For those who were wondering what the overhead of FDE is on a modern Linux kernel and modern processors with AES-NI built in: Michael does benchmarks on LUKS fairly regularly; here is one from last year on a laptop running Pop!_OS. https://www.phoronix.com/review/hp-devone-encrypt
Fedora Workstation Aiming To Improve Encryption, Possibly Encrypted Disk By Default In The Future
-
Originally posted by ll1025: Anyone managing a fleet ...
Anyone using their encrypted laptop with any regularity will be entering whatever their unlock key is almost daily and so will generally not forget it
Anyone managing either of these scenarios will, as a consequence of managing things, have an easy location for backing data up (Onedrive, Google drive, dropbox....)
Remember we are talking about encryption as a standard setting. People will be using encryption without having checked what it implies to lose a password or even understanding what encryption is. I won't have to support them so I don't care, just saying this will not go well ...
-
Not so sure, I know many Linux and Win users not doing any backups. Most people I know that do backups regularly had a HDD crash in the past. Just me telling them what could potentially happen has never convinced anyone to do backups. And to be fair a large part of them never experienced data loss and probably never will. It's like wearing a helmet.
-
Please remember that the most common scenario is TPM-backed encryption which will work 99% of the time with no issues and that password would be a fallback for the 1%.
Is there an incredibly contrived scenario where someone loses data to a sane-defaults FDE solution? Sure. But it does not come close to outweighing the benefits for the overwhelmingly common use cases. Most people are using laptops, most people can benefit from some moderate degree of assurance that laptop theft does not lead to identity theft or OS tampering.
It is also not difficult for the OOBE/first boot process to pop up a screen that says "Print this page and put with your important documents", containing a recovery key. Again: A completely solved problem, given that BitLocker has been doing this as a default for literally years with a far bigger deployment footprint.
-
Originally posted by Anux: Yeah, those that don't understand the implications of encryption will most likely do something stupid and then complain in a forum.
Although I've been using FDE on all my devices for a long time, I would never encrypt disks for people without them explicitly asking for it. It even has potential to degrade your SSD faster (no trim with LUKS's standard settings).
-
I agree. I don't see much use for this on a desktop if you don't have much concern about it getting stolen. On a laptop, I think this is a must.
Originally posted by user1:
Thanks. So yeah, pretty much like I thought - pretty useless for me as a desktop PC user and no one has access to my PC beyond me anyway.
What I also don't like about it is that it seems prone to complications for various reasons like the example in the comment above. So I hope Fedora will have a simple switch to disable encryption in the partition setup before installation (not having it buried somewhere in Anaconda's advanced partition setup which is horrendous).
-
Originally posted by archkde: The correct solution to this problem is not to disable encryption, but to override the LUKS default and enable discarding through it. It's also not relevant to the solution Fedora prefers to implement, because Btrfs encryption does not rely on LUKS.
Originally posted by ll1025: Please remember that the most common scenario is TPM-backed encryption which will work 99% of the time with no issues and that password would be a fallback for the 1%.
-
Originally posted by Anux: but it's not in the standard settings and at least discard shouldn't be (leaking usage area). Although not a problem with FS based encryption.