• SorryQuick@lemmy.ca
    22 hours ago

    Is there any reason to do full disk encryption, vs encrypting a single partition or a folder with eCryptfs? It’s not like your /usr/bin, etc… needs to be encrypted, but encrypting it reduces performance.

    • CrackedLinuxISO@lemmy.dbzer0.com
      18 hours ago

      Suppose you’re in some hypothetical country where torrenting is illegal. The presence of /usr/bin/qbittorrent on your disk could be enough to face charges. Unencrypted /var/log? Maybe they can see you’ve been running a cryptocurrency miner. There could be plenty of data outside of $HOME on your computer which a cop might try to use against you.

      In the most paranoid hypothetical scenario, someone could mount your unencrypted /usr/bin and replace openssl with a compromised version.

      • SorryQuick@lemmy.ca
        9 hours ago

        /var/log and the likes aren’t really issues, I just have mine as a link to the real one in an eCryptfs folder. Though I guess you’d be right about qbittorrent, this is something pretty rare.

        > In the most paranoid hypothetical scenario, someone could mount your unencrypted /usr/bin and replace openssl with a compromised version.

        I suppose if you’re in this situation, you have way more important things to deal with. That would imply someone has physical access to your computer, at that point if they really want to know what you’re doing they might as well set up a camera.

        • CrackedLinuxISO@lemmy.dbzer0.com
          8 hours ago

          What I’m getting at is that for people using FDE, any performance hit is worth it compared to worrying that you’ve covered every angle.

          • SorryQuick@lemmy.ca
            8 hours ago

            By default, most FDE have horrible performance hits and require significant tweaking, configuring and benchmarking to get it right depending on hardware, use cases, conditions… I’m sure there are quite a bunch of people out there who don’t want to do any tweaking while still having the performance they paid for.

            • ganryuu@lemmy.ca
              7 hours ago

              Unless what you are doing is heavily I/O dependent (mostly heavy database workloads), that’s not really true anymore, especially with a modern CPU and say, LUKS encryption. Phoronix has a recent review of FDE using LUKS, and apart from synthetic I/O tests, the difference isn’t really observable.

              Try `cryptsetup benchmark` on your PC and look at the results for aes-xts for example.
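
One way to read the `cryptsetup benchmark` results suggested above, as an added example that is not part of the thread: it takes the aes-xts row and checks whether the cipher or the drive is the slower side. The function names, the sample numbers and the drive throughput figures are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in the table layout `cryptsetup benchmark` prints.
# All numbers are made up; pipe in real output with LC_ALL=C for "." decimals.
sample_benchmark() {
cat <<'EOF'
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha256    1864135 iterations per second for 256-bit key
#     Algorithm |       Key |      Encryption |      Decryption
        aes-cbc        256b      1012.4 MiB/s      3391.8 MiB/s
        aes-xts        256b      3620.5 MiB/s      3587.1 MiB/s
        aes-xts        512b      2984.3 MiB/s      2961.7 MiB/s
    serpent-xts        512b       702.9 MiB/s       688.4 MiB/s
EOF
}

# cipher_floor CIPHER KEYBITS: reads benchmark text on stdin and prints the
# slower of the encryption/decryption rates (MiB/s) for the matching row.
# Exits non-zero when the row is absent.
cipher_floor() {
    awk -v c="$1" -v k="${2}b" '
        $1 == c && $2 == k {
            e = $3 + 0; d = $5 + 0
            print (e < d ? e : d); found = 1; exit
        }
        END { if (!found) exit 1 }'
}

# bottleneck CIPHER KEYBITS DISK_MIBS: prints "cipher" when the cipher floor is
# below the drive's sequential throughput (DISK_MIBS, supplied by you),
# "disk" otherwise, and "unknown" if the row was not found.
bottleneck() {
    floor=$(cipher_floor "$1" "$2") || { echo "unknown"; return 1; }
    awk -v f="$floor" -v d="$3" \
        'BEGIN { print (f + 0 < d + 0 ? "cipher" : "disk") }'
}

# Demo on the constructed sample. LUKS2 defaults to aes-xts-plain64 with a
# 512-bit key, so that is the row checked. Drive figures are assumptions:
# roughly a SATA SSD (550 MiB/s) and a fast NVMe drive (7000 MiB/s).
sample_benchmark | bottleneck aes-xts 512 550
sample_benchmark | bottleneck aes-xts 512 7000
```

On a real machine, replace `sample_benchmark` with `LC_ALL=C cryptsetup benchmark` and pass your own drive's measured throughput. The benchmark runs in memory only, so it gives an upper bound for the cipher, not end-to-end disk performance.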

    • darklamer@lemmy.dbzer0.com
      16 hours ago

      > Is there any reason to do full disk encryption, vs encrypting a single partition or a folder with eCryptfs?

      One obvious reason is that it just is very simple to encrypt the entire disk and be done with it.