I messed up

I am new here and don't want to be too bold out of the box, but I would like to suggest another option to encrypt sensitive data into select encrypted folders. You can right click the folder and select compress, then compress it as a .7z folder. With .7z there is an advanced option to also password encrypt that compressed folder.
That's very useful, thanks.
 


OP has a laptop, laptops can get stolen, it's normal to want to encrypt your data on a laptop.
Have to disagree with you. If you have the entire laptop, you can get the encryption information and keys from the TPU with the right homemade device. I have seen it. The amount of protection it gives you is far outweighed by the cost. In this case the loss of data due to encryption. If you have information you are paranoid about, then put it on a USB drive and keep it in your pocket. You can encrypt that if you are very paranoid.

Otherwise, in my professional opinion, encryption is going to cause more harm than good in the majority of cases. I can't think of a reason that any individual needs to encrypt data at this time in history. It is more likely that you will lose passwords or keys and then be unable to get in. Case in point here. If you feel you need to encrypt then go for it, but I think the evidence right here speaks for itself.
 
if you have the entire laptop, you can get the encryption information and keys from the TPU with the right home made device.
I think you mean TPM? On Linux keys don't automatically get added to the TPM you have to manually set it up. You would need to use systemd-cryptenroll or clevis to add the keys to the TPM.

If you have information you are paranoid about, then put it on a usb drive and keep it in your pocket.
By that logic we should keep our life savings under our bedroom mattress and not in a bank.

It is more likely that you will lose passwords or keys and then be unable to get in.
That's what password managers with 2FA are for.

I can't think of a reason that any individual needs to encrypt data at this time in history.
I would answer this but then it would lean towards politics so I am not going to do that.
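
An added example, not part of any post in this thread: a check for whether a LUKS2 volume actually has a TPM-bound keyslot (as `systemd-cryptenroll` or clevis would create) and whether a passphrase or recovery slot remains as a fallback. It assumes the input is the JSON printed by `cryptsetup luksDump --dump-json-metadata <device>`; the function name and the trimmed sample metadata are constructed for illustration.

```python
import json

# Token types whose keyslot unlocks without a typed secret; the machine
# (TPM) or a bound device/service has to be present and intact.
BOUND_TYPES = {"systemd-tpm2", "systemd-fido2", "systemd-pkcs11", "clevis"}

def audit_luks2(metadata_json):
    """Classify keyslots in LUKS2 JSON metadata by how they unlock."""
    meta = json.loads(metadata_json)
    slot_token = {}                      # keyslot id -> token type
    for token in meta.get("tokens", {}).values():
        for slot in token.get("keyslots", []):
            slot_token[str(slot)] = token.get("type", "unknown")
    slots = sorted(meta.get("keyslots", {}), key=int)
    tpm = [s for s in slots if slot_token.get(s) == "systemd-tpm2"]
    bound = [s for s in slots if slot_token.get(s) in BOUND_TYPES]
    # Fallback = plain passphrase slot (no token) or a systemd recovery key.
    fallback = [s for s in slots
                if s not in slot_token or slot_token[s] == "systemd-recovery"]
    return {"tpm_slots": tpm, "bound_slots": bound, "fallback_slots": fallback,
            "lockout_risk": bool(bound) and not fallback}

def _sample(slots, tokens):
    # Constructed, trimmed metadata: real dumps carry many more fields.
    return json.dumps({"keyslots": {s: {"type": "luks2"} for s in slots},
                       "tokens": tokens})

TPM_TOKEN = {"0": {"type": "systemd-tpm2", "keyslots": ["1"]}}
SAMPLE_DEFAULT = _sample(["0"], {})                 # passphrase only
SAMPLE_ENROLLED = _sample(["0", "1"], TPM_TOKEN)    # passphrase + TPM
SAMPLE_TPM_ONLY = _sample(["1"], TPM_TOKEN)         # passphrase slot wiped

if __name__ == "__main__":
    for name in ("SAMPLE_DEFAULT", "SAMPLE_ENROLLED", "SAMPLE_TPM_ONLY"):
        print(name, audit_luks2(globals()[name]))
```

A `lockout_risk` of true means every remaining keyslot depends on hardware or a bound service, which is the situation where a dead board or reset TPM leaves the data unrecoverable.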
 
I think you mean TPM? On Linux keys don't automatically get added to the TPM you have to manually set it up. You would need to use systemd-cryptenroll or clevis to add the keys to the TPM.


By that logic we should keep our life savings under our bedroom mattress and not in a bank.


That's what password managers with 2FA are for.


I would answer this but then it would lean towards politics so I am not going to do that.
Too late. You already went way off topic. I work in the field every day and every week I see people that lose everything due to encryption that either the mfg enabled or they turned on because they thought it would protect them. You will not win this argument so I advise you to not engage in it.

Yes, by the way, I meant TPM. I was just working with a 3D printer and TPU material was on my mind. But you knew what I meant.
 
Even with the key from TPM, you'd need the password to decrypt things.
 
too late. you already went way off topic.
The topic was encryption on OP's laptop so still somewhat on topic, I didn't want to make the topic go political so that's why I did not answer the last point.

I work in the field every day and every week I see people that lose everything due to encryption that either the mfg enabled or they turned on because they thought it would protect them. You will not win this argument so I advise you to not engage in it.
I work in a hospital with systems that store patient data you are not going to convince me that encryption is bad even for individuals. If there are too many cases of people losing data with encryption in your work experience then maybe people don't understand the concept of encryption well enough and it should be taught better so that people without IT background have less trouble dealing with it because of understanding it better. Or they should develop a form of encryption that makes it easier for people without IT background to manage their encryption setup.

The latter would actually be the better knowing how much people already hate remembering another new complicated password for another website and most people most likely use the same password or some same form of the same password for other things. Which then gets us to the point that passwords in their current state are bad even with ways to remember complicated passwords or passphrases.
 
The topic was encryption on OP's laptop so still somewhat on topic, I didn't want to make the topic go political so that's why I did not answer the last point.


I work in a hospital with systems that store patient data you are not going to convince me that encryption is bad even for individuals. If there are too many cases of people losing data with encryption in your work experience then maybe people don't understand the concept of encryption well enough and it should be taught better so that people without IT background have less trouble dealing with it because of understanding it better. Or they should develop a form of encryption that makes it easier for people without IT background to manage their encryption setup.

The latter would actually be the better knowing how much people already hate remembering another new complicated password for another website and most people most likely use the same password or some same form of the same password for other things. Which then gets us to the point that passwords in their current state are bad even with ways to remember complicated passwords or passphrases.
Still going to say you are wrong for the individual use case, and I will not respond further because I have better things to do than argue a point that neither of us will agree on.
 
When you install a Distro everything that was on the Drive is wiped...so it doesn't matter if there's encryption or not...everything is gone.

I don't encrypt anything...I use 7 Zip to password protect a folder...much safer unless I forget the password.
 
I work in a hospital with systems that store patient data you are not going to convince me that encryption is bad even for individuals.
Banking IT here - all of our laptops and desktops require encryption per company policy. 135,000 devices in the domain. Encryption is a good thing.
 
I work in the field every day and every week I see people that lose everything due to encryption that either the mfg enabled or they turned on because they thought it would protect them.
Just because people lose passwords is not an argument against encryption.
There are plenty of people who do not lose passwords and I'm pretty sure the majority of them do not lose them.

You just happen to deal with people who do, but those who don't lose passwords don't come to you and tell you, hey I didn't lose my password, so your argument is biased based on a group of people who came for help.
 
So many points around here.
Just one main idea: encryption is useful when someone tries to get in from outside. Once you are logged in and get a malware into your system, encryption is pointless. That's why I am not quite clear how is Bitwarden extension while open with a master password more secure than the browser's own password manager, even with a master password set up. One of the protection levels is that if you have the website saved in your password manager, it is unlikely you would fall for a phishing scam. A copycat website wouldn't trigger your system to enter the credentials in.
 
Once you are logged in and get a malware into your system, encryption is pointless.
True, but encryption doesn't deal with malware.
We need multiple protection layers to deal with everything, encryption is just one layer.

That's why I am not quite clear how is Bitwarden extension while open with a master password more secure than the browser's own password manager
Depends on your password manager, I use PasswordSafe and it's better than browser pwd manager because it stores passwords encrypted in memory not in file.

Also autotype function ensures password doesn't get copied to clipboard which prevents malware from stealing it from clipboard.
There are other pwd manager functions that make it better than browser based one.
 
That's why I am not quite clear how is Bitwarden extension while open with a master password more secure than the browser's own password manager, even with a master password set up.

Your concern is basically the Evil Maid attack, one of many formalized attack types that need to be defended.

If this type of attack is a concern, the fix is simple enough. Log out when the device is not in close proximity.

I owned my own business and we would be merciless if you left your device logged in while unattended. My favorite thing to do was to take a screenshot of the desktop, disable the task bar, and then set said screenshot as the desktop background. New people learned very quickly that we were serious about our protocol and quickly complied. If you still didn't learn, you left the company.
 
I work in a hospital with systems that store patient data you are not going to convince me that encryption is bad even for individuals.

Banking IT here
You guys are funny :)
Per company policy (at least in medical field) most boxes are Windows and per MS policy, Windows boxes have full disk encryption. Even though MS encryption does not make much sense at least from interoperability point of view.
I worked at academic system and now I am working for international company: all boxes are Windows with default settings (including Windows encryption). The simple reason is that there are too many boxes to be deployed to customize them and too many countries. And at least in medical field most instruments have Windows based software. Even though MS encryption is causing issues (e.g. direct data transfer from/to Apple hardware).
So "per company policy" means quite often just MS whim (forcing default MS encryption to get rid of the competition).
Personally I have not seen MS encrypted box running Linux if you suggest MS encryption too :)
Also, company and individual needs not always align with company policy.

In fact, what works for company, may not work for single user.
 
You guys are funny :)
Per company policy (at least in medical field) most boxes are Windows and per MS policy, Windows boxes have full disk encryption. Even though MS encryption does not make much sense at least from interoperability point of view.
Yeah true, but I manage the Linux systems not the Windows systems :)
 
Just because people lose passwords is not an argument against encryption.
There are plenty of people who do not lose passwords and I'm pretty sure the majority of them do not lose them.

You just happen to deal with people who do, but those who don't lose passwords don't come to you and tell you, hey I didn't lose my password, so your argument is biased based on a group of people who came for help.
I would say it is an argument against it on individual systems. For corporate and places that keep information from many people or places, it is a good thing. Those are handled by professionals. But on ordinary everyday people's systems it has caused more heartache than good. As pointed out, the encryption on a drive is pointless once you are signed in, and if somebody accesses the system while you are signed in, then it does no good at all. The average person is under the mistaken belief that encrypted drives keep everybody out. Then they find out the hard way that they are the one kept out when the system needs repair or if you need to recover data on the system when it is damaged. I doubt you really need to encrypt your photos and letters to mom etc.
On a system governed by HIPAA or banking regs it is something good.
On a personal system it is not.

If somebody is looking to steal personal information they target one place such as a bank or hospital. They do not target hundreds of individuals because it is not efficient to do that. Think this way. A smart thief does not rob hundreds of people for $100 each. He goes after the bank and takes $40,000 at a time.

In my company, we do not use encryption. At least not whole disk. We use proprietary encryption on just the private data. This means that in a disaster, we can access the drives and recover data but can't read the sensitive files unless we have the software for the encryption of those. Every week I get people coming in unable to recover data due to encryption they put on. So far only one had the keys saved and retrievable. All the others lost everything and learned the lesson the hard way. You can argue all you want about good bad and don't lose keys or passwords. But the average person will lose them. Then they think that the professionals can hack in like on TV.

Oh and in answer to people that don't lose the password not telling me they are still ok, Compare that to 300,000,000 people not telling you they are fine so that means the 4,000,000 that died should be ignored. The fact it is so frequent should be enough of a sign that you should pay attention to the issue.
 
@APTI
You have a point.

Not to sound silly but I consider myself professional to some degree, I use desktop PC with disk encryption enabled and I don't lose password, never did so far and I've been using disk encryption since Windows (BitLocker)

But I agree that casual users who lack enthusiasm and are not cautious should probably avoid disk encryption because they don't understand how important it is to keep your credentials in safe place.
 
@APTI
You have a point.

Not to sound silly but I consider myself professional to some degree, I use desktop PC with disk encryption enabled and I don't lose password, never did so far and I've been using disk encryption since Windows (BitLocker)

But I agree that casual users who lack enthusiasm and are not cautious should probably avoid disk encryption because they don't understand how important it is to keep your credentials in safe place.
To quote a show here....

Temba, his eyes open.
 
Your concern is basically the Evil Maid attack, one of many formalized attack types that need to be defended.

If this type of attack is a concern, the fix is simple enough. Log out when the device is not in close proximity.

I owned my own business and we would be merciless if you left your device logged in while unattended. My favorite thing to do was to take a screenshot of the desktop, disable the task bar, and then set said screenshot as the desktop background. New people learned very quickly that we were serious about our protocol and quickly complied. If you still didn't learn, you left the company.
Haha, at my current work in our small team I seem to be the only one locking the screen when moving away from the computer.
I meant some kind of an infostealer that pulls out cookie sessions and maybe passwords from the browsers, like how is it different with Bitwarden when you are logged in to log into a website? I haven't used it much yet.
 
Evil maid attack is not easy to defend. Even if system is powered down. It is possible to modify the encryption system's loader codes to steal passwords from the victim.
 


