monovergent

Well said. LUKS implements AES-256, which is also entrusted by the U.S. government and various other governments to protect data from state and non-state adversaries.

Possibly overestimating the value of the data entrusted to me, but whenever I see that xkcd, I like to think that I at least have the option to remain silent and die with dignity if I really don't want the contents of my disk out there.

I wish I found a guide like that back when I first made the move to FDE. Regardless, I was adamantly against reinstalling and painstakingly replicating my customizations, so I came up with a hacky way of tacking on FDE.

It went something along the lines of:

1. Shrinking the root partition as much as possible
2. From Live CD, dd root partition to external drive
3. Perform minimal encrypted install of Debian
4. From Live CD, open LUKS container of the newly-installed Debian and overwrite the root partition within with my old root partition.
5. Update fstab, crypttab, initramfs, and grub
6. Cross my fingers and reboot

It's been quite a journey:

• Posting accurate personal info to my Google+ account when I first signed up
• Signing in to Google on my phone and browser
• Using an Android phone from eBay of dubious origin
• Sending confidential info via email
• Using the same gmail address for everything
• Signing up for things with my real info when it wasn't necessary
• Handing out my phone number to loyalty programs
• Running hacked game APKs without checking for malware
• Using the User Agent Switcher extension on MS Edge, which was subsequently updated to include an infostealer
• Using browser extensions of unknown provenance

How to avoid:

• Ironically, Windows 10 started me on my privacy journey. Microsoft was in my face enough with privacy offenses that I began moving to Linux and investing time into my privacy.
• Don't post unnecessary info to social media.
• Never email confidential info.
• Use a password manager, or at least some organized text file if you have an encrypted disk.
• FOSS software is more available and user-friendly than ever, always look for a FOSS alternative.

Work and networking (people) makes fully ditching Google, Whatsapp, etc. a practical impossibility for me. So I have a laptop, tablet, and phone dedicated to those purposes and nothing else. I check them on a schedule that my colleagues are aware of, at locations I consider safe. Otherwise they are stowed away, out of sight, and out of mind.

The text editor shortcut on my taskbar runs a sort of autosave script in ~/.drafts. I wanted my text editor to function more like the one on my phone so I can just jot down random thoughts without going through the whole ritual of naming and saving. It creates YYYYMMDD_text in ~/.drafts (or YYYYMMDD_text_1 etc. if it already exists) and launches Pluma, which I also have configured to autosave every 10 minutes.

The other thing extends beyond Linux itself a bit. I like to joke that I have the most secure NT 4 / Windows 95 lookalike ever put together. Aside from the encrypted and hardened Debian base (/boot is also encrypted), I was in part inspired by Apple's parts pairing (yikes!). So my coreboot is configured to only accept my boot disk. If it's swapped out or missing, or if I want to boot something else, it will ask for a password. In the unlikely event my machine gets stolen, the thief must at a minimum reflash the BIOS or replace the motherboard to make it useful again. Idk, it amuses me every time I think about it.

Reminds me of a time in biology class

Q: What's a resource everyone has access to?

A: ~~Water~~

Skin.

My plan if something like that happens to me is to get a normie Android with a removable battery (like the Samsung xcover pro) and only ever power it on if I need to use those apps. Granted, not everyone wears pants with 6 pockets.

As someone who deals with Windows software and mobile apps of dubious provenance at a BYOD workplace:

• Get a separate device with sufficient horsepower to handle whatever work, school, etc. throws at it. Used ThinkPads and unlocked Google Pixels are a good bet.
• Pick a small and light laptop if you also need to have your primary one on hand. Preferably, both can use the same USB-C charger.
• Use that device for work-related things and nothing else. Assume it is compromised.
• Connect to a separate access point if you need to use it at home.

If a phone or tablet (preferably with GrapheneOS) will suffice, go for it:

• Recent Android and iOS versions have much stronger sandboxing than PCs and laptops in general. Spyware can still do a lot on mobile devices, but not nearly as comprehensively as on PCs and laptops.
• i.e. Commercial spyware can easily plant rootkits and kernel-level trackers on a laptop, but this would be much harder on an up-to-date mobile device.
• For Android devices that support it, limit work and MDM apps to a secondary profile and close that profile when not actively using the phone.
• Turn off cellular, wifi, bluetooth, and location when not actively in use.

If the offender is your partner, practice good digital hygiene, never let them touch your devices, and good luck.

Perhaps several years due to socks and shoes wearing out. The rest should last several decades, assuming I quit using the dryer.

It's nice getting a glimpse as to what fraction of Linux users are using disk encryption. Full disk encryption is becoming the default on mainstream OSes, but not in most of the Linux installers I've encountered. Always made me curious just how many people went out of their way to encrypt their Linux install.

I personally encrypt everything except for VMs already in an encrypted device or USB drives that need to work with non-Linux machines. It'd be interesting to hear what other people's reasons to encrypt their disks or not are.

Biolinum O for desktop

Liberation Mono for terminal