Beginners • Re: To encrypt or not to encrypt?

A system with an encrypted rootfs can boot unattended if the unlock key is on a 2nd USB disk/stick/whatever on the system. But leaving the key disk on the system obviously creates an exposure if someone takes your personal data AND the key disk. You can also unlock it via SSH secured by a key in addition to, or instead of, the key disk.

The performance hit for an encrypted disk will be higher on a Pi4 than on a Pi5, since the Pi4 doesn't have the encryption instructions in hardware, while the Pi5 does. Will you notice the performance hit? It depends on what you're doing, so only you can decide that.

I created a tool to encrypt a RasPiOS/Debian/Debian-derivative system's rootfs, and I don't run ANY of my systems with encryption. Your "From what I read" summary pretty much explains all the reasons why I don't.

That said, if you are still interested in disk encryption, or want to encrypt a disk to evaluate the performance hit yourself, have a look at this page which documents one way to get that rootfs encrypted, and also includes some raw performance data backing my performance comment above. It can be used on an existing rootfs or when building a fresh new disk.

Statistics: Posted by bls — Tue Oct 15, 2024 1:35 pm

---