Lennart: Linux Comes Up Short Around Disk Encryption, Authenticated Boot Security


  • #31
    Originally posted by anarki2:
    Also, whoever says an unencrypted Linux machine is more secure than an encrypted Windows or macOS one definitely needs professional care.
    I don't think there will be a lot of people claiming that. Encrypted is better. The thing is that the option for full disk encryption is only offered during setup. Nowhere else do you find anything in the mainstream distros where you can do anything with FDE.

    My partitions are unencrypted. Not because I don't believe in encryption, it's precisely because I know encryption works. Linux distributions can be quite rickety at times. So far I just don't trust distributions to implement FDE in a way that gives me the confidence that I will always have access to my own files when I hold the key to unlock them. While I have nothing that is particularly valuable to the outside world, there are a lot of personal files that I would like to just keep access to.

    I just don't have the time nor the inclination to become a Linux encryption expert, just so my unexceptional files can be stored a little more securely. I might be way off base, but the way encryption is presented in distributions very much feels like an afterthought. Unencrypted, I just need a working filesystem driver and I can access my stuff. With encryption I just don't know.



    • #32
      Mostly because those vulnerable "attack scenarios" fail to convince me.
      Just quoting this, but it seems a semi-common sentiment here. There are a number of countries where being a dissident is a one-way ticket to a reeducation camp, where the state has ample computer security expertise, and where your laptop may disappear at customs for some period of time before being brought back.

      The fact that the FDE on Linux prevents casual copying is irrelevant, an attack scenario from the 90s. Far easier to simply insert code into the bootloader which
      1. Hides its function
      2. Records the FDE key or user password
      3. Modifies the OS to send this information at network initialization
      I have no doubt that there will be responses here that this is far-fetched Mission Impossible nonsense, from people who have been so embedded in Linux for so long that they are unaware that such bootkits are straight out of everyday Windows XP life in 2010. I used to do volunteer computer security work for "undesirables" headed to such countries and on multiple occasions found bootkits that affected OS function.

      I rather suspect that the responses to Poettering's post here are going to be divided into those who have used macOS FileVault and/or Windows BitLocker, and who generally agree with Poettering, and those who are ignorant of what a proper, scalable, usable, and effective FDE looks like.

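Post #32 describes the evil-maid variant that matters for a LUKS laptop: the encrypted root is untouched, but the unencrypted boot partition is modified to capture the passphrase. The defensive counterpart is to pin the contents of that partition and re-check them from a trusted environment. The Python below is an added example, not code from this thread or from any distribution or project: it builds a SHA-256 manifest of a directory tree, compares it with a saved baseline, and reports files that were added, removed or modified. The file names and contents inside demo() are constructed for illustration.

```python
"""Detect changes to an unencrypted boot partition via SHA-256 manifests (added example)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large kernel/initrd images are not read into RAM at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its size and digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue  # only regular files carry loader/kernel code worth pinning
            rel = full.relative_to(root).as_posix()
            manifest[rel] = {"size": full.stat().st_size, "sha256": sha256_of(full)}
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished or changed content since the baseline was taken."""
    base_keys, cur_keys = set(baseline), set(current)
    modified = sorted(
        key for key in base_keys & cur_keys
        if baseline[key]["sha256"] != current[key]["sha256"]
    )
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": modified,
    }


def save_manifest(manifest: dict, dest: Path) -> None:
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: pin a fake /boot tree, alter it, and re-check against the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp) / "boot"
        (boot / "EFI" / "BOOT").mkdir(parents=True)
        (boot / "grub").mkdir()
        (boot / "vmlinuz-5.14").write_bytes(b"\x7fELF constructed kernel image")
        (boot / "initrd.img-5.14").write_bytes(b"constructed initramfs")
        (boot / "grub" / "grub.cfg").write_text("linux /vmlinuz-5.14 root=/dev/mapper/root\n")
        (boot / "EFI" / "BOOT" / "BOOTX64.EFI").write_bytes(b"MZ constructed loader")

        # In real use the baseline lives inside the encrypted root or on removable media,
        # never on the unencrypted partition it describes.
        baseline_file = Path(tmp) / "boot-manifest.json"
        save_manifest(build_manifest(boot), baseline_file)

        # Simulate a later, unexpected change: edited config, new loader module, missing initrd.
        (boot / "grub" / "grub.cfg").write_text("linux /vmlinuz-5.14 root=/dev/mapper/root quiet\n")
        (boot / "grub" / "extra.mod").write_bytes(b"constructed unexpected module")
        (boot / "initrd.img-5.14").unlink()

        return compare_manifests(load_manifest(baseline_file), build_manifest(boot))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats apply to this kind of check. It only tells you that something changed after the fact, and it must be run from an environment you trust (a live medium you carry, not the possibly compromised installed system), because a resident bootkit can lie to any tool running under the kernel it loaded; re-run it after every legitimate kernel or bootloader update and refresh the baseline. Verifying the boot chain cryptographically before it executes, which is what the authenticated-boot discussion in the article title is about, is the approach that removes the need for this manual comparison.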


      • #33
        I like to keep things simple. That's why my standard setup is a 512MB boot partition and the rest of the drive is a LUKS encrypted BTRFS partition. Even my swap space is in that encrypted BTRFS partition because you never know what might get written to swap. Sure I know it would be vulnerable to an evil maid attack, but I don't think that's particularly difficult to defend against. And if I ever get malware that would write to the boot partition then I've already lost because I've allowed malware to run on the system.

        Personally I've always been uneasy about using a TPM for encryption. When your encryption implementation is completely open source software like LUKS, you know that lots of eyes have looked through its source code for vulnerabilities. But you can't easily see that your TPM chip was made properly and without vulnerabilities or backdoors. That reminds me of how Microsoft's BitLocker had been using hardware-based encryption if the drive supported it, but they had to change back to software-based encryption because the security implementation of many drive manufacturers was so horrible (of course they still rely on the TPM).
        Last edited by Chugworth; 23 September 2021, 11:16 AM.

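Post #33 keeps swap inside the LUKS volume because anything paged out of RAM (including key material) would otherwise land on plaintext storage. A quick way to confirm that property on a running system is to cross-reference /proc/swaps with the mount table and the list of dm-crypt targets. The Python below is an added example, not code from this thread or any distribution: it parses those two /proc files and flags every swap area whose backing device is not a dm-crypt target. The SAMPLE_* inputs are constructed; live_crypt_devices() reads /sys/block/dm-*/dm/uuid, which cryptsetup populates with a CRYPT- prefix for its mappings, and is only used when run on a real Linux host.

```python
"""Audit that every active swap area lives on a dm-crypt device (added example, Linux)."""
from __future__ import annotations

from pathlib import Path

# Constructed sample of /proc/swaps: a header line, then one entry per swap area.
SAMPLE_PROC_SWAPS = (
    "Filename\t\t\t\tType\t\tSize\t\tUsed\t\tPriority\n"
    "/dev/sda2                               partition\t8388604\t0\t-2\n"
    "/swap/swapfile                          file\t\t4194300\t0\t-3\n"
)

# Constructed sample of /proc/self/mounts: "<device> <mountpoint> <fstype> <options> 0 0".
SAMPLE_PROC_MOUNTS = (
    "/dev/mapper/cryptroot / btrfs rw,relatime,subvol=/@ 0 0\n"
    "/dev/mapper/cryptroot /swap btrfs rw,relatime,subvol=/@swap 0 0\n"
    "/dev/sda1 /boot ext4 rw,relatime 0 0\n"
)

# Constructed: the dm-crypt targets present on the sample machine.
SAMPLE_CRYPT_DEVICES = {"/dev/mapper/cryptroot"}


def _unescape(field: str) -> str:
    """The kernel encodes spaces/tabs in mount paths as octal escapes such as \\040."""
    return field.replace("\\040", " ").replace("\\011", "\t")


def parse_proc_swaps(text: str) -> list[tuple[str, str]]:
    """Return (filename, type) pairs from a /proc/swaps dump, skipping the header."""
    entries = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2:
            entries.append((_unescape(parts[0]), parts[1]))
    return entries


def parse_proc_mounts(text: str) -> list[tuple[str, str]]:
    """Return (device, mountpoint) pairs from a /proc/self/mounts dump."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            mounts.append((_unescape(parts[0]), _unescape(parts[1])))
    return mounts


def device_for_path(path: str, mounts: list[tuple[str, str]]) -> str | None:
    """Find the device backing a path by choosing the longest mountpoint that contains it."""
    best_dev, best_len = None, -1
    for device, mountpoint in mounts:
        prefix = mountpoint.rstrip("/") + "/"  # "/" stays "/", "/swap" becomes "/swap/"
        if (path == mountpoint or path.startswith(prefix)) and len(mountpoint) > best_len:
            best_dev, best_len = device, len(mountpoint)
    return best_dev


def unencrypted_swap_areas(proc_swaps: str, proc_mounts: str,
                           crypt_devices: set[str]) -> list[tuple[str, str]]:
    """List (swap_area, backing_device) pairs whose backing device is not a dm-crypt target."""
    mounts = parse_proc_mounts(proc_mounts)
    findings = []
    for name, kind in parse_proc_swaps(proc_swaps):
        backing = name if kind == "partition" else device_for_path(name, mounts)
        if backing not in crypt_devices:
            findings.append((name, backing))
    return findings


def live_crypt_devices() -> set[str]:
    """Collect dm-crypt mappings from sysfs; both the /dev/mapper name and /dev/dm-N are recorded."""
    devices = set()
    for dm in Path("/sys/block").glob("dm-*"):
        uuid = (dm / "dm" / "uuid").read_text().strip()
        if uuid.startswith("CRYPT-"):
            name = (dm / "dm" / "name").read_text().strip()
            devices.add(f"/dev/mapper/{name}")
            devices.add(f"/dev/{dm.name}")
    return devices


def audit_live() -> list[tuple[str, str]]:
    """Run the check against the real /proc files of the current Linux host."""
    return unencrypted_swap_areas(
        Path("/proc/swaps").read_text(),
        Path("/proc/self/mounts").read_text(),
        live_crypt_devices(),
    )


if __name__ == "__main__":
    print("sample findings:", unencrypted_swap_areas(SAMPLE_PROC_SWAPS, SAMPLE_PROC_MOUNTS, SAMPLE_CRYPT_DEVICES))
    if Path("/proc/swaps").exists():
        print("live findings:", audit_live())
```

On the constructed input the partition /dev/sda2 is reported and the swap file under the encrypted Btrfs volume is not. If your swap partition is referenced through a /dev/disk/by-uuid symlink, resolve it with os.path.realpath before the membership test; a swap area that sits on an unencrypted LVM volume stacked on top of LUKS would need the device-mapper stack walked further down, which this example does not do.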


        • #34
          Interesting that he names ChromeOS separately. I mean: Android is up for discussion, but ChromeOS is underneath it all just a Gentoo spin, so that *is* true Linux.



          • #35
            Originally posted by tildearrow:
            So, is Lennart saying my data is safer in the hands of corporations that spy on users? I totally disagree.
            Seriously, what are you smoking?

            I have a mix of systems, with my primary system being a laptop with Win 10 and a bunch of older systems running different distros. How is the data on my Win 10 laptop "in the hands of corporations"?

            Do you really think that Win 10 is secretly uploading 2 TB of constantly clanging data to MS' servers without me noticing the network traffic?

            Sad thing is that 13 people actually upvoted your absurd comment.



            • #36
              Originally posted by sophisticles:

              Seriously, what are you smoking?

              I have a mix of systems, with my primary system being a laptop with Win 10 and a bunch of older systems running different distros. How is the data on my Win 10 laptop "in the hands of corporations"?

              Do you really think that Win 10 is secretly uploading 2 TB of constantly clanging data to MS' servers without me noticing the network traffic?

              Sad thing is that 13 people actually upvoted your absurd comment.
              If you're using Windows 10 the way that Microsoft intends, your login account is linked to your cloud account. Sure Windows 10 is not uploading 2TB of data (unless you put it in OneDrive). But who knows how secure your cloud account really is?

              Besides that, Windows 10 is constantly sending lots of information about usage to Microsoft. Even if they're not getting your top-secret information, they're still getting much more information about you than they deserve.



              • #37
                Originally posted by r_a_trip:

                I don't think there will be a lot of people claiming that. Encrypted is better. The thing is that the option for full disk encryption is only offered during setup. Nowhere else do you find anything in the mainstream distros where you can do anything with FDE.

                My partitions are unencrypted. Not because I don't believe in encryption, it's precisely because I know encryption works. Linux distributions can be quite rickety at times. So far I just don't trust distributions to implement FDE in a way that gives me the confidence that I will always have access to my own files when I hold the key to unlock them. While I have nothing that is particularly valuable to the outside world, there are a lot of personal files that I would like to just keep access to.

                I just don't have the time nor the inclination to become a Linux encryption expert, just so my unexceptional files can be stored a little more securely. I might be way off base, but the way encryption is presented in distributions very much feels like an afterthought. Unencrypted, I just need a working filesystem driver and I can access my stuff. With encryption I just don't know.
                Yes, totally agreed. LUKS is an overcomplicated patchwork that novice and most of the time even advanced users just don't wanna touch. With random shortcomings like luksChangeKey being bugged (as in not working at all) on 20.04, various "formats" (v1 and v2), different userspace tools, it's just ridiculous.

                On Windows it's literally just right click on drive C, enable BitLocker, reboot, you're done. It's a different world.



                • #38
                  I have no doubt that disk encryption on Linux is far from perfect but these people who go on to say that a person would be better off using Mac OS or Windows lose all credibility in my eyes. Even if disk encryption may be better on those platforms the amount of privacy and security you would give up in other areas is far worse. It's like the Graphene OS folks who say that stock Android would be better than say /e/ OS because of feature XYZ but fail to mention the amount of privacy you give up on stock Android in comparison. Basically they had a sound point that now looks crazy because they went off the deep end with it.



                  • #39
                    Originally posted by billyswong:
                    If someone gets physical access to a computer without my knowledge, wants to steal the data inside but finds the drive encrypted, they may install a wireless keylogger to steal the password after I come back and use that computer unknowingly. Anyone that has the money/power to brute-force decrypt a drive can install wireless keyloggers on computers.
                    How exactly do you install a keylogger on an encrypted drive?



                    • #40
                      Originally posted by Chugworth:
                      If you're using Windows 10 the way that Microsoft intends, your login account is linked to your cloud account. Sure Windows 10 is not uploading 2TB of data (unless you put it in OneDrive). But who knows how secure your cloud account really is?
                      Microsoft sells OneDrive subscriptions to private individuals, businesses and government bodies. You seriously think they would even be able to sell to the latter two segments if OneDrive was ridiculously insecure and could be easily compromised?

                      Everybody loves to make wild allegations about how "<insert name of commercial cloud storage provider> is insecure", and yet can never ever provide any concrete examples when challenged to "provide indisputable proof to show that <insert name of commercial cloud storage provider> is insecure".
