don't have four points, you have three. It sounds cute in theory, but in reality it makes you look like you really don't have much to say on the subject and are just bolstering your numbers.

    If one of your three points isn't a reason NOT to use said product but rather your reasoning to use what you think is a solution then you have two points, not three.(you would address TrueCrypt in the conclusion, FYI)

    Now, let's address why some of us encrypt our entire partitions. If you only encrypt your important stuff, only your important stuff will be encrypted so there is no question what to attack. That's why we encourage using encryption on ALL of your email. Doing so prevents anyone curious from knowing if you're sending pics of your Aunt Edna to your mother or if you're discussing your important business with your mother. By the same token, someone can't tell the difference between newly written sectors due to you updating your system(or browsing cache or a million other mundane things) and newly written sectors due to you writing your secret plans to disk.

  38. Chris Hoffman
    May 19, 2012 at 1:19 am

    Encrypted partitions may not be necessary for everyone, but certainly they're important for people that need better data security.

    An encrypted truecrypt container doesn't prevent people from reading data out of your swap partition, while an encrypted swap partition will.

    I've heard enough stories about employees losing unencrypted laptops containing important data to not want to discourage everyone from using encryption.

  39. Jon O
    May 18, 2012 at 11:27 pm

    While this doesn't directly relate to Linux I thought this story might be of use to some. My mother runs a tax business where the main PC is a laptop. Obviously this has lots of personal data for many people and it would be bad for someone to get hold of it. Now she tries to do the right thing: backups, encrypting data in case of theft/loss. I, being the "IT" dept, did just that. The machine is a Windows box with Truecrypt running for whole drive encryption. One day she goes to turn the computer on and it just sits there and does nothing. I look at it and find that the MBR and partition table had been corrupted. So pulling the drive and plugging it into another system didn't directly do anything. She does her own backups periodically (mon/wed/fri end of day) but being that this happened on an off day (wed) all stuff done the previous day would have been lost. She was out and I was not available immediately for consult so she went to a local place I told her to consult should I be unavailable for any reason (they have people smarter than me just in case). After some work they determined a worst case scenario occurred. Something caused corruption to many areas of the disk. The MBR/partition table and Truecrypt headers, both primary and backup, were destroyed. Since then a new solution has been installed whereby the computer does secured tunnel backups to my personal server, which does triplicate mirrors to supplement her own local backups. My main reason for posting this is, as I'm sure many of you can see, this scenario could easily happen to a user, beginner, advanced, or even some administrators. I hope this helps others in protecting against a disaster scenario. I do realize this is not a typical issue one would run into, but alas it is a scenario that does and can happen.
    I highly recommend encryption where it is feasible. I personally run Ubuntu on 2 machines using whole drive encryption with MBR/partition table backups, key header backups, and then in-OS backup software doing online backups. Solutions for the paranoid is my motto these days. Anyway, sorry for the long post, everyone enjoy their day.

  40. Albin
    May 18, 2012 at 1:52 pm

    I like to use Dropbox to keep my netbook in sync with the desktop (and use a different service for file backup/storage as distinct from sync), but had nothing but trouble with synchronizing TrueCrypt containers for confidential data, and gave it up. Instead of synching a changed and closed encrypted container, DB creates "conflicted copies" of it. I'm able to use SyncBack over wi-fi to manage the problem, but don't know of any (free) online sync that handles encryption.

  41. Glyn
    May 17, 2012 at 10:48 pm

    I agree. Even the most sensitive data can be stored in a container. The advantage here is that it is portable and recoverable like any other file. It's what I use at home for work.

    • Danny Stieben
      May 18, 2012 at 7:54 am

      Exactly! It's just easier to manage the encryption and the files within that way, IMO.

  42. John
    May 17, 2012 at 8:57 pm

    A more elegant way to access your files is to boot a Fedora live CD. If the disk is available you will be asked for your password. Also, if you don't want to partition a whole partition you can use Encrypted Virtual File System (EVFS).

    TBH I've never seen so much bad advice in one post as I have seen here. I thought the masters of FUD were m$.

    • Danny Stieben
      May 18, 2012 at 7:53 am

      EVFS? Another Fedora easter egg I never knew about?

  43. Quintes
    May 17, 2012 at 6:22 pm

    Oh my goodness.. my home is encrypted and I have some truecrypt containers on it.

  44. Mark
    May 17, 2012 at 5:31 pm

    Dan -
    I had the nightmare scenario happen to me - installed Linux on an older Gateway and checked the encrypt box because I was a noob to Linux. Then, after 3 months, the power supply checked out. I salvaged the hard drive, but couldn't get to anything I needed. Is there a way to get my stuff back easily that you can point me to? There's nothing super critical on there that I need ASAP, but I would like to get back some stuff that I invested time in...Thanks!

    • Danny Stieben
      May 18, 2012 at 7:52 am

      It depends on what you used to encrypt the hard drive. From what you've told me, the only thing I can recommend is plugging the hard drive into another computer and running a LiveCD on that system to see if you can enter in a password. I'm not quite sure if anyone else would have something to add...

  45. old486whizz
    May 17, 2012 at 4:56 pm

    No GUI for getting data off? I plug in an encrypted drive into my PC and KDE comes up prompting me to enter a password...
    After entering the password, KDE presents me with a mount option and opens it in my file browser.

    Ubuttnu gives me the giggles. People use it and don't actually know what it means when they do these things.
    In other Linux distros, /home is set up as a separate partition by default, and encryption is done under the filesystem level (i.e., only using some CPU to encrypt/decrypt - almost no IO overhead).

    Also, your "recovery is harder" is invalid. Encryption is separate to the filesystem layer (or at least it should be), meaning the only problems you have are problems you would have in all other situations. Recovery is the same.

    Look up LUKS and cryptsetup. Yes these are the command-line level I use, but they have GUI tools too.

    • Danny Stieben
      May 18, 2012 at 7:51 am

      If you're in a recovery situation and have no other computers you could use to plug in your hard drive, then there's no GUI. KDE can't help if you can't reach it.

      Additionally, people who blindly check the encryption box and forget about it will be pleasantly surprised when the regular recovery instructions they find happen to fail. While it doesn't make recovery hard for those who know a thing or two about Linux, others won't like the extra steps it will take.

      • old486whizz
        May 18, 2012 at 5:00 pm

        All liveCD/USB solutions use a GUI nowadays (gnome usually).
        Ever since Knoppix we've been able to boot into a GUI to rescue our machines - your argument is moot.

        Along the lines of their instructions, sure. Although with ubuttnu I would assume that someone has written an encryption recovery guide out there for various setups.. But then again, when you have to run a "grubby-install" or "fsck", most people would feel way out of their depth.

  46. Ed
    May 17, 2012 at 4:49 pm

    This sounds like a whole load of nonsense to me. Simply do regular backups of your system and keep the encryption of your file systems for safety.

  47. Sum Yung Gai
    May 17, 2012 at 4:14 pm

    Danny, thank you for your article, even though I disagree with the premise in it. I'd like to provide another view.

    The concerns you raise about recovery are valid. The solution to that is to have something like an encrypted storage volume (e.g. a USB hard disk) that has a backup copy of everything. Given the low cost of high-capacity USB hard disk drives nowadays, there really isn't an excuse anymore like there might've been years ago.

    Now, why should the data be encrypted? Simple: privacy. We as people have a natural right to privacy, be it from thieves, governments, or other prying eyes. You might have something on your computer that might embarrass you later on. You might not. Either way, as long as you're not hurting someone else, it's none of my or anyone else's business--only yours. Today, strong encryption is the best tool to ensure that privacy.

    Furthermore, enterprises have a real need to ensure that data are protected. If a laptop gets stolen or lost, you don't want *anything* to be able to be read and interpreted off of the thing. Typically, enterprises have backups of data stored in locked vaults full of tapes or other backup storage media. Therefore, should a disk drive actually go bad, you don't need to try to read from that hard disk. You just put a new hard disk into the computer, re-image it, and restore the data from the backups.


    • Danny Stieben
      May 18, 2012 at 7:43 am

      As I acknowledged in earlier comments, I see that backups could be helpful in a full reinstallation scenario. I also don't recommend people to not exercise their right for privacy, but I am just trying to make people aware of how they achieve that and what techniques could lead to which consequences. I suppose the title of this article is a little misleading because it is too general. Finally, yes, enterprises have their own needs, but they aren't the target of this article.

      I appreciate your other view, however, as you and others bring up good points. :)

  48. K. Darien Freeheart
    May 17, 2012 at 2:22 pm

    Encryption is not a "beginner" tool set. If you're working with data that is so sensitive it requires encryption, you should not be at the "beginner" level.

    Users are, by far, the weakest part of any security scheme. Until you realize that, your data is horribly insecure. Any person or company who trusts someone with vital data should do as much to educate the user about best practices because it's far more valuable than a complicated and complex encryption system.

    • Dave R
      May 17, 2012 at 4:03 pm

      True enough that encryption is not for "beginners", but there are a lot of people who are not computing professionals but nonetheless need encryption. Healthcare providers, attorneys, law enforcement officers - all deal with very sensitive data, and while they are not "beginners" in their chosen fields, they often use computers at the beginner level. Administering encryption systems is simply not what they're good at.

      For these, home dir encryption strikes a balance, to your second point - it transparently forces the user to make use of the encryption (they would be more likely to ignore or bypass a selective system like Truecrypt) while not requiring too much administrative knowledge.

      Fortunately, when it comes to backup and recovery (probably the only valid concern of the OP), users in these contexts typically have IT departments supporting them who can provide recovery assistance.

    • Danny Stieben
      May 18, 2012 at 7:38 am

      I have to agree with both you and Dave. Both points are valid, so I suppose it's up to the user (or admin) to make the decision of what would be riskier.

  49. Don
    May 17, 2012 at 1:47 pm

    I encrypt the entire home directory and "data" directories, especially on laptops and netbooks. I have not noticed a performance penalty. The only penalty per se is during the initial encryption setup, in which I opt to write random data to the encrypted partition.

    I use external USB hard drives for backup and I encrypt the entire backup drive as well. Every pendrive I have is encrypted... Before getting on the encryption "bandwagon", I had misplaced a pendrive that I keep design work on. I spent the better part of a week worrying about someone accessing my intellectual property. I was relieved to have found the pendrive in the clothes dryer lint trap!

    Since then, anything (computer, pendrive, hard drives) that can be stolen, lost, or misplaced is encrypted. Period.

  50. Matt
    May 15, 2012 at 9:40 am

    In the age of virtually everything being on computer, medical, financial records and the like, encryption is a must. If not the whole disk then at least /home.

  51. Robert Ruedisueli
    May 15, 2012 at 9:22 am

    I really wish they would create a subdirectory in your home directory called /home/{username}/secure/

    This would make it nice and easy to stick all your encrypted things in one place.

    Additionally, on any program that you want to have its config files encrypted, you can set it to use that as the config directory instead. (Hopefully they can set this up as an easy-to-set-up option as well, on programs for which it would be popular to do this.)

    • Rudi Pittman
      May 15, 2012 at 9:38 am

      What prevents you from creating a secure partition and then symbolically linking to it from your home dir to create the secure dir you say you want? Same with config files etc..just repoint them.

      • Danny Stieben
        May 17, 2012 at 11:06 pm

        The only thing that would prevent anyone from doing that is the amount of Linux knowledge they have. While you, Robert, and I would be able to do something like that, other people would refuse to try or some would require a tutorial.

    • Danny Stieben
      May 17, 2012 at 11:05 pm

      That certainly would be a great idea to make encryption of important files easier.

    • Joseph
      May 18, 2012 at 5:46 pm

      Nothing is preventing you - check out encFS.

  52. jackd
    May 15, 2012 at 3:57 am

    ", and the master boot record or its configuration files become corrupted because of the sudden loss of power, you’ll need to run a recovery disc and enter in commands in the hope that it’ll return to normal"

    I may be missing something, but MBR and "boot" partition would never be encrypted, so I don't understand how having some (other) partition(s) or directories encrypted makes this worse.

    For what it's worth, I say anyone who carries around a laptop and does not encrypt their partitions is crazy.

    • Danny Stieben
      May 17, 2012 at 11:04 pm

      That specific example applies to those who use entire disk encryption. It's a lot harder for GRUB to find the Linux kernel (and all other files) that it needs to boot off of if the partition it's located in is encrypted.

      • Joseph
        May 18, 2012 at 5:45 pm

        GRUB can't boot from an encrypted partition so full-disk encryption with GRUB requires an unencrypted boot partition. I believe GRUB2 can though.

  53. Rudi Pittman
    May 15, 2012 at 3:05 am

    You forgot to mention the necessity of running encryption of your home partition on Linux laptops to protect your data in the event of theft.

    • Robert Ruedisueli
      May 15, 2012 at 9:28 am

      Anyone who carries around a laptop with unnecessary data on it is crazy IMHO.

      • Rudi Pittman
        May 15, 2012 at 9:35 am

        Some of us actually use our laptops for something besides gaming, web surfing and porn. What's your definition of unnecessary data? If I keep digital copies of documents I might need while travelling such as medical records, passport info etc it's hardly unnecessary but I certainly don't want just anyone having access to the information.

    • Danny Stieben
      May 17, 2012 at 11:01 pm

      Thanks Rudi, but that wasn't the point of the article. Listing reasons why people should use encryption is a whole other topic that requires a separate article or two. Yes, laptops should be more common to have encryption, but my article still applies to make people think about the decision.

  54. Rob
    May 15, 2012 at 2:49 am

    I'm not completely convinced about the 'recovery is harder' argument. The simplest solution is to have a good backup system in place. Period. Whether your system is encrypted or not, you can have data loss with partial or complete drive failure anyway. Yes, you can obviously recover more of your files if the system is not encrypted, but you've already lost if you're trying to recover images and documents off of a corrupted drive anyway. Back it up, simple solution.

    The performance point is okay, but still not really good. Phoronix did calculate performance metrics with and without encryption here: Generally if you're hardcore about performance, it's not the hard drive encryption that is going to make or break something, look elsewhere (tmpfs for /tmp or web browser cache, for example). My netbook is over three years old, and runs both XP and Linux just fine with encryption (Truecrypt for XP, dm-crypt for the Linux).

    And using a volume specifically for encrypted files works, and I do encourage that. Really the only flaw is people need to readily think about what they do and don't want in the encrypted volume. Or consider applications that may write things in odd places that should be encrypted. You don't need to worry about that for full disk encryption.

    All in all, props on the article. Though I don't agree with everything, we all do need to encourage people to think about encryption more.

    • Danny Stieben
      May 17, 2012 at 10:59 pm

      Yes, I agree that backup is important. If you simply reinstall the OS and restore from those files, then it should be just fine, I agree. In the article my main focus as far as restoring goes was if some system component started acting funky and causing the system to not boot properly, but I suppose I didn't put enough emphasis on that.

      As for your other two points, you have a good support for what you say. I guess we can conclude that there are always pros and cons for encryption.

      Thank you! And yes, I think so too. I didn't write this in a "I'm an expert, so do what I recommend" manner because A) I'm an enthusiast, not a complete expert, and B) the main reason why I wrote this article was to challenge people and make them think about encryption so that they are more conscious of what they're doing. And I think that I'm achieving that.

  55. Dan
    May 14, 2012 at 10:44 pm

    If you're installing Linux on a laptop, then I would strongly suggest encrypting the /home folder (and maybe even /swap if you're paranoid). Data loss is much worse than just losing a physical computer. The thief could gain access to confidential personal data, banking data, passwords, personal medical info, sensitive business and corporate data, "intimate home videos", etc. On a desktop which can be secured in a home or office, encrypting the entire partition may not be as critical; but on a portable device like a laptop it is a must because it is easier to lose, misplace, or have stolen.

    My laptop is Win7 but I encrypted the whole drive using Truecrypt. I also have Linux installed on my USB drive if I need it, and yes the /home folder is encrypted.

    • Paul
      May 15, 2012 at 5:22 am

      All this is irrelevant if the person doesn't follow some simple security practices or if the distribution doesn't secure their system. On Ubuntu based systems, even if you've encrypted the home partition, when booting select the Linux in recovery mode, then choose the command line in super user option, and one command will change the user password; this is the unfortunate side effect of Ubuntu trying to make the system more convenient for users by reducing security. The way around it is to encrypt the whole disk or enable the root account with a root password. As for the boot partition becoming corrupted, which is always a risk, make a backup copy of the boot files; this is the easiest solution to deal with this.

      • Danny Stieben
        May 17, 2012 at 10:51 pm

        Since passwords can be changed as you stated, that's why I still believe that using TrueCrypt is better, because if someone does get into your user account by changing the password, they still cannot access the TrueCrypt container.

      • csr
        October 12, 2012 at 10:11 pm

        Wrong. Changing the user password from an admin account will not allow access to an encrypted home directory. You cannot change an encryption key without knowing the previous key. If the admin changes the user password, then the encrypted user home will not be mounted when the user logs in with the new password.

    • Danny Stieben
      May 17, 2012 at 10:50 pm

      You have a good point. While I still recommend using something else like TrueCrypt for encrypting "regular" data, I understand what you're saying when it comes to data that is usually stored in hidden folders such as browsing info. However, I see that as the only possible reason to encrypt the home folder as regular data can be encrypted with TrueCrypt and system files shouldn't have a need to be encrypted.

      • Paul
        October 13, 2012 at 6:02 am

        It depends on how paranoid you are, there is a good reason to encrypt system files to protect against off-line tampering such as the installation of keyloggers or malware. It is definitely something the user has to think about and weigh up all the options. In Linux you also have an option, in most distributions, to create a separate home partition, in which, in theory, all the user settings and options as well as program data "should" be saved, if the software developers write their software as they should. I do agree that even if you don't choose this option, as in Ubuntu, creating an encrypted home folder will also deal with that issue. @CSR, thank you for correcting my mistake with regards to the password change as I was unable to find any definite information about it. If anybody is interested and using Linux they should check out "CryptKeeper", which is not cross-platform unfortunately, but it does work very well with cloud storage such as Dropbox.

  56. Free as in Freedom
    May 14, 2012 at 10:36 pm

    If you follow best practices and do regular backups, which can be encrypted themselves, you do not have to worry about these reasons not to encrypt your partitions.

    Also, I'd just like to interject for a moment.
    What you're referring to as Linux, is in fact, GNU/Linux, or as I've recently taken to calling it, GNU plus Linux. Linux is not an operating system unto itself, but rather another free component of a fully functioning GNU system made useful by the GNU corelibs, shell utilities and vital system components comprising a full OS as defined by POSIX.

    Many computer users run a modified version of the GNU system every day, without realizing it. Through a peculiar turn of events, the version of GNU which is widely used today is often called “Linux”, and many of its users are not aware that it is basically the GNU system, developed by the GNU Project. There really is a Linux, and these people are using it, but it is just a part of the system they use.

    Linux is the kernel: the program in the system that allocates the machine’s resources to the other programs that you run. The kernel is an essential part of an operating system, but useless by itself; it can only function in the context of a complete operating system. Linux is normally used in combination with the GNU operating system: the whole system is basically GNU with Linux added, or GNU/Linux. All the so-called “Linux” distributions are really distributions of GNU/Linux.

    • Dan
      May 14, 2012 at 11:11 pm

      Looks like someone drank Stallman's kool-aid. Unlike you and the FSF, most of us aren't pedantic about it and we prefer to call it Linux for convenience.

      • gamaral
        May 17, 2012 at 2:48 pm

        Sorry Dan, you are not FREE to just call it Linux, you should call it Chrome/DWM/X11/GNU/Linux on Gentoo.

      • Danny Stieben
        May 17, 2012 at 10:46 pm

        I agree. I actually haven't seen anyone calling it GNU/Linux in a while lately.

      • uniwarp
        June 5, 2012 at 4:05 am

        That's the most irrational chain of thought I have seen in a long time... this goes for both you and all the other people who are posting nonsense replies.

        The fact is that Linux was built on GNU's tools, that's how it got started and that's how it became popular. Now, it's obvious that you haven't looked at a snippet of code throughout your life. If it was any other way, you would have realized that without a stable development platform, it will not be easy for any operating system to attract developers, hence users. Which is exactly why calling it GNU+Linux is absolutely necessary, to give credit where credit is due.

        You people are best off reading a book or two on software engineering and operating system architecture. Perhaps it will help you appreciate the work which was done by the FSF. Now, go cry in some other remote part of the internet.

        • Moneybags
          August 3, 2012 at 6:18 am

          What is this? The next generation of Linux snobbery? This kind of nonsense is over 10 years old already--I thought the community had finally grown out of these silly debates. You have absolutely zero knowledge about whether or not a person who posts on this site contributes to projects, understands operating system architecture, etc. Aside from debheads who else insists on calling the OS GNU/Linux these days? No one. You should be just as ashamed of yourself as the first person scolding people on not using your preferred label.

        • Danny Stieben
          August 14, 2012 at 6:48 am

          I actually like door number three, where we just call it by the distribution's name. It's not Ubuntu Linux, it's not Ubuntu GNU/Linux, it's just Ubuntu. :)

    • epiquestions
      May 15, 2012 at 1:19 pm

      really? did it make you feel better that you got that off your chest?

    • Danny Stieben
      May 17, 2012 at 10:45 pm

      Through backups, recovery can be easier if you simply restore from the backups in whatever way you wish, but the last two points still apply just as much.

      Thanks for lecturing me about Linux and GNU/Linux; I am well aware of that. While your comment may be an interesting read to those who don't know about it, the majority of users still call it Linux and not GNU/Linux, and we as a site need to use terms that people identify more easily. Linux is, in that case, a better choice for us to use than GNU/Linux.

  57. Truefire_
    May 14, 2012 at 7:40 pm

    I got a laugh out of 'use something better' with a screenshot from Vista :)

    • ypslinux
      May 17, 2012 at 6:45 pm

      Danny, please never discourage people from securing the computing environment. I would suggest for you to research and advise people how to recover encrypted filesystems and folders if the primary OS of the computer malfunctioned with encrypted files.

      Privacy is a very serious matter and the Enterprise level is even more serious because there are regulations which require systems to encrypt data at rest and while in motion. Read about PCI/DSS 2.0 which controls credit card processing... ypslinux

      • Danny Stieben
        May 17, 2012 at 10:41 pm
        Thanks for your concern, but I didn't say that they should forget about encryption altogether. I did mention that if they need encryption they should use something else, didn't I?

        Yes, on the Enterprise level things are different, but MUO doesn't cater very much to the Enterprise crowd, especially this article. This is aimed at regular users who are trying Linux and aren't sure what to do as far as encryption goes.

    • Danny Stieben
      May 17, 2012 at 10:40 pm

      Haha the focus was meant to be on TrueCrypt, but I do see your point. :P

    • Joe
      September 17, 2016 at 10:30 pm

      The only thing wrong with this article is that it doesn't have ratings at the top of it... so that I can give it a minus 10 and help other users who run into it not have to read through this... I mean really. Disk encryption has its uses... hardware fault... backup your data. And let's face it, those interested in encrypting their drive would have a copy of the critical data.