Encrypt Your Linux Laptop & Keep Your Data Private
If someone steals your Linux Laptop, what do you do.
We keep so much information on our computers these days - laptops and desktop computers, that you really don’t want unauthorised people getting hold of your data. Whether it’s access to your files or access to the websites you have logged in and told your computer to stay logged in, all those are easy pickings for a computer thief. They don’t even need to be that skilled to exploit those. Imagine the damage someone could do if they had access to your email account and could contact any of your personal contacts, pretending to be you. What would happen if they could log into any of your social media accounts as you.
I personally know someone who has a plain text file on their desktop with some account logins so they are easy to get to. If I know someone like that, then be sure that isn’t the only person who does it. Not only will a thief have access to those accounts but to more, since many people reuse the same passwords.
Give me access to your email and I can tell who you bank with, what your PayPal email address is, what social media sites and forums you use, What online shops you have accounts with and more. Since some of theses sites will will reuse the same password I can do you a lot of harm.
There are a few lessons there, like using a good password manager, locking as many sites and applications as you can, automatically when you come out of them as well as stopping thieves gaining access to your computer / drive.
So, let’s talk about encrypting your drive
If someone seals your laptop, pops out the drive or inserts a live USB stick into your laptop and boots it, they will be able to gain access to your files, even if you use a YubiKey or similar to login. Because a YubiKey protects your system from someone logging in unauthorised. It doesn’t stop access to the files by browsing the drive from an external source.
This is were drive encryption comes in. When you encrypt your drive, if someone tries to browse it from any other way than the ‘proper’ login method, they will be able to read nothing.
With encryption you need to use a passphrase to unencrypt the drive before you can even get to the system login, that is because encryption is more than just a password protected lock. When files are encrypted, it’s like all the code has been jumbled up. Just like encoded messages if you have even seen or played with them as a child - you have a special method of changing the words to something else, and only if you know what that method was, could you decipher it. e.g.
What does this say?
lzh kaddmeub pd ouuecel
Well, if you used this kids spy encode wheel, and set at it the right position, you could decipher it:
The message actually says:
The password is MrRobot
The obfuscated phrase makes no sense to us, but can be decrypted to something meaningful with the decipher code.
Modern computer encryption is actually much more complex, but this gives you a basic idea what is happening. Even if someone can see the information, it means nothing. Though disc encryption also locks access to the files too.
Two Types of Disk Encryption
There are two main types of disk encryption available to Linux users:
- Whole Disk Encryption
- Directory Encryption
With whole disk encryption the entire drive is made unreadable. The second method only encrypts the directory. The OS can be read, but the data in that directory cannot.
Here is what you can see on an encrypted drive:
The things that are needed for the boot process, Linux kernel and to request a decryption key are available, but that’s it. You can’t even see anything else.
There is very little visible, and what there is, is basically telling you that if you want to see anything, you need to decrypt it.
Nothing of any importance can be seen or accessed, not by you or anyone else without that passphrase that starts the decryption. With modern drive encryption, even security experts cannot break in without the code to open it. This is makes drive encryption so important.
Does Drive Encryption Slow Down The Computer?
Technically - yes it does. Though in real life use - no, not at all. It does take a bit of extra CPU power to unencrypt, but it really doesn’t make any different to real world use. I have an old Laptop that was has a 2nd gen Intel i5 processor, yes that’s only 2nd generation. I had only the home directory encrypted for some time, then at a later stage, whole disk encryption, both with no noticeable lag when using. I also have another laptop that is only 32bit, has a Intel Core 2 CPU @ 1.60GHz and 4Gb of DDR 2 Ram. It has full disk encryption and works just the same as if it had no encryption. Don’t you just love Linux :)
When To Encrypt
By far, the easiest time to encrypt your drive is to do it when you are installing your Linux Operating System distribution.
Up until recently, a number of distributions offered the option of whole disk or only /home at time of installation. This has changed though, as there have been problems with the encryption method that was used to encrypt only the /home directory (using eCryptfs) and not the whole disk (using LUKS). In fact, eCryptfs has been called “Buggy, under-maintained, not fit for main anymore; alternatives exist” - that kind of says it all doesn’t it :)
You still can encrypt only parts of your drive, using other methods, whole disk encryption isn’t your only choice. Whole disk encryption is a good choice though if you can do it at time of installation - there are no real drawbacks apart from having to type in an extra piece of information at boot-up time.
Whole Disk Encryption Is Not Everything
I will say this, and do please take note. Whole disk encryption won’t do you much good if you don’t poweroff your laptop between uses. If you simply hibernate or put it to sleep with commands, buttons or simply closing the lid like so many people do, your laptop is NOT protected by whole disk encryption. The encryption is decrypted at boot time, not sleep time so you need to poweroff your laptop to have the security of whole disk encryption.
For this reason, I personally have whole disk encryption plus an encrypted directory for the most sensitive of information.