Originally posted by Estranged1906
View Post
Announcement
Collapse
No announcement yet.
Fedora Workstation Aiming To Improve Encryption, Possibly Encrypted Disk By Default In The Future
Collapse
X
-
Originally posted by avis View PostI'm 100% against encryption being enabled by default.
Why? Forgetting your encryption password or simply dying unexpectedly (which unfortunately happens to people) results in losing all the data. Far too many people never bother making backups, and in a perfect world you must have at least two copies of the data in physically separate locations.
Those who understand the risks could have enabled encryption for years if not decades.
Encryption is a bloody curse.
- Likes 6
Comment
-
Originally posted by avis View Post
Benefits? Your peers cannot see your data, your porn habits, etc - that is of course if they cannot sniff out your password which is all too easy if you live with someone.
All the x86 CPUs released in the past decade support HW AES encryption/decryption, so the performance impact is minimal.
What I also don't like about it is that it seems prone to complications for various reasons like the example in the comment above. So I hope Fedora will have a simple switch to disable encryption in the partition setup before installation (not having it buried somewhere in Anaconda's advanced partition setup which is horrendous).Last edited by user1; 04 April 2023, 06:14 AM.
- Likes 2
Comment
-
Originally posted by dylanmtaylor View PostI'd like to see Ubuntu enable encryption by default too. Whether we like it or not, it's kind of the "default" Linux that most people start with, and more security by default will benefit a huge amount of people and the ecosystem as a whole.
Comment
-
Originally posted by SpyroRyder View Post
They definitely shouls though i do wonder by how much theyre still the default these days. There arent that many places stil singing their praises like in the old days, or at least not to the same degree. Im not tied into the newbie scenes these days so im not sure whats bouncing around the schools but a lot of the discussions i had with friends who were new to linux over the last 5 years tended to be more the more system tinkery/gamer sort that tried a variant of Arch
When you use Not Arch and read the news, Linux tends to suck due to how restricted or limited you can feel/become when using either older or more locked down distributions. You read about all these neat things but you have to wait for the next release of Not Arch to use it. If you're using Arch it's a lot easier to try those things out, especially when combined with snapshots in case stuff happens.
To put that into some perspective: I'd really consider using a distribution like Cent if they switched to Pacman and included the Arch Linux tooling. Stable base with powerful and easy-to-use from-source tools. Yes Please. Rolling release isn't always a desired environment while "stable with the option to pull in some bleeding edge" can be a more preferred environment. Also, the 90s and Dependency Hell are on Line 2.
- Likes 2
Comment
-
Originally posted by Turbine View PostI guess. But they better make it easy to mount in liveboot and recover. Linux distros have a hard time mounting ntfs drives and network locations still in 2023. Currently it's working on my pc, but I know fedora failed last I used it.
Comment
-
Originally posted by avis View PostI'm 100% against encryption being enabled by default.
Why? Forgetting your encryption password or simply dying unexpectedly (which unfortunately happens to people) results in losing all the data. Far too many people never bother making backups, and in a perfect world you must have at least two copies of the data in physically separate locations.
- Likes 3
Comment
-
Originally posted by makitso View PostThe problem is dual-boot systems. I can only encrypt /home and swap.
Originally posted by ll1025 View PostIf you don't make backups, losing your data is a when-- not an 'if'. Encryption's contribution to that problem is insignificant.
Last edited by Anux; 04 April 2023, 08:09 AM.
Comment
-
Originally posted by Sonadow View Post
Like my former employer who mandated that all Windows laptops have Bitlocker enabled...then proceeds to blame ME for not being able to recover any data from a bunch of SSDs after a number of laptops died and the staff forgot their Bitlocker password.
Encryption is a bloody curse.
Encryption needs to be done right. "Done right" includes using a password you can remember, and if you can't remember it using a shorter password. If you're managing a fleet, then you should probably do the research to learn how to manage bitlocker deployments. Tip: you can escrow the keys in your directory for trivial recovery. Don't blame microsoft, bitlocker, or encryption in general for your own ignorance.
But when done right it actually allows the security guarantees made by your OS to work.- No more DBAN; disk decommissioning just involves blowing away the volume key on your drive
- No concerns about offline OS tampering
- No trivial bypasses to the user login screen
- a right against self-incrimination that actually means something
@skeevy420 -- The big benefit in your case would be disposal. You don't have to deal with DBAN, you can just nuke the volume header and know your data is safe.
Encryption does not have to be painful. You can enroll your TPM as an unlock source so that the disk auto-decrypts, if it has not been tampered with.Last edited by ll1025; 04 April 2023, 08:11 AM.
- Likes 6
Comment
-
Originally posted by Anux View PostWhat does dual boot have to do with it? As long as you don't use TPM to store your keys and therefore have an encrypted EFI partition nothing needs to be considered for dualboot. Just encrypt your / partition and you're ready to go.
While your statement is true it also is totally disjointed from reality.
- Anyone managing a fleet should have some method of storing recovery info. Microsoft Account recovery, or a keepass file, or AD-integrated bitlocker recovery....
- Anyone using their encrypted laptop with any regularity will be entering whatever their unlock key is almost daily and so will generally not forget it
- Anyone managing either of these scenarios will, as a consequence of managing things, have an easy location for backing data up (Onedrive, Google drive, dropbox....)
- Home users who have none of those advantages can simply use TPM which is very reliable.
- Any "on by default" encryption system can mitigate the risk of failure by using the user's login password as an alternate for unlock
- Likes 3
Comment
Comment