# Best encryption method for Linux?

## LegionOfHell

I am looking for an encryption mechanism that isn't flawed...

(1) DM-crypt is unreliable because if you are using an SSD and you enable trim, it exposes information about the file system? Here is what the manpage says:

*Quote:*

> WARNING: This command can have a negative security impact because it can make filesystem-level operations visible on the physical device. For example, information leaking filesystem ...

(2) Encfs is an abandoned project and has a flaw?

(3) Cryfs is slow?

I am taking a look at ecryptfs... Is this a reliable method?

Last edited by LegionOfHell on Sat Oct 31, 2020 8:33 pm; edited 1 time in total

----------

## szatox

I use LUKS (which is actually dm-crypt) without fstrim.

Undersizing the SSD (with hdparm) should enable its firmware to trim released blocks in the background without creating "holes" in the encrypted device, and without any explicit command from the system. I haven't stress-tested this solution though.

This comes with a warning though: modifying the hidden pool inside an SSD wipes all data on that SSD, so don't do that to any device which already holds any data.

----------

## Hu

Trim exposes which blocks are currently free. Whether this is a problem depends on your use case for LUKS. If you just want to make accessing the data hard enough that your average burglar will give up and move on, this is probably not a problem. Arguably, your average burglar will give up when he sees that the drive isn't Windows. :Wink:
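The manpage warning in the first post and Hu's summary both refer to the same setting: a dm-crypt mapping only passes TRIM through when it was opened with `cryptsetup open --allow-discards` (or the `discard` option in `/etc/crypttab`), and that shows up as `allow_discards` at the end of the mapping's line in `dmsetup table`. The script below is an added example, not something from this thread or from cryptsetup's own tooling; it parses a constructed sample of `dmsetup table` output (made-up UUIDs and device numbers) so it runs offline, and reports which crypt mappings have discards enabled. On a live system you would feed it the real command output as root.

```shell
#!/bin/sh
# Added example, not from the thread: list dm-crypt mappings that were opened
# with discards (TRIM) passed through, i.e. the setting the cryptsetup manpage
# warning is about. On a live system the input is `dmsetup table` (root only);
# here a constructed sample stands in so the script runs offline.

# Constructed `dmsetup table` output: two crypt targets (one with
# allow_discards) and one linear target. UUIDs and device numbers are made up.
SAMPLE_TABLE='cryptroot: 0 937703088 crypt aes-xts-plain64 :64:logon:cryptsetup:3f1e9c4a-0000-4000-8000-000000000001-d0 0 259:2 32768 1 allow_discards
crypthome: 0 419430400 crypt aes-xts-plain64 :64:logon:cryptsetup:3f1e9c4a-0000-4000-8000-000000000002-d0 0 8:3 32768
vg0-swap: 0 16777216 linear 8:4 2048'

# discard_state <table-text>: for each crypt target prints
# "<name> discards-enabled" or "<name> discards-disabled", one per line.
discard_state() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        name=${line%%:*}        # "cryptroot: 0 ..." -> "cryptroot"
        set -- $line            # $4 is the target type (crypt, linear, ...)
        [ "$4" = "crypt" ] || continue
        case " $line " in
            *" allow_discards "*) printf '%s discards-enabled\n' "$name" ;;
            *)                    printf '%s discards-disabled\n' "$name" ;;
        esac
    done
}

# crypt_mappings_with_discards <table-text>: space-separated names of the
# mappings whose free-block pattern becomes visible on the physical device.
crypt_mappings_with_discards() {
    discard_state "$1" | awk '$2 == "discards-enabled" { print $1 }' | paste -sd ' ' -
}

# Live use (as root): discard_state "$(dmsetup table)"
discard_state "$SAMPLE_TABLE"
```

Only the crypt targets are inspected; LVM volumes stacked on top of a mapping inherit whatever the mapping underneath does, so the check belongs at the crypt layer.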

----------

## figueroa

I don't want to discourage secure and safe computing, but does your use case even call for encrypting your drive? Encryption adds an additional point (or layer) of possible failure. It's possible that some users encrypt their entire systems when all that was needed was encrypting a file or two (or none).

----------

## NeddySeagoon

figueroa,

Yep, it comes down to defining the threat model then deploying suitable defences.

Always remembering xkcd.

----------

## Zucca

*figueroa wrote:*

> Encryption adds an additional point (or layer) of possible failure. It's possible that some users encrypt their entire systems when all that was needed was encrypting a file or two (or none).

^ This.

If I were to use encryption on my files then I'd encrypt /home. Which has been on my to-do list for a while. If I eventually manage to get a grip and do it, I'll use ecryptfs or maybe encryption provided by btrfs if it has been developed by then...

----------

## 389292

I disagree with the people above, I think encrypting a file or two is never enough for most people. Personal finances, projects, photos (Hunter Biden cries silently in the corner), password database, majority of your documents, diary, browser profile, just to name a few of the things most would not want to be accessed by someone else. In some countries even a text document about Molotov cocktail creation can put you in trouble. In Russia hentai = child pornography. They don't apply this law often, but if they do, good luck clearing your name, or even keeping your life in prison if you go to one. Encrypting on a file-by-file basis becomes tedious. I think full disk encryption on any CPU with AES hardware accel. should be like a baseline, except for Australia, where not giving away your encryption key = automatic jail sentence for you... 9th place in the democracy index by the way :Very Happy:

----------

## szatox

Full disk encryption is definitely the way to go. It gives better protection (you won't shoot yourself in the foot with unencrypted /tmp for example: "opening" files from the internet with an external application), it's easier to set up, and it's easier to use than anything more specific. There simply is no downside* to it.

*Quote:*

> except for Australia, where not giving away your encryption key = automatic jail sentence for you... 9th place in the democracy index by the way

A democracy is a tyrannical system in which the vocal minority oppresses everyone else, so I'm not surprised :Laughing: **

* except for Australia, where you need a container you can quickly drop and trim.

** because the silent majority is too busy going about their lives to outvote the few dedicated parasites.

----------

## dmpogo

*szatox wrote:*

> Full disk encryption is definitely the way to go. It gives better protection (you won't shoot yourself in the foot with unencrypted /tmp for example: "opening" files from the internet with an external application), it's easier to set up, and it's easier to use than anything more specific. There simply is no downside* to it.

Just keep your password handy when you cross into the US and they want to inspect your laptop :Smile:

----------

## The Main Man

*Zucca wrote:*

> If I were to use encryption on my files then I'd encrypt /home. Which has been on my to-do list for a while. If I eventually manage to get a grip and do it, I'll use ecryptfs or maybe encryption provided by btrfs if it has been developed by then...

Same here, I never had a /home partition though, I just used / for everything.

I don't plan to reinstall Gentoo but I'm thinking about making a 100GB partition, using LUKS to encrypt it, mounting that as /home and moving everything from the current /home to that partition.

I guess that would work.

----------

## The Main Man

Well, I did it, /home is on a separate partition and I used dm-crypt on it.

Works surprisingly well, everything is nice and smooth.

----------

## szatox

kajzer, and now you think your data is secure, but you're still going to leak it via /tmp and swap. And /var. And maybe something else too.

So... Yeah, you can argue it's better than nothing, but if your device is stolen, you might still lose your bitcoins too. Or leak a few dozen passwords to various online accounts.
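szatox's point is that encrypting /home alone leaves /tmp, swap and /var on plain block devices. Whether a mountpoint is backed by dm-crypt can be read off the device stack: `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` prints every block device with its parent, so walking the `PKNAME` chain upward and looking for a `TYPE="crypt"` entry tells you whether a given mount sits on an encrypted layer. The script below is an added example, not from this thread or any distribution tool; it runs over a constructed `lsblk -P` sample (LUKS root holding LVM for / and /var, with /boot, /tmp and swap on plain partitions) so it works offline, and lists the mountpoints that are not encrypted. Mountpoints containing spaces are not handled, and a tmpfs /tmp does not appear in lsblk at all, although its pages can still land in an unencrypted swap.

```shell
#!/bin/sh
# Added example, not from the thread: find mountpoints whose backing block
# device chain contains no dm-crypt target. On a live system feed it
#   lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME
# Here the input is a constructed sample so the script runs offline.

# Constructed `lsblk -P` output: LUKS root holding LVM (/ and /var), but
# /boot, /tmp and swap on plain partitions.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="vg0-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg0-var" TYPE="lvm" MOUNTPOINT="/var" PKNAME="cryptroot"
NAME="sdb" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" MOUNTPOINT="/tmp" PKNAME="sdb"
NAME="sdb2" TYPE="part" MOUNTPOINT="[SWAP]" PKNAME="sdb"'

# mount_encryption_state <lsblk-P-text>: one line per mountpoint,
# "<mountpoint> encrypted" if any ancestor device is a crypt target,
# "<mountpoint> plain" otherwise. Sorted bytewise for stable output.
mount_encryption_state() {
    printf '%s\n' "$1" | awk '
    # val(key): extract the quoted value of KEY="..." from the current line
    function val(key) {
        if (match($0, key "=\"[^\"]*\""))
            return substr($0, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
        return ""
    }
    {
        name = val("NAME"); type[name] = val("TYPE")
        parent[name] = val("PKNAME"); mp = val("MOUNTPOINT")
        if (mp != "") mount[name] = mp
    }
    END {
        for (n in mount) {
            enc = 0
            for (d = n; d != ""; d = parent[d])   # walk up the device stack
                if (type[d] == "crypt") { enc = 1; break }
            print mount[n], (enc ? "encrypted" : "plain")
        }
    }' | LC_ALL=C sort
}

# unencrypted_mounts <lsblk-P-text>: space-separated list of plain mountpoints
unencrypted_mounts() {
    mount_encryption_state "$1" | awk '$2 == "plain" { print $1 }' | paste -sd ' ' -
}

# Live use (as root): unencrypted_mounts "$(lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME)"
unencrypted_mounts "$SAMPLE_LSBLK"
```

The walk up the parent chain is what makes LVM-on-LUKS come out as encrypted even though the mounted device itself is an LVM volume; a check that only looks at the immediate device type would miss that layout.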

----------

## The Main Man

I don't think it's secure, I just tried it because I always thought about doing it and how it would perform.

Getting experience I guess.

I have nothing on my drive that is super secretive  :Very Happy: 

----------

