Encryption - Do you encrypt the data on the disks?

Zitat von lolek

of course he won't take only the drives but the whole computer. Then depends on the type of the thief if he's aware what he can do with the data.

LOL, if a thief comes in my place.. His concern won't be the drives computers he's leaving with it will be how much lead he's leaving with.

Just to prove that luks has a cost especially on lower power systems like an RPi. I ran a test on 4GB RPi4 with a 256GB msata ssd and writing zeroes and random to an ext4 image file and ext4 on luks image file.

aaron@rpi4k:/mnt $ sudo dd if=/dev/zero of=test_noenc/test_zero.dd bs=1M count=1750 conv=fdatasync && sync
1750+0 records in
1750+0 records out
1835008000 bytes (1.8 GB, 1.7 GiB) copied, 8.0214 s, 229 MB/s
aaron@rpi4k:/mnt $ sudo dd if=/dev/zero of=test_enc/test_zero.dd bs=1M count=1750 conv=fdatasync && sync
1750+0 records in
1750+0 records out
1835008000 bytes (1.8 GB, 1.7 GiB) copied, 11.4297 s, 161 MB/s
aaron@rpi4k:/mnt $ sudo dd if=/dev/random of=test_enc/test_random.dd bs=1M count=1750 conv=fdatasync && sync
1750+0 records in
1750+0 records out
1835008000 bytes (1.8 GB, 1.7 GiB) copied, 18.5716 s, 98.8 MB/s
aaron@rpi4k:/mnt $ sudo dd if=/dev/random of=test_noenc/test_random.dd bs=1M count=1750 conv=fdatasync && sync
1750+0 records in
1750+0 records out
1835008000 bytes (1.8 GB, 1.7 GiB) copied, 15.0412 s, 122 MB/s

Zitat von lolek

of course he won't take only the drives but the whole computer.

A Laptop, maybe. (They're very portable.) A work station, possibly, but that's much more remote. (Too many components to remove. There are other more lucrative items, that are portable, to steal in the typical house.) A headless server in a closest somewhere? On the criminal side of it, that's unheard of.

The FBI and other 3 letter Agencies are another matter. If there are fears along those lines, trust me, they WILL get pass your drive encryption. The only protection, in that case, would be a minimum of 1 pass (preferably 2 or more) of Darik's Boot and Nuke. (But that gets into obstruction of justice.) Even the 3 letter Agencies would attack a server over the wire. There's less effort involved, man power wise, and it's more efficient.

Zitat von lolek

Then depends on the type of the thief if he's aware what he can do with the data.

Again, "theft" is about "money". Organized crime wouldn't be interested because there's nothing of sufficient value on the typical home server that would make it worth physically breaking in to steal it. They're going to get anything they want "over the wire" when a drive(s) is unlocked.

On the other side of the crime front, the average B&E thief is an idiot. All they're interested in is what their fence will give them cash for.

If you want real security, as in "personal privacy" matters, keep your banking documents and other financial information, along with sensitive personal records, on a thumbdrive or other type of USB connected drive then unplug them (and lock them up?) when you're done. It's really hard to hack the air-gap, even for the 3 letter Agencies.

With that said, obviously, you can do what you like.
__________________________________________________

But I would caution the typical user against using drive encryption because of the perceived benefit of "security". Drive encryption only protects against physical theft. Physical theft is not, or at the least is "very rarely", the way data is compromised.

On the other side it, the down sides of drive encryption (which may complicate or eliminate many of the avenues for data recovery) out weight the highly unlikely chance that a home server will be physically stolen. Drive encryption can (and does) create issues during boot up, when services attempt to run while drives are still locked.

Zitat von lolek

I have no idea what are you talking about. I have had never ever any problems with it. I'm using full disk encryption everywhere even on OMV including system disk.

encrypting the system disk actually helps because nothing starts until it is decrypted. And usually the system disk and data disk get decrypted at same time avoiding the issue. When you don't encrypt the system disk, it fully boots and won't wait forever for the data disks to be decrypted. When this happens, services try to start but their data filesystems are not there. There are many, many threads about this on the forum. This is by no means a rare problem. If you stack lvm or mergerfs on top of that, it makes it even worse.

Zitat von lolek

I have no idea what are you talking about. I have had never ever any problems with it.

You have to keep in mind your experience, a single instance, applies to the way you have your server configured. There are thousands of OMV users who have several different software configurations. There are plenty of examples, on this forum, of home users that have had issues with LUKS, in their configuration.

A good number of those users are looking for a "perceived" security benefit, but the reality is they're protected from a 1 in a 1,000,000 (or more) chance that their server might be stolen. When looking at the equation, clear eyed, there's little to no tangible benefit of using LUKS on a home server. "That" is what is I'm trying to impart to forum users who may read this thread. In your case, as I said before, you can do as you want.

Zitat von bunducafe

Of course encryption comes with the cost of having to put a little bit of effort once your machine is booting up - for me that is a non issue and doesn't take too much time at all:

Herein lays the issue:
New users don't understand "the cost". They expect LUKS to simply work, transparently, with no considerations. The typical new user has as much understanding of LUKS as they do of RAID. (Which is to say, they don't have a good understanding of the intended purpose of these packages or how they work.) Often they install them based on an inaccurate perception gained from a video or something they've read on-line.

In both cases (LUKS and RAID), when users run into issues, they post here. On the other side of that coin, if they have a better understanding of what they're installing, perhaps they won't install those packages. That's the sole reason why I posted in this thread - to underscore that the ONLY protection LUKS provides is against physical theft, versus the potential for issues during boot up which are far more likely .

Zitat von lolek

just switch to FDE (Full Disk Encryption) and you don't need to restart merger fs etc.

Isn't FDE using LUKS?