I like to keep a key on a USB so the computer boots either with a ridiculously strong backup password or a key on a USB drive. I like tiny little USB drives. So, if you find yourself in an airport or wherever and you just "lose" the USB then the device is automatically locked down.
this post was submitted on 12 Oct 2025
315 points (98.2% liked)
Privacy
42526 readers
744 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
I built a small set of scripts to decrypt when the initrd starts and can load from a file in the initrd (from separate volume), EFI, or various combinations of passphrase in GRUB. The main intent isn't to keep out somebody with physical access to the machine and sufficient time but rather makes it a lot easier to make the data unrecoverable when the drive is disposed of.
It took me several attempts to get this right, but it's a game changer.
Yep, I made sooooo many notes and tried a bunch of different options. In the end I was able to get it working well with Grub,l and Arch.
Last time I had LUKS setup on my main laptop, there was a surprizingly sharp hit in performance.
I'm glad I have the option, but is it really the most appropriate thing for me to use right now? It just doesn't make sense to talk about security and privacy without a clear threat model first.
What kind of CPU is in that laptop? The vast majority of x86 CPUs from the past 10 years include hardware acceleration for AES encryption so that the performance hit is negligible.
It's a Thinkpad P51 with a Xeon chip of some sort. Yeah I don't know what happened there, only that switching to fedora without full disk encryption has resulted in much greater performance, like a difference between being able to do some gaming or not. So many variable changed there that I don't even know if the crypto had anything to do with it.
Sigh. It doesn't impact performance. That had a had a higher chance of being the type of partition you created. Also, in the PRIVACY group are you really confused about why you want privacy?
The type of partition I created was Debian's default settings at the time.
This is where the threat modeling comes in. The laptop in question is not currently likely to be physically searched - nor does it contain any data that is likely to put me at any risk if it is searched, and the more prudent things I can be doing to protect my privacy have more to do with getting away from Android/Play Store, and being less dependent on other surveillance-capitalism services like YouTube, Google Maps, etc.
I will likely use LUKS again in the future, but there are broader overhauls I need to make to my digital life first.
Look you don't need to be searched or expecting a search. If someone steals your laptop you are covered SIGNIFICANTLY more if it's encrypted which gives you privacy because they wouldn't be able to see your data. Doesn't matter if it's a risk to you. It's for the privacy. It's the mindset not just the random act
Currently I have fragments of my data stored on at least half a dozen devices that I've accumulated over the years. My digital life is as messy as my adhd brain. I plan on setting up a NAS at some point, and will likely both consolidate all my data there and use LUKS. But until then encrypting one drive is the least of my problems.
Although anti-theft tech in my laptop might be kind of neat.
arch linux was what forced me to use LUKS on all of my installs regardless of distros, btw.
i used the standard layout:/boot, /, /home, swap. So when the installs break, the best way to fix is to use the archiso and remount and re arch-chroot.
Well.... i found out that without LUKS, anybody can use any distros live cd and mount my stuff.
At first, I used LUKs only on the main partitions: so / and /home, or just / if no separate /home. Swap remains unencrypted. Boot is also unencrypted.
You could encrypt those too but need more work and hackery stuff:
-
encrypted boot: can be slow if you boot the compututer from cold. There's also this thing where you need to enter the password twice => think Fedora has an article to get around this. Iirc, it involves storing the boot's encrypted password as a key deep within the root directory.
-
encrypted swap: the tricky thing is to use this with hibernation. I managed to get it to work once but with Zram stuff, I dont use hibernation anymore. It involved writing the correct arguments in the /boot/grub/grub.cfg. Basically tells the bootloader to hibernate and resume from hibernation with the correct UUID.
Encfs + pam mount home.
/tmp and var/run in tmpfs
No swap.
And don't forget folks: if this drive contains your whole digital identity, make sure your next ones do have the keys. If something happens to you, it is impossible to retrieve logins, photos, whatever your kin/whomever might need from that drive.
Same goes for e.g. homeservers, VPSs or anything your family relies on: tell them where they find the relevant logins and who could possibly help them, if they're not capable. Grieving is hard enough, if they figure they also lost all memories of the beloved one, that's terrible.
This makes a world of difference
Yep. Can't recover /home if you fuck around.
Keep it simple and stupid it is for me. I prefer to encrypt only my sensible files. And the browser runs in volatile memory.
and prevents alphabet agencies from just brute forcing into your Laptop or whatever
Inserting relevant XKCD as is required by internet law: https://xkcd.com/538/
What would actually happen is a bios level rootkit that installs a nearly invisible tiny rootkit on your device everytime it starts, but this is only if you are an important target. Most police departments can also just pay a private hacking company to steal your keys by using undisclosed exploits. Encryption can work well for other things but anything you wouldn't want state or corporations seeing, you are better off just not ever putting it on your machine.
You can be private somewhat through obscurity. Using free software that doesn't log you, not using any machine that's in anyway tied to you to do stuff, setting up your own point to point connection to use someone else machine as your access point. Never having a microphone or camera anywhere near your hacking machine. I'm not really that type of hacker, more of a programmer/hardware person, but it can be done somewhat safely if you take every effort to protect your identity.
This is what I would do if I want ed to do something on the internet that might actually really piss off the FBI and NSA. Something like releasing the Epstein files to dozens of independent journalists around the world or something.
I'd get cash, and leave my phone at home, go to a thrift store and buy an old laptop. Wait a couple of months, and never power it on. I download dozens of Linux distros a year before this, something as small as possible, and lightweight as possible. Nothing network, maybe even tails.
Then I'd have it sitting on a thumb drive for many months before I dropped the files. One day before a lot of rain was coming in, I'd walk, not drive or anything, without my cell phone, using the tree cover to avoid spy satellite rewind surveillance, to a location where there is open wifi or an Ethernet jack.
Then I'd use several layers of proxying and VPNs, although this would be slow as shit. All on fresh accounts. Using nested VMs, each carrying an additional layer of VPNs. I'd use this as my set up my own network, by exploiting some random machines in the wild to get my last couple layers of VPNs.
Being careful to only type one word per second and not misspelling anything or in anyway aiding in any type of correlation attack, I'd first upload it in an encrypted format to a web host to speed up the next part, then I'd copy it to many places. I would then send it to as many people as possible, probably using a script to hit many emails addresses at once. As soon as the files hit the drive, I would assume I had about 5 minutes before the black helicopters showed up. At 5 mines I'd take a super strong magnet and start destroying the laptop, then I'd run away, find another safe spot, and then incinerate it.
Then I'd never tell anyone, go home, take a nap, wake up, talk to chatGPT about my amazing nap that I overslept on, and carve out some hidden spaces at abandoned houses and stuff to stash the actual drives with the info.
If you do anything less then this, you will probably get caught. Legal evidence is one thing, but you should never underestimate the numerous surveillance technologies they employ for unconstitutional surveillance. You n leed to be mindful of fingerprinting, (using only a throw away device and destroying it afterwards in a way that it's not obvious that it was you) nothing that has ever touched your network or any files that that came from your PC or anything. It needs to exist in a totally separate universe. No connection whatsoever) you need to be mindful of cameras, license plate scanners, cellular modem surveillance, spy satellites which can see back in time to follow someone's footsteps back through time. Correlation attacks, common word usage that can denote your region, common misspellings that you do, the particular way you type, root kits, assume every device is compromised and if you buy a device with a camera, don't even open it until it's been sitting for months and then remove the cameras and microphones, and never power it up anywhere near your house.
Another thing to be mindful of is fingerprinting your downloads, don't download something on your PC and use it on your device.
Be wary of your footprints, this is why I said you would want to do this before a storm but perhaps maybe you would even tie wood to your shoes.
If you did this you could leak something like the Epstein files and probably get away with it, but if you are one of the few people who live in a neighborhood who is a hacker, I would expect that you'd have dozens of FBI agents watching every move you do and combing through your past to find any infraction that they could try to blackmail you with.
Never ever, trust an electronic device is better advice.
idk man, but I'd still much rather have encryption, even if I'm up against the alphabet boys:
- They'll be up a creek if I escape, die, or vanish into the woods first
- If I hid a disk somewhere, I'd rather know they found it when they come to torture me, than have it inspected without hearing a word
- If all else fails, they'll at least have to expend a modicum of effort and resources to fight me
You know you're fucked if they use a wrench. That means you don't have to be seen publicly ever again. There's a chance for you if they're using a rubber hose...
load more comments
(15 replies)
I found it better to just encrypt one folder with all my sensitive info (I use gocryptfs). i saw no reason to have my zshrc and init.lua encrypted 🙂 and I just encrypt data I don't want in the hands of others...
Do both
I did think about this... but decided against it in the end. maybe on my next computer
Browsing history, Downloads folder, cache, etc. That's good to have encrypted.
ur def right about this. there are a few other things (e. g. cached mail etc) that would be good to encrypt, which I don't do right now.
if my computer gets stolen I figure no one will bother with my data unless they stand to immediately gain financially. e.g. ransom. my data (I have backups) or access my bank info (I keep this encrypted) and steal my identity. so I protect against this as best as I can without sacrificing usability too much
Also I am pretty sure I have at least some secrets in my shell history
Just encrypt your home then.
Don’t forget /tmp, and maybe logs too. Theres docker storage and kvm image locations if you use that. Maybe others. FDE also makes an evil maid attack much less trivial too.
I don't know, I don't see a lot of damage or unpleasantness stemming from someone getting into my /tmp, but I don't want any llm being fed contents of my /home. I am less afraid of an attack, as I am irked by corpos putting fingers into my shit
corpos aren’t who you’re protecting against with encrypted drives… they’re not going to gain access to anything via bypassing your OS: they get everything via software you’ve installed or things like tracking
the main thing you’re protecting against with encryption is theft (or if you think you’re being physically targeted, it also stops them from modifying your system… eg replacing your kernel or a binary that gives them access somehow)
Indeed. Best to think of disk encryption as protection from physical access -i.e., theft, but also accidentally recycled drives later on. It provides zero protection from somebody attacking your running system, that's the job of the operating system and client software like web browsers. While the system is running, the drive is decrypted and unprotected.
I just prefer fde because it's simpler. There's no guessing about what needs to be encrypted and what doesn't. There isn't any human-noticiable performance impact on modern computers, so there's not really a downside besides having 2 password prompts whenever I actually do a full reboot.
load more comments
(12 replies)
Dang, if those agencies ever see my Civilization 4 save games, I'll be so royally embarrassed that I spent so much time on it that they could blackmail me to anything.
load more comments
(2 replies)
view more: next ›