Is encrypting the home folder enough?

[Lilmothiit]

When I installed linux mint on my machine I chose to encrypt the home folder. But I can't help but wonder - is this enough to protect my data from unauthorized access? Is this the same as encrypting the entire drive? And if I need to do something more to protect my data, what should I use? I have been looking at VeraCrypt lately, but I am not sure if that is my best option.

And while I am asking some specific questions, it would be sweet if this thread became something of a general security threat on how to protect yourself and your data while online.

[Moem]

Are you talking about local access, or remote access? Is this a computer that stays at home or one that travels with you? How secure is your living situation?

[GS3]

You need to understand a few security concepts. Encrypting your home folder "only" protects data at rest. If the computer or HDD is stolen they cannot access the data without the password but, while the drive is mounted it is completely open and transparent.

So you need to understand what you are trying to protect against before anyone can recommend any protection measures.

[Lilmothiit]

I am concerned with local access (unauthorized access by house mates, burglars, etc) for the most part, but remote access is something I also want to harden myself against. If for no other reason than to annoy anyone trying to hack me.

This computer stays at home, but I can't rule out wanting to take it with me if I were to travel interstate or abroad.

I consider my living situation to be secure as I live in an area where break ins are uncommon, and I put my laptop away when not in use. I don't lock it away, but it is put away. That said, I do have two house mates. I trust them, but you never really know...

I use password protected wifi when doing anything financial related, and I store all the passwords in a password manager (KeePassXC). I don't let any site remember the passwords for me!

If you need any more information, let me know!

[Lilmothiit]

Bumping to see if I get any more responses.

[now3by]

For protecting against data theft and unauthorized access you can use:
- FULL HDD/SSD real-time encryption with password at computer power UP ( you need BIOS and HDD/SSD firmware support and it will protect all data on HDD ).
- BIOS power on password. ( you need BIOS support ).
- Home folders encrypted. ( you need OS support and this is not the same as the full hdd encryption ).
- Password manager. ( SW support ).
- Encrypted containers and/or VB/VM. ( OS/SW support ).
...

For protecting your data/computer when it is ON & Online you need:
- Good Firewall with IDS for WAN/LAN ( OPNSense ).
- SW Firewall for computer ( UFW ).
- HW firewall for computer ( if it support AMT with Defense rules ).
- Encrypted containers and/or VirtualBox/Containers.
...

All this require some advanced IT knowledge and to respect all the time the rules of how to be safe on internet.

[Lilmothiit]

Looks like I would need considerably more IT know-how than I actually have. That said, there are things I can do, and that's better than nothing.

What is the easiest way to do full disk encryption with Linux Mint? Is that something you have to do when you install it, or can you do it at any point?

[Mute Ant]

"...the easiest way..." Use the built-in option to install with whole-OS encryption. One drive holding one encrypted OS.

Here's a few points to ponder...

o If you use encryption worth having, like LUKS, it works. You absolutely must not 'forget' the encryption pass-phrase. Without a valid pass-phrase the protected data is lost beyond hope of recovery. LUKS supports more than one pass-phrase for the same data.

o There is a heavy calculation overhead reading and writing encrypted data, comparable to playing a commercial DVD. If you use encryption, an adequate CPU will get hotter, an inadequate CPU will appear slower. Either way, encryption will reduce the useful work done by one charge of a battery-powered computer.

o Having all your files duplicated in a safe place is a good start, but not instantly useful if something goes wrong with the encryption system. You have to be more-than-normally prepared for the whole drive being suddenly blank next time you try to use it. That might be a relatively small encrypted drive... 64GB say... imaged into the file-system of a relatively large... 1TB removable drive. An encrypted OS does not 'zip' very much at all, so there's no benefit using compressing methods.

o Encryption and LVM add two more 'firmware' weak-spots where the OS can fail. Normally there's only Partitioning and File-system.

[GS3]

Full Disk Encryption (FDE) requires that the hard disk and the mobo support it but it is completely transparent to the OS and does not put any more work on the CPU or the OS because the HDD itself does all the encrypting and decrypting. The OS does not even know it's happening. The BIOS/UEFI supplies the HDD with the password at startup and from there on it is completely transparent. It protects the information on the hard disk once it is powered down but as long as it is up and running it is open to the OS and any attacks which come that way.

I would say this is the highest level of possible disk encryption. Change the password on the HDD and you have erased all information. Gone forever. No need to format or delete anything.