[archerx]

Maybe I’m an outlier but I don’t want my drives encrypted at all. I rather have all my data be accessible if things go catastrophic, I.E. having to pull the drive out of a broken computer and put it in another computer to access the files. I just want it to be plug and play.

[Glohrischi]

My harddrives (laptop, work laptop, desktop, server) contain emails, browser sessions, saved passwords, personal data from family and friends.

I do not want someone stealing my laptop on a train ride potentially being able to have all of that data.

With a proper real backup strategy, i have everything save. I do not need easy access to a hard drive from a broken computer.

But hey you do you :)

[xingped]

Cool. Everyone's threat model is different. As long as we're not writing passwords on sticky notes attached to the monitor, I don't think there's any need to be throwing stones.

[pyrale]

> Everyone's threat model is different.

Everyone's threat model is different, but some are better than others, and maybe we shouldn't equate taking time to explain why with throwing stones.

[lachiflippi]

Sensitive data written down on a sticky note is arguably more secure than that same data sitting on an unencrypted hard drive, at least in a home setting.

[brookst]

Hey now, I use rot13 on my sticky notes.

[loneboat]

Gotta bump that encryption up - rot26 is twice as secure.

[harshreality]

Secure rot* variants require UTF-8 and mappings that shift characters between {1,2,3,4}-byte encoded-character-sizes. That varies the message length, which prevents any message-length or traffic analysis.

The Snowden leaks revealed that the NSA is flummoxed on how to tackle variable character lengths. However, they've cracked rot26 using custom ASIC supercomputers, so it should be considered insecure even though it's twice as good as rot13.

[Glohrischi]

I did not throw a stone, i only clarified my counter position for others to understand why I encrypt.

[NBJack]

Are you saying you bring your desktop on a train ride as well? Laptops with encryption make sense; if you need to encrypt your desktop, I have questions.

[Glohrischi]

I have one safety concept for everything and not random ones for random devices.

Every machine is encrypted, unlocked per login.

Encryption is basically free so.

[saltcured]

I would. It doesn't even require theft. The naive burglary mitigation is just a happy accident.

I want the crypto-shredding retirement of each storage device. I don't assume I can delete/scrub/overwrite at the time a device goes out of service. I have a box of older HDDs that I still have to get around to destroying properly, because they exist from before the days of practical FDE.

[fortran77]

I encrypt my desktop. What if someone breaks in and steals it? My tax returns are on there, banking and investment info, etc. And what if I'm careless about disposing of an internal drive in an old machine that's in the closet, etc. I usually drill or sledge drives, but what if I forget? Encrypting all drives makes sense.

[rpdillon]

My inference machine is the only drive I leave unencrypted, but that's because it has the models on it, llama.cpp, and nothing else, and I want it back up and running services after a power-failure. My other desktops are encrypted to make hard drive disposal easy.

[The_President]

Simple hypothetical: "A disaster hits and the workstation owner is unable to return to the location the workstation is stored. During that time period the workstation is stolen by a gang of looters."

[treis]

Ah yes a typical Tuesday for me

[Glohrischi]

I'm not getting insurance for the normal case. I get insurance for the bad cases.

The good thing though: the effort is low. You think through it once and you have your encryption and backup strategy for a long time.

I have a NAS System which only runs when i need it, i scrub every month and that basic setup is the same for the last 12 years.

[msh]

Burglars are a thing.

[JoshTriplett]

Also a reason to have off-site backups. Many people have done backups to local servers, only to discover that they have no way to recover their data because thieves stole everything.

[archerx]

My data is mundane and mostly my art projects and photography. I don’t believe I am important or interesting enough for someone to do anything with my data if they somehow managed to get it also I don’t have emails, saved passwords, banking info or that kind of sensitive info on my computers so meh I guess.

[majorchord]

> I don’t have emails, saved passwords, banking info or that kind of sensitive info on my computers

Then where do you have it? Notes on a post-it? Or is this a very specific definition of "computers"?

[hiq]

If "things go catastrophic" your hard drive is not usable at all anymore. At the very least some files can't be recovered at all. So you need backups in any case. Once you have backups, you might as well encrypt your hard drives, especially if you store these in different locations (which you should).

An advantage of encryption is that it makes it easier to give away or resell devices. With recent encryption schemes (well the ones on Linux, given this article), I feel confident that overwriting the encryption keys gets me close enough to not leaking my data once I get rid of an old hard drive.

[archerx]

That’s not true. I’ve had many computers that refuse to turn on and I was able to recover the files by removing the drive and loading it into a USB hard drive reader and recover the files.

[hiq]

I sure envy you if this qualifies as "catastrophic", because hard drive can and do fail.

[The_President]

Additional problem is if physical access is obtained, illegal material could be covertly added to the drive then picked up by the built in scanners in your OS. Depends on how important you are.

[lstodd]

What's not plug and play if using some sensible fde like idk, dm-crypt? You are only a passphrase away from mounting that drive in any other system you plug it into.

[pessimizer]

That's my question, because my root is encrypted, I move encrypted disks all the time, and have a couple of encrypted external drives. It's trivial.

But I'm sure that some of the millions of things that I've missed as windows has become what it has become makes this simplicity seem like a scifi absurdity. I don't think that they can even log into their own computers without asking Microsoft for permission over the network. I'm sure the idea of encryption must have been overcomplicated to the point of absurdity in order to trap customers too, I just don't know about it.

I suppose you should just count your blessings (of ignorance) and be available to help your friends with cryptsetup if they decide to flee windows.

[deng]

But it's also plug&play for anyone stealing your laptop, see for instance

https://news.ycombinator.com/item?id=39941021

[mordae]

That's called LUKS2 and it's the default on Linux. You just type passphrase on boot. It's not tied to the motherboard.

[archerx]

What if you forget the passphrase after not using it for many years and you suddenly need a file on the drive?

[slashdave]

Print it on a piece of paper and put it in a lock box.

[Terr_]

Better still: LUKS allows you to set up multiple entry keys, so use two, either of which will grant access to the drive.

* Your preferred memorized passphrase and will never be written down anywhere.

* A random key you can print and store in a box somewhere.

Then if your backup paper gets lost, you can revoke/replace it without having to abandoned your memorized favorite.

[slashdave]

Yep. You can also put your key on a usb drive that can be read on boot.

Just choose a good quality one....

[Terr_]

A few ideas for extra security:

* Split the recovery key in two, store each half with a different friend. (If you're feeling fancy, XOR the halves and store that with a third friend, then any two out of three will work.)

* Sneak the key into something you know friends/family won't throw away while you're still alive, like stuck to the back of a sentimental photo in a frame.

____

That said, I think I'm wandering from the original "accumulating dusty old drives in a box" scenario, which has a simpler solution: Keep a growing old_drives_keys.txt file on your current (encrypted) main device.

[nickjj]

Yep, this is the way. It survives human memory and doesn't depend on software.

If you keep it in a dark environment that's not super humid the ink should last a really long time. Even in non-optimal conditions (NY summers with high humidity, etc.) I've had regular pen ink last for decades with no signs of fading away.

[skeledrew]

Same here. If anything happens I want a decent chance to be able to recover my data. The most I may do is create encrypted files, and some of them I've forgotten the passwords for, which makes me even more wary.

[rpdillon]

I was happy to give up my side-hobby of drilling drives after FDE became standard everywhere. Plug and play is great, but you don't want it to be plug and play for whoever pulls your drive out of the trash.

[jsmith99]

So long as you've backed up the key you can fairly easily decrypt on any machine.

[tekne]

I mean... you can use an encryption scheme compatible with this (if you know the password).

I suppose this makes some sense for home computers (burglars and police raids are rare) but for a laptop, you really don't want thieves getting all your details.

Ironically -- this probably was paranoid a few years ago, but now -- "ChatGPT, use this prepared prompt to extract all useful info from this hard drive"

[aniceperson]

the point is having a choice and the choice actually doing what it claimed.