LUKS (Linux Unified Key Setup)
Why not encrypt?
There exist countless options for data encryption, and cryptography itself is an amazingly complex topic. As computers advance, seemingly strong passwords and encryption standards have grown weaker, and given enough time, many can be broken. I tend to encrypt things by default, on several levels, to achieve strong protection of my data. This helps me sleep better at night knowing that my machines and important information are kept safe, even if they should fall into the wrong hands.
To do this, I use the following strategy for my daily driver machines and external media. These steps are easy to medium in difficulty for the average end user.
1. Encrypt your Operating System during installation. From the get-go when installing a new Linux Operating System (OS), I choose LUKS (Linux Unified Key Setup) to encrypt my hard drive. LUKS is recognized across nearly every Linux system and even other OSes. Using LUKS means that each time you boot your machine, you will enter the password that lets cryptsetup unlock your hard drive content. Then you will enter the password for whichever user you want to log in as on your machine. (If someone yoinks your hard drive, your standard user account password does nothing to protect what’s on the drive, so having encryption is advised to prevent a thief from viewing your data.)
2. Use VeraCrypt containers to store sensitive data on any device or external media. Some cloud services won’t recognize the VeraCrypt container file extension (file type).
3. Use Cryptomator. This is very similar to VeraCrypt and is compatible with most cloud services as well, not just locally stored data.
A VeraCrypt example screenshot:
Cryptomator example screenshot:
My own use case for encryption of my data looks like this:
As mentioned, I always use Full Disk Encryption (FDE) on my computers. This simply means I need to enter another password during boot, that’s it. I use LUKS for this in nearly every case; how to do this will vary slightly among the various Linux distributions. For all of my USB sticks, MicroSD cards and external SSD storage drives, I encrypt the entire drive with VeraCrypt, or at least I’ll have a VeraCrypt container on the storage media. To view the files inside the encrypted drive/container, I have to open the VeraCrypt software and ‘mount’ the encrypted container. At rest, no one can see the data inside the VeraCrypt container/drive. Provided you are using proper passwords of 12+ characters, using all four types of characters, this will be incredibly secure.
On some large HDD storage drives, I will use LUKS. When you plug these into your computer and mount them, you’ll need the LUKS password you set to open them.
To view any VeraCrypt containers, you’ll need the desktop application installed. (It works on Windows, macOS and Linux.) For Android, you will need an app such as EDS Lite (available on the F-Droid app store) in order to create or view your containers on your mobile.
Cryptomator may be better liked by some since it is cross-platform, not just on desktop like VeraCrypt, but also on mobile platforms including iPhone. It functions nearly identically to VeraCrypt, so the learning curve is pretty soft here if you’ve used one or the other.
Another topic to consider when it comes to encryption is not the stuff that you have locked down behind encryption, but all of the other old external drives or USB sticks you have lying around that are not encrypted. This poses a large security risk if you have any sensitive data on those drives, so make sure to clean up those old data storage devices.
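One way to find drives like these, as an added example that is not part of the original post: a shell function that reads `lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE` output and labels each device as LUKS, plaintext, or carrying no filesystem signature (a blank drive, or one fully encrypted with VeraCrypt, which has no identifying header). The function name `classify_devices` and the sample device list are constructed for illustration.

```shell
#!/bin/sh
# Added example: label block devices by at-rest encryption status.
# Real use: lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE | classify_devices

# Constructed sample of lsblk output (not from a real machine).
SAMPLE_LSBLK='KNAME="nvme0n1" PKNAME="" TYPE="disk" FSTYPE=""
KNAME="nvme0n1p1" PKNAME="nvme0n1" TYPE="part" FSTYPE="vfat"
KNAME="nvme0n1p2" PKNAME="nvme0n1" TYPE="part" FSTYPE="crypto_LUKS"
KNAME="dm-0" PKNAME="nvme0n1p2" TYPE="crypt" FSTYPE="ext4"
KNAME="sdb" PKNAME="" TYPE="disk" FSTYPE=""
KNAME="sdb1" PKNAME="sdb" TYPE="part" FSTYPE="exfat"
KNAME="sdc" PKNAME="" TYPE="disk" FSTYPE=""'

classify_devices() {
  awk '
    # Value of KEY="value" on the current line, or "" if the key is absent.
    function field(key,    rec) {
      rec = " " $0
      if (!match(rec, " " key "=\"[^\"]*\"")) return ""
      return substr(rec, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    {
      k = field("KNAME"); order[++n] = k
      type[k] = field("TYPE"); fs[k] = field("FSTYPE"); parent[k] = field("PKNAME")
      if (parent[k] != "") has_child[parent[k]] = 1
    }
    END {
      for (i = 1; i <= n; i++) {
        k = order[i]
        if (type[k] == "loop" || type[k] == "rom") continue
        # Opened mappings and LVM volumes stacked on a LUKS header are covered by it.
        covered = 0
        for (p = parent[k]; p != ""; p = parent[p])
          if (fs[p] == "crypto_LUKS") covered = 1
        if (covered) continue
        if (fs[k] == "crypto_LUKS") status = "LUKS"
        else if (k in has_child)    continue   # whole disk that only holds partitions
        else if (fs[k] == "")       status = "NO_SIGNATURE"  # blank or VeraCrypt whole-drive
        else                        status = "PLAINTEXT"
        printf "%s /dev/%s %s\n", status, k, (fs[k] == "" ? "-" : fs[k])
      }
    }
  '
}

printf '%s\n' "$SAMPLE_LSBLK" | classify_devices
```

A `PLAINTEXT` result only describes the filesystem itself: the drive may still hold VeraCrypt container files or a Cryptomator vault, and an EFI system partition such as the `vfat` entry in the sample is expected to be unencrypted.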