
Okay so maybe I'm posting too much but these sats are addictive. Someone just zapped me 500 sats for the VPN tutorial so here's another one.
Been getting paranoid about laptop security lately. Too many stories about border crossings, "random" police checks, and governments wanting to peek at your data. Time to encrypt everything.

Why LUKS?

Linux Unified Key Setup is the standard for disk encryption on Linux. The actual encryption is done by the kernel's dm-crypt; LUKS is the well-tested on-disk header and key-management format on top of it, and it actually works. Unlike some proprietary solutions that have backdoors or break randomly.
Best part - it's transparent once set up. You unlock at boot, then everything works normally. No performance hit worth mentioning on modern hardware.

What This Does

Full disk encryption means everything on your drive is scrambled without the password. Someone steals your laptop? They get an expensive brick. Police confiscate it? Good luck accessing anything.
Only the boot partition stays unencrypted (the bootloader has to read the kernel and initramfs before anything can ask you for a passphrase). That also means /boot is the one place someone with physical access could still tamper with; encryption protects your data, not the boot chain. Everything else - your Bitcoin wallet, your browsing history, your embarrassing memes - all protected.

The Setup Process

I'm assuming you're installing fresh. Doing this on an existing system is possible but way more complicated.
Boot your Linux installer (I use Debian but this works on most distros). When you get to partitioning, choose manual.

Partition Layout

Create three partitions:
  • /boot (500MB, ext4, unencrypted)
  • swap (same size as your RAM, encrypted)
  • / (rest of disk, ext4, encrypted)
Some people skip encrypted swap but that's where your RAM gets dumped. Your Bitcoin private keys could end up there.

Setting Up LUKS

In the installer, when configuring your main partition:
  1. Select "physical volume for encryption"
  2. Choose a strong passphrase (seriously, make it good)
  3. Set encryption method to aes-xts-plain64
  4. Key size 512 bits
The installer will set up everything else. Takes forever to initialize on big drives but be patient.

Post-Install Tweaks

First boot will ask for your password. Then you're in like normal.
Check your setup:
sudo cryptsetup status /dev/mapper/sda3_crypt
Should show type LUKS1 or LUKS2, cipher aes-xts-plain64 and keysize 512 bits.
Add a second key slot in case you forget the password (it asks for an existing passphrase first, then for the new one):
sudo cryptsetup luksAddKey /dev/sda3

Performance Check

See if encryption is actually costing you:
sudo cryptsetup benchmark
On any decent CPU from the last 5 years, AES should be fast enough that you won't notice.

Backup Your Headers

This is important - LUKS headers contain the encryption metadata. If they get corrupted, your data is gone forever.
sudo cryptsetup luksHeaderBackup /dev/sda3 --header-backup-file luks-header-backup
Store this backup somewhere safe. Different physical location. Maybe on an encrypted USB stick.

Multiple Keys

You can have up to 8 key slots (that's LUKS1; LUKS2 allows more). Useful for:
  • Main password
  • Recovery password
  • USB key file
  • Emergency access for family
Add a key file:
sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
sudo chmod 0400 /root/keyfile
sudo cryptsetup luksAddKey /dev/sda3 /root/keyfile
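A small audit helper for the "check your setup" step above and for the key-slot advice in this section. This is added example code, not from the post: it parses the text that cryptsetup luksDump prints and checks the tutorial's settings plus the presence of a second key slot, using constructed sample dumps in the LUKS1 and LUKS2 layouts instead of a real device.

```shell
#!/bin/sh
# Added helper, not from the post. Usage on a real device:
#   audit_luks "$(sudo cryptsetup luksDump /dev/sda3)"
# Checks the tutorial's settings (aes-xts-plain64, 512-bit key) and that a
# second key slot exists for recovery. Reads both LUKS1 and LUKS2 dump layouts.

luks_version() { printf '%s\n' "$1" | awk '/^Version:/ {print $2}'; }

luks_cipher() {
  if [ "$(luks_version "$1")" = 1 ]; then       # LUKS1 prints name and mode apart
    printf '%s\n' "$1" | awk '/^Cipher name:/ {n=$3} /^Cipher mode:/ {m=$3} END {print n "-" m}'
  else                                          # LUKS2: lower-case line under "Data segments"
    printf '%s\n' "$1" | awk '/^[ \t]+cipher:/ {print $2; exit}'
  fi
}

luks_key_bits() {                               # "MK bits:" (LUKS1) or "Key: N bits" (LUKS2)
  printf '%s\n' "$1" | awk '/^MK bits:/ {print $3; exit} /^[ \t]+Key:/ {print $2; exit}'
}
luks_slot_count() {                             # enabled key slots in either layout
  printf '%s\n' "$1" | awk '/^Key Slot [0-9]+: ENABLED/ || /^[ \t]+[0-9]+: luks2/ {n++} END {print n+0}'
}
audit_luks() {                                  # prints a summary, returns 0 only if all checks pass
  c=$(luks_cipher "$1"); b=$(luks_key_bits "$1"); s=$(luks_slot_count "$1"); rc=0
  printf 'LUKS%s cipher=%s key=%s bits slots=%s\n' "$(luks_version "$1")" "$c" "$b" "$s"
  [ "$c" = aes-xts-plain64 ] || { echo 'WARN: cipher is not aes-xts-plain64'; rc=1; }
  [ "${b:-0}" -ge 512 ] 2>/dev/null || { echo 'WARN: key shorter than 512 bits'; rc=1; }
  [ "${s:-0}" -ge 2 ] || { echo 'WARN: only one key slot, add a recovery passphrase or key file'; rc=1; }
  return $rc
}

# Constructed sample dumps (no real device) in the layouts cryptsetup prints.
LUKS2_SAMPLE='LUKS header information
Version:        2
Data segments:
  0: crypt
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits'
LUKS1_SAMPLE='LUKS header information for /dev/sda3
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
MK bits:        256
Key Slot 0: ENABLED
Key Slot 1: DISABLED'
```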

USB Key Unlock

Want to unlock with a USB stick? Create a key file on the USB, then modify /etc/crypttab (the third field is the key file, and it has to be readable from the initramfs, before your normal filesystems are mounted):
sda3_crypt UUID=your-uuid /path/to/usb/keyfile luks
Then run sudo update-initramfs -u so the changed crypttab gets into the initramfs. Now it unlocks automatically when the USB is plugged in.

Things That Can Go Wrong

Boot partition gets corrupted? You're screwed without a backup.
Forget your password and don't have other key slots? Data is gone.
Headers get damaged? Hope you backed them up.
Power loss during initial encryption? Start over.
This isn't like forgetting your Facebook password. There's no recovery. Plan accordingly.

The Paranoid Extras

Use a detached header - store the LUKS header on a USB stick:
sudo cryptsetup luksFormat /dev/sda3 --header /media/usb/header
Now even if someone gets your laptop, they need the USB stick too. Every later luksOpen needs the same --header option, and in /etc/crypttab you point at it with the header= option, or the system won't boot. Back that header up as well; without it the disk is just random bytes.
Or use hidden volumes - create a decoy system that unlocks to boring stuff, real data hidden deeper (that's a VeraCrypt feature, not something LUKS offers). But that's getting into serious tinfoil hat territory.

Mobile Devices

Android has this built in now. iPhone too. But you're trusting Apple/Google not to have backdoors.
GrapheneOS and CalyxOS are better options if you want proper mobile security without corporate surveillance.

Border Crossings

Some countries can legally force you to decrypt devices. Know your rights and risks.
Having a travel laptop with minimal data and your real stuff encrypted at home is one approach. Or use cloud storage that you can't be forced to access.

Current Setup

Running LUKS on my main laptop, server, and backup drives. Never had issues. Boots maybe 10 seconds slower than unencrypted.
Sleep/hibernate works fine. Performance is identical for normal use. Battery life unchanged.
Only downside is you can't easily recover data if you screw up the passwords. But that's kind of the point.

Worth the Hassle?

Takes 20 minutes to set up during install. Zero ongoing maintenance. Huge increase in privacy protection.
Given how governments are getting more invasive and crypto holders are becoming targets, seems like a no-brainer.
Your Bitcoin wallet, your browsing history, your private communications - all protected with military-grade encryption that even three-letter agencies can't crack (probably).

Remember - privacy is a right, not a privilege. Don't make it easy for them.
50 sats \ 0 replies \ @rblb 3h
Even if you are not worried about privacy for the reasons mentioned in the post, the good thing about full disk encryption is that you can throw disks away without wiping them, because often they become unusable, but the data is still there for someone dedicated enough.
50 sats \ 0 replies \ @klk 10h
This also works for servers with dropbear (lightweight SSH server) in an initramfs so that you can unlock the system remotely on reboots.
This is great content. Keep sharing!
10 sats \ 0 replies \ @siggy47 18h
Very good write up. Thanks
10 sats \ 0 replies \ @OT 18h
Thanks! This looks like something I could use.
Bookmarked.
0 sats \ 0 replies \ @kepford 3h
Yeah it blows my mind when someone doesn't use full disk encryption. LUKS is great. Been using it for years. Thanks for writing this.
Which systems does it work on? You did not specify, for example, whether it works for openSUSE and Kali Linux and doesn't work for AlmaLinux, or whether it works with all Linux releases?
LUKS is platform independent