Today i took my first steps into the world of Linux by creating a bookable Mint Cinamon USB stick to fuck around on without wiping or portioning my laptop drive.
I realised windows has the biggest vulnerability for the average user.
While booting off of the usb I could access all the data on my laptop without having to input a password.
After some research it appears drives need to be encrypted to prevent this, so how is this not the default case in Windows?
I’m sure there are people aware but for the laymen this is such a massive vulnerability.
Same in Linux. No disk encryption and everything is easy accessible if you have physical access.
Unless someone ticked the “encrypt storage”-box in the installer, you don’t even have to pay for Pro to use it!
Physical access wouldn’t seem so hard. Say you worked at the company company and wanted to get the files your boss has on your evaluation or something. Wait till they’re on lunch, plug in a usb and pull them up.
I imagine patient records wouldn’t be encrypted either
Any respectable company with Windows would be using BitLocker - full disk encryption. It’s super easy to setup if your computer has TPM, fully transparent for the user in most cases.
such a “hack” would only work in a poorly written tv show
an unencrypted drive is like being able to look into a bank though a window, not ideal but things of value could/should/would still be in a safe or somewhere else completely
I imagine patient records wouldn’t be encrypted either
If computerised, they freaking well should be.
In general they’d be in a database with it’s own accesss control to interfaces and the databases data store should be encrypted. In my country there are standards for all healthcare IT systems that would include encryption and secure message exchange between systems. If they breached those they’d be in trouble.
If your doctor has a paper file in a filing cabinet on premises, written in English, then yes. The security is only the physical locks, just like your hme pc.
And this is why we say physical access is root access.
Absolutely it’s crazy that it’s so simple that you can do it in the space of 5v minutes.
Most Linux users run fully unencrypted drives as well. Its a vulnerability and a risk but its not a massive threat to the average person.
Idk if the average person is a laptop user but laptop users would definitely place a higher value on disk encryption.
This is not that big of a deal most of the time, since you are the only person interacting with your computer, but it’s worth remembering when you decide to recycle or donate – you have to securely wipe in that case. Also bear in mind, if you do encrypt your drive, there are now more possibilities for total data loss.
Oh, fun fact: you can change a users windows password inside Linux. Comes in handy for recovery, ie, user forgot their password.
I thought BitLocker was enabled by default on Windows 11, which is a terrible idea imo. Full disk encryption by default makes sense in professional settings, but not for the average users who have no clue that they’ll lose all their data if they lose the key. If I had a penny for every Windows user who didn’t understand the BitLocker message and saved the key on their encrypted drive, I’d have a lot of pennies. At the very least it should be prompted to give the user a choice.
This is true - it is enabled by default in win11. I disagree with you it being a terrible idea - imagine all the sentistive data people put on their hard drives - would they want to to fall in the wrong hands if they lose their computer? Or if their hard drives fails so they can do a secure wipe?
I’m not a fan of Microsoft, but they did solve the key issue in the enterprise setting by storing the key in they entrance identity. Same should be done for home consumers, since having a Microsoft account is being shoved in everyone’s throat anyway…
It’s a matter of perspective I guess. I’m not a fan of overkill security measures that get too much in the way of usability and risk creating problems for you, especially when physical access is a minor risk in most cases. I agree that having a Microsoft account to backup your key is a solution, but not a very good one since you trade vulnerability to a possible physical access that probably is never going to happen for the absolute certainty of your data being spied on by Microsoft…
Windows does not let you save the key to the drive being encrypted. (Unless you access it via SMB share, which I’ve done a number of times during setup before moving it off.)
You mean it prevents people from writing the key on a piece of paper when they get the BitLocker message, then copy it on a text file once their session is running and throw the paper away or lose it later ?
I’m happy that you’re on a journey of discovery. This is not an insult. The word is partition. Someone corrected me on the spelling of something last night. We all make mistakes.
(especially with reference to a country with separate areas of government) the action or state of dividing or being divided into parts.
Yes, any laptop without an encrypted storage drive will have its data accessible by someone booting from a live USB.
It really is a massive vulnerability, but it’s not well known because so few people even understand the concept of a ‘live USB’ to make it a widespread threat or concern.
So yeah, if you’re ever in possession of a Windows machine that doesn’t have an encrypted disk, you can view the users’ files without knowing their password via a live USB.
It’s also not limited to laptops.
While booting off of the usb I could access all the data on my laptop without having to input a password.
This is entirely expected behavior. You didn’t encrypt your drive, so of course that data is available if you sidestep windows login protections. Check out Bitlocker for drive encryption.
This is a case where Windows-bashing is hypocritical. Almost no Linux distro has disk encryption turned on by default (PopOS being the major exception).
It’s dumb and inexcusable IMO. Whatever the out-of-touch techies around here seem to think, normies do not have lumbering desktop computers any more. They have have mobile devices - at best laptops, mostly not even that.
If an unencrypted computer is now unacceptable on Android, then it should be on Linux too. No excuses.
It’s dumb and inexcusable IMO
No, it’s a choice, because:
-
History… encryption didn’t exist in the beginning. Upgrades won’t enable it.
-
Recovery… try telling the people that didn’t backup the encryption key - outside of the encrypted vault - that their data’s gone.
-
Performance… not such an issue these days, but it does slow your system down (and then everyone complains)
So, please continue to encrypt your data as you choose and be less judgemental on others, esp. anyone new
No excuses.
Blah blah blah. Unencrypted data is the wrong default in 2025 for any OS. Linux should not be a poor man’s OS.
It depends on your use-case.
Encryption of data at rest (this discussion) is mostly helpful for physical theft, so a device that never leaves the house, there’s little reason for encryption.
Similarly, on a lower powered mobile device, maybe you only want / need user data to be encrypted, and there’s no need to encrypt the OS, which keeps the performance up.
Maybe you want the whole thing encrypted on your high performance laptop.
So, it’s difficult to define a sane default for everyone, thus making it an option for the end user to decide on.
Linux has more choice than Windows - and the encryption algorithm(s) can be verified - so it’s definitely the better choice.
I will definitely say I wish encryption setup was a lot easier in Linux. Windows is like “wanna Bitlocker?” Done.
With most Linux installers, if you’re not installing in a very default way, and clicking that box to encrypt the drive, it’s time to go seriously digging. For a while.
I managed to encrypt a secondary drive with the same password on my EndeavourOS laptop, but I still need to enter the same password 2 times before getting into the OS.
I consider that a feat, and I’m not touching it for fear of losing everything lol.
Yes, I feel your pain.
Encryption drives sound like a good idea until the subject of unlocking them comes up… and automatically unlocking the drive for the OS isn’t really helping.
But, for user data, it can be unlocked automatically during login. The Arch wiki covers this.
But backup your data 😉
-
If an unencrypted computer is now unacceptable on Android, then it should be on Linux too. No excuses.
When is the last time you carried your desktop outside? Forgot it somewhere?
Almost no Linux distro has disk encryption turned on by default (PopOS being the major exception).
it’s usually an option in the guided disk partition
If an unencrypted computer is now unacceptable on Android, then it should be on Linux too. No excuses.
Linux is about choice, not whatever someone else thinks it’s acceptable
so how is this not the default case in Windows?
It actually is now
And people are pissed because they don’t realize, and when they don’t have the key any more, all their data is gone!
