‹ back home

How disk encryption works

2021-09-03 #desktop #linux #security

Note: this article avoids being too technical and is rather geared towards non-technical users.

Without disk encryption

Historically, computers used to ask you for a username and password after you turned them on.

This was mostly an authentication mechanism to prevent strangers sitting in front of your computer from using it. However, they could still open the computer, remove the disk, and access all your information without further obstacles.

The password prompt was a soft protection, akin to a security guard outside the entrance to a room with an open window on the other side. The guard keeps out the polite ones coming in through the door, but does nothing for those crawling through the window.

For laptops, this is especially worrying; if you lose your laptop, the new owner could access any of its contents. Skipping or changing your user account password is trivial.

Any photos, banking passwords, message history, business plans, etc, are all very easily accessible.

Encryption

Encryption in this context can be summarised as “scrambling your data so that only someone with the decryption key can access it”.

The “key” is usually based on a password / passphrase for which you’re prompted at startup. This varies a bit per operating system and implementation:

A noticeable outlier is Windows Home (including Windows 10 Home). Microsoft is of the stance that private individuals have no important information on their systems, and have no need for privacy, so only includes this feature in Windows Pro, Enterprise and other [expensive] tiers.

However, outside the Windows-bubble, disk encryption has been widely adopted for over a decade.

Less-secure encryption

Some systems also encrypt the entire disk, but store the key on the device, and use other specialised hardware to attempt to prevent strangers from using the device or accessing the key.

These tend to be more secure than nothing, but are less secure than a key derived from a passphrase, since they give attackers a new attack vector.

Multi-user systems

There are really two ways disk encryption can happen:

The first tier (FDE) is the safest and most solid. Nothing is readable by a stranger holding your laptop. However, the whole device is encrypted with one key, so if two people use the same device, then they share the decryption key, and one can, ultimately, steal the other’s private information.

Home encryption however, encrypts each user’s profile (their “Home directory”) with a different key. This means that if two people share a computer, there’s still no way for one person to read the other person’s information. This is good in families, but even more so when sharing devices in work environments.

Home encryption does have some caveats: it’s more complex, and your base system is decrypted, which can results in someone snooping what’s installed, and other curiosities, but they won’t be able to access any private data. Other mechanisms are also needed to prevent someone from tampering with your operating system (if they have physical access to your computer).

Conclusion

Turn on disk encryption on all your devices. There’s no reason not to do so, unless you’re fine with strangers having full, unrestricted access to any data you keep on them.

Full disk encryption is best for a single-user device, or devices where you blindly trust other users. Home encryption is best for shared devices.

Have comments or want to discuss this topic?
Send an email to my public inbox: ~whynothugo/public-inbox@lists.sr.ht.
Or feel free to reply privately by email: hugo@whynothugo.nl.

— § —