Encrypted Lock Screens?

I really like the disk encryption to secure my funds, but my problem is I practically never have my computer off. I live a very busy life and shutting it down totally every night is entirely impractical, so at most I typically suspend/lock it. I have my suspicions that this lock screen does very little against an attacker that might have the computer in their hands. Am I right? Is having disk encryption pointless if I never turn off my computer? Is there any software that can enable lock-screen encryption?

security encryption

asked Mar 27 '14 at 5:59
user262494

4 Answers

          I thought the same thing, which is how I found your question.



          But then I realized, programs cannot really keep running if all the data (including their own code) is suddenly encrypted. And data might be in RAM anyway if programs are running.



So the only way to encrypt things is if all programs stop running, which doesn't happen when locking.

answered Jun 10 '17 at 9:04
Mark

Full disk encryption is a great security measure, but it is seen as a way of preventing physical access to the machine's data. Before disk encryption, physical access to a HDD was all it took to gain access to data. When you are able to take out the HDD, you can use any other system to look at the data, so you can't think of it as secure just because someone doesn't know your root password.



It is completely possible to have an encrypted system that has suspend-to-disk support. This, in combination with ensuring that your RAM and any swap are kept secure, is an imperfect method to keep you safer in your situation.



            Once you've helped to secure against physical threats, you have to then take a look at how the system itself is vulnerable. By connecting your machine to the Internet, you are exposing it to potential problems. If you're serious enough, you should consider using an encrypted, 'cold-storage' system, where you limit the connectivity, or only interact via thumb drive or serial port.



Other options are to add additional layers of encryption to your data, and only keep that data unlocked while it's in use. The point is to take advantage of keeping the data encrypted as long as possible, and only decrypt when needed, and not to suggest excessive use of multiple/cascade encryption. This would mean that any adversary having access to the system would need to take time to decrypt the data. Unless, of course, you leave the data unlocked, or leave the key somewhere accessible. Additionally, there are many ways to hide data in data, and utilize one-time pads, to better secure information.



Even by encrypting and not leaving the keys available for individual datasets, someone with enough time and access could eventually unlock the data. For something such as passwords, this can be mitigated by changing the passwords frequently, and re-encrypting the dataset with a new key at that time. For something that needs to be kept secret over a longer period of time, and you have a physically secure location, a simple solution may be to store encrypted data on a thumb drive that you only connect to the machine when needed, and then place the drive in a safe.



Certificate Authorities who provide proper key storage provide good examples of how to secure data in situations that require a mixture of security and practicality of use.

edited May 12 at 18:42
answered May 12 at 18:36
earthmeLon

              Let me answer the question first and then propose an option for encryption at the lock screen.



              You are correct in saying that your data is not encrypted when the lock screen is visible. If you're using full-disk encryption (FDE), your data is decrypted at boot time before the login screen is shown and remains decrypted until the system is powered down. If you, like the OP, used home directory encryption, your data is decrypted when you log into your account and remains encrypted until you log out of your account which can happen during logoff or shutdown. The fact that your data is decrypted when you are logged in does not make encryption pointless. If someone gains physical access to your computer, the only way around your login screen is to enter your current password, or reboot the system and modify some files. If they reboot, your system (FDE) or user files (home directory encryption) will be in an encrypted state, offering you protection from disclosure. There is no backdoor that I am aware of that would allow someone sitting at your keyboard to bypass the lockscreen unless they already had some form of remote control.



              Now, in the event that your system has been compromised and a backdoor has been created providing an attacker remote access, your system will be vulnerable any time your system or files are decrypted. No amount of encryption will help you in this case. Your only solutions to protect your files are to 1) take them and the system offline, and 2) remove the malware.



              A lock screen encryption option:

If you would like to be able to encrypt your files whenever you lock your screen, you are still not without options. You could create an encrypted file container and keep your sensitive files in that container. Then you can either manually lock the file container before locking your screen, or write a simple script that would lock the file container and then lock the screen. In this way, your files could be encrypted even while your system is in a running state. All you would need to do is decrypt the file container when you want to use it.

This can all be accomplished with VeraCrypt, or, if you, like me, would prefer to use LUKS...



              #-------------------- Setup --------------------#
              # Create a sparse file that grows on demand; bs*seek is the maximum
              # container size (here 1G).
              dd of=~/encrypted-fc count=0 seek=1 bs=1G
              sudo cryptsetup luksFormat ~/encrypted-fc          # set up file container encryption
              sudo cryptsetup luksOpen ~/encrypted-fc enc-fc     # decrypt the file container
              sudo mkfs.ext4 /dev/mapper/enc-fc                  # create a file system in the container
              sudo cryptsetup luksClose enc-fc                   # lock (encrypt) the file container

              #--------------------- Usage ---------------------#
              sudo cryptsetup luksOpen ~/encrypted-fc enc-fc     # decrypt the file container
              sudo mount /dev/mapper/enc-fc /your/mount/point    # mount decrypted container

              sudo umount /dev/mapper/enc-fc                     # unmount decrypted container
              sudo cryptsetup luksClose enc-fc                   # lock (encrypt) the file container






                I'm pretty sure it is pointless to have disk encryption if you never turn the computer off. I could be wrong though.



                But if you never turn it off, it will never boot to the screen that unencrypts your hard drive. So it is pretty much always unencrypted.



                Do you have a /home partition that is encrypted? If so, if someone were to steal it, they would not have access to all the files in your user account, so therefore, if it requires your user password, it would be safe.



                So in short, if just your hard disk is encrypted, yes it is pointless. If you have a separate /home partition, you should be ok if that is encrypted because they cannot access those files.







                  I do indeed have my /home partition encrypted. My concern was if someone had my computer and it was at lock screen, could they not use some simple exploit to get around the password? Encrypted home folder wouldn't matter in that case, would it?
                  – user262494
                  Mar 27 '14 at 6:42













                Your Answer








                StackExchange.ready(function() {
                var channelOptions = {
                tags: "".split(" "),
                id: "89"
                };
                initTagRenderer("".split(" "), "".split(" "), channelOptions);

                StackExchange.using("externalEditor", function() {
                // Have to fire editor after snippets, if snippets enabled
                if (StackExchange.settings.snippets.snippetsEnabled) {
                StackExchange.using("snippets", function() {
                createEditor();
                });
                }
                else {
                createEditor();
                }
                });

                function createEditor() {
                StackExchange.prepareEditor({
                heartbeatType: 'answer',
                convertImagesToLinks: true,
                noModals: true,
                showLowRepImageUploadWarning: true,
                reputationToPostImages: 10,
                bindNavPrevention: true,
                postfix: "",
                imageUploader: {
                brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
                contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
                allowUrls: true
                },
                onDemand: true,
                discardSelector: ".discard-answer"
                ,immediatelyShowMarkdownHelp:true
                });


                }
                });














                 

                draft saved


                draft discarded


















                StackExchange.ready(
                function () {
                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f439782%2fencrypted-lock-screens%23new-answer', 'question_page');
                }
                );

                Post as a guest















                Required, but never shown

























                4 Answers
                4






                active

                oldest

                votes








                4 Answers
                4






                active

                oldest

                votes









                active

                oldest

                votes






                active

                oldest

                votes








                up vote
                1
                down vote













                I thought the same thing, which is how I found your question.



                But then I realized, programs cannot really keep running if all the data (including their own code) is suddenly encrypted. And data might be in RAM anyway if programs are running.



                So the only way to encrypt things is if all programs stop running, which doesn't happen when locking.






                share|improve this answer

























                  up vote
                  1
                  down vote













                  I thought the same thing, which is how I found your question.



                  But then I realized, programs cannot really keep running if all the data (including their own code) is suddenly encrypted. And data might be in RAM anyway if programs are running.



                  So the only way to encrypt things is if all programs stop running, which doesn't happen when locking.






                  share|improve this answer























                    up vote
                    1
                    down vote










                    up vote
                    1
                    down vote









                    I thought the same thing, which is how I found your question.



                    But then I realized, programs cannot really keep running if all the data (including their own code) is suddenly encrypted. And data might be in RAM anyway if programs are running.



                    So the only way to encrypt things is if all programs stop running, which doesn't happen when locking.






                    share|improve this answer












                    I thought the same thing, which is how I found your question.



                    But then I realized, programs cannot really keep running if all the data (including their own code) is suddenly encrypted. And data might be in RAM anyway if programs are running.



                    So the only way to encrypt things is if all programs stop running, which doesn't happen when locking.







                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered Jun 10 '17 at 9:04









                    Mark

                    20618




                    20618
























                        up vote
                        0
                        down vote













                        Full disk encryption is a great security measure, but it is seen as a ways of preventing physical access to the machine's data. Before disk encryption, physical access to a HDD was all it took to gain access to data. When you are able to take out the HDD, you can use any other system to look at the data, so you can't think of it as secure just because someone doesn't know your root password.



                        It is completely possible to have an encrypted system that has suspend-to-disk support. This, in combination of ensuring that your RAM and any swap is kept secure, is an imperfect method to keep you safer in your situation.



                        Once you've helped to secure against physical threats, you have to then take a look at how the system itself is vulnerable. By connecting your machine to the Internet, you are exposing it to potential problems. If you're serious enough, you should consider using an encrypted, 'cold-storage' system, where you limit the connectivity, or only interact via thumb drive or serial port.



                        Other options are to add additional layers of encryption to your data, and only keep that data unlocked while it's in use. The point is to take advantage of keeping the data encrypted as long as possible, and only decrypt when needed, and not to suggest excessive use of multiple/cascade encryption. This would mean that any adversary having access to the system would need to take time to decrypt the data. Unless, of course, you leave the data unlocked, or leave they key somewhere accessible. Additionally, there are many ways to hide data in data, and utilize one-time pads, to better secure information.



                        Even by encrypting and not leaving the keys available for individual datasets, someone with enough time and access could eventually unlock the data. For something such as passwords, this can be mitigated by changing the passwords frequently, and re-encrypting the dataset with a new key at that time. For something that needs to be kept secret over a longer period of time, and you have a physically secure location, a simple solution may be to store encrypted data on a thumb drive that you only connected to the machine when needed, and then place the drive in a safe.



                        Certificate Authorities who provide proper key storage provide good examples of how to secure data in situations that require a mixture of security and practicality of use.






                        share|improve this answer



























                          up vote
                          0
                          down vote













                          Full disk encryption is a great security measure, but it is seen as a ways of preventing physical access to the machine's data. Before disk encryption, physical access to a HDD was all it took to gain access to data. When you are able to take out the HDD, you can use any other system to look at the data, so you can't think of it as secure just because someone doesn't know your root password.



                          It is completely possible to have an encrypted system that has suspend-to-disk support. This, in combination of ensuring that your RAM and any swap is kept secure, is an imperfect method to keep you safer in your situation.



                          Once you've helped to secure against physical threats, you have to then take a look at how the system itself is vulnerable. By connecting your machine to the Internet, you are exposing it to potential problems. If you're serious enough, you should consider using an encrypted, 'cold-storage' system, where you limit the connectivity, or only interact via thumb drive or serial port.



                          Other options are to add additional layers of encryption to your data, and only keep that data unlocked while it's in use. The point is to take advantage of keeping the data encrypted as long as possible, and only decrypt when needed, and not to suggest excessive use of multiple/cascade encryption. This would mean that any adversary having access to the system would need to take time to decrypt the data. Unless, of course, you leave the data unlocked, or leave they key somewhere accessible. Additionally, there are many ways to hide data in data, and utilize one-time pads, to better secure information.



                          Even by encrypting and not leaving the keys available for individual datasets, someone with enough time and access could eventually unlock the data. For something such as passwords, this can be mitigated by changing the passwords frequently, and re-encrypting the dataset with a new key at that time. For something that needs to be kept secret over a longer period of time, and you have a physically secure location, a simple solution may be to store encrypted data on a thumb drive that you only connected to the machine when needed, and then place the drive in a safe.



                          Certificate Authorities who provide proper key storage provide good examples of how to secure data in situations that require a mixture of security and practicality of use.






                          share|improve this answer

























                            up vote
                            0
                            down vote










                            up vote
                            0
                            down vote









                            Full disk encryption is a great security measure, but it is seen as a ways of preventing physical access to the machine's data. Before disk encryption, physical access to a HDD was all it took to gain access to data. When you are able to take out the HDD, you can use any other system to look at the data, so you can't think of it as secure just because someone doesn't know your root password.



                            It is completely possible to have an encrypted system that has suspend-to-disk support. This, in combination of ensuring that your RAM and any swap is kept secure, is an imperfect method to keep you safer in your situation.



                            Once you've helped to secure against physical threats, you have to then take a look at how the system itself is vulnerable. By connecting your machine to the Internet, you are exposing it to potential problems. If you're serious enough, you should consider using an encrypted, 'cold-storage' system, where you limit the connectivity, or only interact via thumb drive or serial port.



                            Other options are to add additional layers of encryption to your data, and only keep that data unlocked while it's in use. The point is to take advantage of keeping the data encrypted as long as possible, and only decrypt when needed, and not to suggest excessive use of multiple/cascade encryption. This would mean that any adversary having access to the system would need to take time to decrypt the data. Unless, of course, you leave the data unlocked, or leave they key somewhere accessible. Additionally, there are many ways to hide data in data, and utilize one-time pads, to better secure information.



                            Even by encrypting and not leaving the keys available for individual datasets, someone with enough time and access could eventually unlock the data. For something such as passwords, this can be mitigated by changing the passwords frequently, and re-encrypting the dataset with a new key at that time. For something that needs to be kept secret over a longer period of time, and you have a physically secure location, a simple solution may be to store encrypted data on a thumb drive that you only connected to the machine when needed, and then place the drive in a safe.



                            Certificate Authorities who provide proper key storage provide good examples of how to secure data in situations that require a mixture of security and practicality of use.






                            share|improve this answer














                            Full disk encryption is a great security measure, but it is seen as a ways of preventing physical access to the machine's data. Before disk encryption, physical access to a HDD was all it took to gain access to data. When you are able to take out the HDD, you can use any other system to look at the data, so you can't think of it as secure just because someone doesn't know your root password.



                            It is completely possible to have an encrypted system that has suspend-to-disk support. This, in combination of ensuring that your RAM and any swap is kept secure, is an imperfect method to keep you safer in your situation.



                            Once you've helped to secure against physical threats, you have to then take a look at how the system itself is vulnerable. By connecting your machine to the Internet, you are exposing it to potential problems. If you're serious enough, you should consider using an encrypted, 'cold-storage' system, where you limit the connectivity, or only interact via thumb drive or serial port.



                            Other options are to add additional layers of encryption to your data, and only keep that data unlocked while it's in use. The point is to take advantage of keeping the data encrypted as long as possible, and only decrypt when needed, and not to suggest excessive use of multiple/cascade encryption. This would mean that any adversary having access to the system would need to take time to decrypt the data. Unless, of course, you leave the data unlocked, or leave they key somewhere accessible. Additionally, there are many ways to hide data in data, and utilize one-time pads, to better secure information.



                            Even by encrypting and not leaving the keys available for individual datasets, someone with enough time and access could eventually unlock the data. For something such as passwords, this can be mitigated by changing the passwords frequently, and re-encrypting the dataset with a new key at that time. For something that needs to be kept secret over a longer period of time, and you have a physically secure location, a simple solution may be to store encrypted data on a thumb drive that you only connected to the machine when needed, and then place the drive in a safe.



                            Certificate Authorities who provide proper key storage provide good examples of how to secure data in situations that require a mixture of security and practicality of use.







                            share|improve this answer














                            share|improve this answer



                            share|improve this answer








                            edited May 12 at 18:42

























                            answered May 12 at 18:36









                            earthmeLon

                            6,1461648




                            6,1461648






















                                up vote
                                0
                                down vote













                                Let me answer the question first and then propose an option for encryption at the lock screen.



                                You are correct in saying that your data is not encrypted when the lock screen is visible. If you're using full-disk encryption (FDE), your data is decrypted at boot time before the login screen is shown and remains decrypted until the system is powered down. If you, like the OP, used home directory encryption, your data is decrypted when you log into your account and remains encrypted until you log out of your account which can happen during logoff or shutdown. The fact that your data is decrypted when you are logged in does not make encryption pointless. If someone gains physical access to your computer, the only way around your login screen is to enter your current password, or reboot the system and modify some files. If they reboot, your system (FDE) or user files (home directory encryption) will be in an encrypted state, offering you protection from disclosure. There is no backdoor that I am aware of that would allow someone sitting at your keyboard to bypass the lockscreen unless they already had some form of remote control.



                                Now, in the event that your system has been compromised and a backdoor has been created providing an attacker remote access, your system will be vulnerable any time your system or files are decrypted. No amount of encryption will help you in this case. Your only solutions to protect your files are to 1) take them and the system offline, and 2) remove the malware.



                                A lock screen encryption option:

                                If you would like to be able to encrypt your files whenever you lock your screen, you are still not without options. You could create an encrypted file container, keep your sensitive files in that container. Then you can either manually lock the file container before locking your screen or write a simple script that would lock the file container and then lock the screen. In this way, your files could be encrypted even while your system is in a running state. All you would need to do is decrypt the file container when you want to use it.

                                This can all be accomplished with VeraCrypt, or if you, like I, would prefer to use LUKS...



                                #-------------------- Setup --------------------#
                                dd of=~/encrypted-fc count=0 seek=1 bs=1G # bs should reflect maximum desired
                                # container size. This command creates
                                # a sparse file that will grow
                                sudo cryptsetup luksFormat ~/encrypted-fc # set up file container encryption
                                sudo cryptsetup luksOpen ~/encrypted-fc enc-fc # decrypt the file container
                                sudo mkfs.ext4 /dev/mapper/enc-fc # create a file system in the container
                                sudo cryptsetup luksClose enc-fc # lock (encrypt) the file container

                                #--------------------- Usage ---------------------#
                                sudo cryptsetup luksOpen ~/encrypted-fc enc-fc # decrypt the file container
                                sudo mount /dev/mapper/enc-fc /your/mount/point # mount decrypted container

                                sudo umount /dev/mapper/enc-fc # umount decrypted container
                                sudo cryptsetup luksClose enc-fc # lock (encrypt) the file container
                                    edited Nov 22 at 0:18
                                    answered Nov 21 at 9:14
                                    b_laoshi
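The "simple script that would lock the file container and then lock the screen" suggested in the answer above, written out as an added example (it is not the answerer's code). It assumes the container file and mapper name from the answer's setup commands, a mount point of ~/vault, and a screen locker reachable through loginctl or xdg-screensaver; all three are assumptions to adjust.

```shell
#!/bin/sh
# lock-container.sh: close the LUKS file container from the answer above, then
# lock the screen, so nothing in the container is readable while the lock
# screen is up. Added example, not the answerer's code. Container path, mapper
# name and mount point are assumptions; adjust them to your own setup.
set -eu

CONTAINER="${CONTAINER:-${HOME:-.}/encrypted-fc}" # sparse file from dd + luksFormat
MAPPER_NAME="${MAPPER_NAME:-enc-fc}"              # name given to luksOpen/luksClose
MAPPER_DEV="/dev/mapper/$MAPPER_NAME"
MOUNT_POINT="${MOUNT_POINT:-${HOME:-.}/vault}"    # assumed mount point

# Unmount, then luksClose. A program still holding a file open makes umount
# fail; the key then stays in the kernel and the data stays readable, so the
# caller has to know. Returns 0 only when the mapping is really gone.
close_container() {
    if mountpoint -q "$MOUNT_POINT"; then
        sudo umount "$MOUNT_POINT" || {
            echo "umount $MOUNT_POINT failed: something still has a file open" >&2
            return 1
        }
    fi
    if [ -e "$MAPPER_DEV" ]; then
        sudo cryptsetup luksClose "$MAPPER_NAME" || return 1
    fi
    [ ! -e "$MAPPER_DEV" ]
}

# First available screen locker: systemd-logind, then the xdg wrapper.
pick_locker() {
    for cmd in loginctl xdg-screensaver; do
        if command -v "$cmd" >/dev/null 2>&1; then echo "$cmd"; return 0; fi
    done
    return 1
}

lock_screen() {
    locker=$(pick_locker) || locker=""
    case "$locker" in
        loginctl)        loginctl lock-session ;;
        xdg-screensaver) xdg-screensaver lock ;;
        *) echo "no screen locker found" >&2; return 1 ;;
    esac
}

# Close first, lock second. If closing fails the screen is still locked
# (better than nothing) but the status is 1 so a wrapper can warn the user.
lock_sequence() {
    rc=0
    close_container || rc=1
    lock_screen
    return "$rc"
}

open_container() {
    sudo cryptsetup luksOpen "$CONTAINER" "$MAPPER_NAME"
    sudo mount "$MAPPER_DEV" "$MOUNT_POINT"
}

# Bind 'lock-container.sh lock' to the lock-screen shortcut; no argument = define only.
case "${1:-}" in
    lock) lock_sequence ;;
    open) open_container ;;
esac
```

Run `lock-container.sh open` when you need the files and `lock-container.sh lock` when you walk away; a non-zero exit from `lock` means the container is still open and something still has a file in it.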
                                        up vote
                                        -1
                                        down vote
                                        I'm pretty sure it is pointless to have disk encryption if you never turn the computer off. I could be wrong though.



                                        But if you never turn it off, it will never boot to the screen that unencrypts your hard drive. So it is pretty much always unencrypted.



                                        Do you have a /home partition that is encrypted? If so, if someone were to steal it, they would not have access to all the files in your user account, so therefore, if it requires your user password, it would be safe.



                                        So in short, if just your hard disk is encrypted, yes it is pointless. If you have a separate /home partition, you should be ok if that is encrypted because they cannot access those files.
                                          I do indeed have my /home partition encrypted. My concern was if someone had my computer and it was at lock screen, could they not use some simple exploit to get around the password? Encrypted home folder wouldn't matter in that case, would it?
                                          – user262494
                                          Mar 27 '14 at 6:42
                                        answered Mar 27 '14 at 6:32
                                        user262499