by blakeyrat 3454 days ago
> but I do need to close down/reboot a couple of times a day otherwise no point in encryption.

Given, I'm not a Linux user, but I don't understand this at all.

On Windows, encrypted is encrypted-- the lock screen is exactly as secure as the login screen. Are you saying that in Linux the lock screen is easily-bypassed? So you have to keep your computer logged-out when you're in a place it might get stolen?

2 comments

> On Windows, encrypted is encrypted

Wasn't there a recent story about how Windows is storing keys so that it can wake up in the middle of the night and apply updates? I thought that the conclusion was that locked isn't as secure as logged out.

I believe that would be 'encrypt my home drive' on Linux, then you basically log out to protect files. Not sure though.

What I'm not understanding is why logging out or rebooting is required to keep a computer with full disk encryption secure. That's certainly not the case on competing OSes like Windows.

Usually in Linux the system is installed on an encrypted filesystem (cryptsetup, LUKS). Only the kernel and the so-called initrd image (early boot stuff) are outside the encryption. The disk is opened at a very early stage in boot when just about the kernel is loaded. Thus, the encryption is open whenever the operating system is running. Everything is of course still transparently encrypted on disk but the "lock" is open. One must shut down the computer to close the filesystem's encryption.

"Then click Install Now, and follow the rest of the instructions until you get to the “Who are you?” page. Make sure to choose a strong password — if someone steals your laptop while it’s suspended, this password is all that comes between the attacker and your data. And make sure that “Require my password to log in” is checked, and that “Log in automatically” is not checked. There is no reason to check “Encrypt my home folder” here, because you’re already encrypting your entire disk."

Above quote is from the section titled 'How to encrypt your disk in Linux' on the page at

https://theintercept.com/2015/04/27/encrypting-laptop-like-m...

I'm just a bit confused about how Windows can remove keys without messing up file handles &c when suspending to RAM.

The level of security I have now is adequate to my purpose but certainly something for others to take into consideration. Thanks for posting.
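
Added example, not written by anyone in this thread: the LUKS comment above says the encrypted volume stays open for as long as the operating system runs. The Python sketch below parses `dmsetup table` output to list which dm-crypt mappings are currently set up; the sample text, mapping names and UUID are constructed, and the function name is hypothetical.

```python
# Constructed sample of `dmsetup table` output (not captured from a real
# machine; names, sizes and UUID are made up). Layout per the dm-crypt docs:
#   name: start length crypt cipher key iv_offset device offset [options]
SAMPLE_TABLE = """\
sda3_crypt: 0 498069504 crypt aes-xts-plain64 :64:logon:cryptsetup:00000000-0000-0000-0000-000000000000-d0 0 8:3 32768
cryptswap: 0 16777216 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:2 4096
vg0-root: 0 41943040 linear 253:0 2048
"""


def open_crypt_mappings(table_text):
    """Return one dict per dm-crypt mapping that is currently set up."""
    found = []
    for line in table_text.splitlines():
        name, sep, rest = line.partition(": ")
        fields = rest.split()
        # A crypt line has at least: start length "crypt" cipher key iv dev offset
        if not sep or len(fields) < 8 or fields[2] != "crypt":
            continue
        cipher, key, device = fields[3], fields[4], fields[6]
        if key.startswith(":"):
            # ":<bytes>:<type>:<description>" is a key referenced in the kernel keyring
            key_bits, key_held_in = int(key.split(":")[1]) * 8, "kernel keyring"
        elif key == "-":
            key_bits, key_held_in = 0, "no key"
        else:
            # Hex key; dmsetup prints zeros of the same length unless --showkeys
            key_bits, key_held_in = len(key) * 4, "dm-crypt target"
        found.append({"name": name, "cipher": cipher, "device": device,
                      "key_bits": key_bits, "key_held_in": key_held_in})
    return found


if __name__ == "__main__":
    for m in open_crypt_mappings(SAMPLE_TABLE):
        print(f"{m['name']}: open on {m['device']}, {m['cipher']}, "
              f"{m['key_bits']}-bit key held in {m['key_held_in']}")
```

On a real system the input would come from running `dmsetup table` as root; any mapping it reports is a volume whose data is readable by the running OS, whether or not the screen is locked.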