ubuntu disk encryption question

[Ashley MLP Fangirl]

hello,

 

so i installed ubuntu on my laptop, and i ticked the encrypt disk and encrypt home folder options.

 

does this make it so that if someone steals my laptop, my data and files are safe?

[WWicket]

4 minutes ago, firelighter487 said:

hello,

 

so i installed ubuntu on my laptop, and i ticked the encrypt disk and encrypt home folder options.

 

does this make it so that if someone steals my laptop, my data and files are safe?

It makes it so they can't just plug in a live disk and view your files. There is still alot of ways they could access your data, for example, by guessing your password.

[SCHISCHKA]

16 minutes ago, firelighter487 said:

does this make it so that if someone steals my laptop, my data and files are safe?

as safe as USA government export restrictions allow. If the government steals your laptop I put good money they can crack it. If a random drug addict steals your laptop I bet good money they dont give a shit what is on there, and they will not go to any effort to try and decrypt your files

[Ashley MLP Fangirl]

okay, thanks!

[risk]

If you have any backups or use cloud services, they can probably get those.

 

Here's a interesting tidbit, when someone steals a laptop to get stuff off of it, they won't shut it down. It'll still be powered on and will have the keys in ram, preventing syphoning of those is important as well. The contents of the ram and keys can be grabbed while the ram is powered on and rest of the machine is asleep, I'm not sure if Ubuntu by default locks your volumes before sleeping - if not ... you need a couple of things....

Automatic updates - set to download but not install.

If your machine is older and still has FireWire, disable it, if you have thunderbolt and no vt-d either on chipset or cpu, look into disabling thunderbolt and using it as a displayport only. If you have vt-d look into securing thunderbolt using it. There's also some USB guard software that Ubuntu doesn't have by default, normally USB drivers load and the device and driver are trusted by the machine.

 

Since the machine wakes up from sleep, and it's running and has a network port probably, you need a firewall.

 

Make sure you have a firewall setup to drop all incoming packets except ones belonging to previously established outgoing connections, and ones related to servers you intentionally want to run.

 

Drop all outgoing packets unless the source port is one of those ephemeral source port ones, or if they're related to connections to existing servers.

 

Drop traffic on 'lo', unless it's for a server you intend to run. That will make it harder to chain exploits, by not allowing an exploited app to bypass the firewall. Commonly I see people just accepting any traffic on lo - makes me sad... if you're a dev and need to test with localhost, just make a veth and put it in a namespace, don't use the public host networking stack.

[Ashley MLP Fangirl]

2 hours ago, risk said:

If you have any backups or use cloud services, they can probably get those.

 

Here's a interesting tidbit, when someone steals a laptop to get stuff off of it, they won't shut it down. It'll still be powered on and will have the keys in ram, preventing syphoning of those is important as well. The contents of the ram and keys can be grabbed while the ram is powered on and rest of the machine is asleep, I'm not sure if Ubuntu by default locks your volumes before sleeping - if not ... you need a couple of things....

Automatic updates - set to download but not install.

If your machine is older and still has FireWire, disable it, if you have thunderbolt and no vt-d either on chipset or cpu, look into disabling thunderbolt and using it as a displayport only. If you have vt-d look into securing thunderbolt using it. There's also some USB guard software that Ubuntu doesn't have by default, normally USB drivers load and the device and driver are trusted by the machine.

 

Since the machine wakes up from sleep, and it's running and has a network port probably, you need a firewall.

 

Make sure you have a firewall setup to drop all incoming packets except ones belonging to previously established outgoing connections, and ones related to servers you intentionally want to run.

 

Drop all outgoing packets unless the source port is one of those ephemeral source port ones, or if they're related to connections to existing servers.

 

Drop traffic on 'lo', unless it's for a server you intend to run. That will make it harder to chain exploits, by not allowing an exploited app to bypass the firewall. Commonly I see people just accepting any traffic on lo - makes me sad... if you're a dev and need to test with localhost, just make a veth and put it in a namespace, don't use the public host networking stack.

i always shut it down. my laptop has a really fast ssd in it, and boots up in 10 secs. it's only on when i'm using it... i'm not that crazy about securtiy, i just wondered how safe it was.