Okay so maybe I'm posting too much but these sats are addictive. Someone just zapped me 500 sats for the VPN tutorial so here's another one.
Been getting paranoid about laptop security lately. Too many stories about border crossings, "random" police checks, and governments wanting to peek at your data. Time to encrypt everything.
Why LUKS?
Linux Unified Key Setup is the standard for disk encryption on Linux. Built into the kernel, well tested, and actually works. Unlike some proprietary solutions that have backdoors or break randomly.
Best part - it's transparent once set up. You unlock at boot, then everything works normally. No performance hit worth mentioning on modern hardware.
What This Does
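Full disk encryption means everything on your drive is scrambled and unreadable without the password. Someone steals your laptop? They get an expensive brick. Police confiscate it? Good luck accessing anything. That holds for a powered-off machine; while it's running or suspended, the key is sitting in RAM.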
Only the boot partition stays unencrypted (has to be for obvious reasons). Everything else - your Bitcoin wallet, your browsing history, your embarrassing memes - all protected.
The Setup Process
I'm assuming you're installing fresh. Doing this on an existing system is possible but way more complicated.
Boot your Linux installer (I use Debian but this works on most distros). When you get to partitioning, choose manual.
Partition Layout
Create three partitions:
- /boot (500MB, ext4, unencrypted)
- swap (same size as your RAM, encrypted)
- / (rest of disk, ext4, encrypted)
Some people skip encrypted swap but that's where your RAM gets dumped. Your Bitcoin private keys could end up there.
Setting Up LUKS
In the installer, when configuring your main partition:
- Select "physical volume for encryption"
- Choose a strong passphrase (seriously, make it good)
- Set encryption method to aes-xts-plain64
- Key size 512 bits (XTS splits the key in half, so this is AES-256)
The installer will set up everything else. Takes forever to initialize on big drives but be patient.
Post-Install Tweaks
First boot will ask for your password. Then you're in like normal.
Check your setup:
sudo cryptsetup status /dev/mapper/sda3_crypt
Should show AES encryption active.
Add a second key slot in case you forget the password:
sudo cryptsetup luksAddKey /dev/sda3
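The checks above can be scripted instead of eyeballed. This is an added example, not part of the original post: it audits `cryptsetup luksDump` text for the cipher and key size picked in the installer and for a second enabled key slot. The embedded dump is constructed and assumes the LUKS1 layout (LUKS2 prints a different one); the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit `cryptsetup luksDump`
# text for the cipher, key size and key-slot count discussed above.

# Constructed sample in the LUKS1 dump layout; digest, salt and UUID lines omitted.
sample_dump() {
cat <<'EOF'
LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
MK bits:        512

Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
EOF
}

# Print the value of the "Label: value" line named by $1 (dump on stdin).
dump_field() {
    awk -v k="$1" 'index($0, k ":") == 1 {
        v = substr($0, length(k) + 2); sub(/^[ \t]+/, "", v); print v; exit }'
}

# Read a dump on stdin, print findings, return 0 only if every check passes.
audit_luks_dump() {
    dump=$(cat)
    cipher=$(printf '%s\n' "$dump" | dump_field "Cipher name")
    mode=$(printf '%s\n' "$dump" | dump_field "Cipher mode")
    bits=$(printf '%s\n' "$dump" | dump_field "MK bits")
    slots=$(printf '%s\n' "$dump" |
        awk '/^Key Slot [0-9]+: ENABLED/ { n++ } END { print n + 0 }')
    rc=0
    if [ "$cipher-$mode" != "aes-xts-plain64" ]; then
        echo "FAIL cipher is $cipher-$mode, expected aes-xts-plain64"; rc=1
    fi
    if [ "$bits" != "512" ]; then
        echo "FAIL key size is $bits bits, expected 512"; rc=1
    fi
    # A single enabled slot means one forgotten passphrase loses the disk.
    if [ "$slots" -lt 2 ]; then
        echo "FAIL only $slots key slot enabled, add a second one"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK aes-xts-plain64, $bits-bit key, $slots slots"; fi
    return "$rc"
}

# The sample has one enabled slot, so this reports the missing second slot.
sample_dump | audit_luks_dump || true
```

On a real system, feed it the live header with `sudo cryptsetup luksDump /dev/sda3 | audit_luks_dump`.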
Performance Check
See if encryption is actually costing you:
sudo cryptsetup benchmark
On any decent CPU from the last 5 years, AES should be fast enough that you won't notice.
Backup Your Headers
This is important - LUKS headers contain the encryption metadata. If they get corrupted, your data is gone forever.
sudo cryptsetup luksHeaderBackup /dev/sda3 --header-backup-file luks-header-backup
Store this backup somewhere safe. Different physical location. Maybe on an encrypted USB stick.
Multiple Keys
You can have up to 8 key slots. Useful for:
- Main password
- Recovery password
- USB key file
- Emergency access for family
Add a key file:
# write the key file as root and keep it readable by root only
sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
sudo chmod 0400 /root/keyfile
sudo cryptsetup luksAddKey /dev/sda3 /root/keyfile
USB Key Unlock
Want to unlock with a USB stick? Create a key file on the USB, then modify /etc/crypttab:
sda3_crypt UUID=your-uuid /path/to/usb/keyfile luks
Now it unlocks automatically when the USB is plugged in.
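A key file is only as private as its permissions, whether it lives in /root or on the stick. This is an added example, not part of the original post: it reads a crypttab, reports how each mapping gets its key, and fails when a referenced key file is missing or readable by group or others. The demo crypttab, its paths and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the key files a crypttab
# points at. Mapping names and paths in the demo are constructed.

# Return 0 if $1 is a regular file with no group/other permission bits.
keyfile_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ldL "$1" | cut -c5-10)   # group+other columns of "-rw-r--r--"
    [ "$perms" = "------" ]
}

# Audit crypttab $1. Returns 0 only if every key file is present and private.
audit_crypttab() {
    rc=0
    while read -r name device keyfile options; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$keyfile" in
            none|-|'') echo "OK   $name: passphrase prompt" ;;
            /dev/*random) echo "OK   $name: random key each boot" ;;
            *)  if keyfile_is_private "$keyfile"; then
                    echo "OK   $name: $keyfile is owner-only"
                else
                    echo "FAIL $name: $keyfile missing or readable by others"
                    rc=1
                fi ;;
        esac
    done < "$1"
    return "$rc"
}

# Build a constructed crypttab in directory $1 whose key file has mode $2.
make_demo() {
    dd if=/dev/urandom of="$1/keyfile" bs=1024 count=4 2>/dev/null
    chmod "$2" "$1/keyfile"
    printf '%s\n' "# name device keyfile options" \
        "sda2_crypt UUID=your-uuid none luks,swap" \
        "sda3_crypt UUID=your-uuid $1/keyfile luks" > "$1/crypttab"
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir" 644
audit_crypttab "$demo_dir/crypttab" || true   # flags the world-readable key
make_demo "$demo_dir" 400
audit_crypttab "$demo_dir/crypttab" || true   # passes once the mode is 0400
rm -rf "$demo_dir"
```

Point it at the real file with `sudo sh -c '. ./audit.sh; audit_crypttab /etc/crypttab'`, where audit.sh is whatever name the block was saved under.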
Things That Can Go Wrong
Boot partition gets corrupted? You're screwed without a backup.
Forget your password and don't have other key slots? Data is gone.
Headers get damaged? Hope you backed them up.
Power loss during initial encryption? Start over.
This isn't like forgetting your Facebook password. There's no recovery. Plan accordingly.
The Paranoid Extras
Use a detached header - store the LUKS header on a USB stick. luksFormat creates a new volume and wipes what's on the partition, so this is a setup-time choice:
sudo cryptsetup luksFormat /dev/sda3 --header /media/usb/header
Now even if someone gets your laptop, they need the USB stick too.
Or use hidden volumes - create a decoy system that unlocks to boring stuff, real data hidden deeper. But that's getting into serious tinfoil hat territory.
Mobile Devices
Android has this built in now. iPhone too. But you're trusting Apple/Google not to have backdoors.
GrapheneOS and CalyxOS are better options if you want proper mobile security without corporate surveillance.
Border Crossings
Some countries can legally force you to decrypt devices. Know your rights and risks.
Having a travel laptop with minimal data and your real stuff encrypted at home is one approach. Or use cloud storage that you can't be forced to access.
Current Setup
Running LUKS on my main laptop, server, and backup drives. Never had issues. Boots maybe 10 seconds slower than unencrypted.
Sleep/hibernate works fine. Performance is identical for normal use. Battery life unchanged.
Only downside is you can't easily recover data if you screw up the passwords. But that's kind of the point.
Worth the Hassle?
Takes 20 minutes to set up during install. Zero ongoing maintenance. Huge increase in privacy protection.
Given how governments are getting more invasive and crypto holders are becoming targets, seems like a no-brainer.
Your Bitcoin wallet, your browsing history, your private communications - all protected with military-grade encryption that even three-letter agencies can't crack (probably).
Remember - privacy is a right, not a privilege. Don't make it easy for them.