Ask HN: How do you encrypt your laptops?

78 points by codegeek ↗ HN
Read this story about lost macbook pro [0], I am wondering about the encryption tools for laptops. Even though a lot of work we do these days is on cloud (github/bitbucket/gitlab, dropbox etc), I still would hate to lose my laptop specially if unencrypted

[0] https://news.ycombinator.com/item?id=11759741

154 comments

[ 2.3 ms ] story [ 213 ms ] thread
I use Mac OS X FileVault2, with a firmware password. It's incredibly easy to set up and should be good enough to protect my data from the majority of thieves.

Coupled with encrypted Time Machine backups and Arq[0] I feel relatively ok about losing my machine.

[0] https://www.arqbackup.com

"I feel relatively ok about losing my machine." Does that mean you'd feel enthusiastic about donating it? :)
Thx. I am a relatively new Mac user and didn't realize this existed. Will try this. Any weird issues or edge cases to consider before turning this on ?
Yes. FileVault is awesome, but if your encrypted filesystem ever gets corrupted (which can and does happen), your encrypted data is useless and your volume is toast until it's wiped and re-imaged. Surprisingly I have never had this happen, but more than one friend has reported losing their data due to FS corruption with FileVault enabled. I suppose it can be mitigated with a solid Time Machine/backup routine.
Yep, happened to me and I've never used FileVault again.

I had a TimeMachine backup too but hadn't synced recently and ended up doing a bunch of hackery to recover the un-synced data :(

I much prefer 2FA & revocable certificates on remote accounts so I'm not worried about unauthorized access, and anything else important is encrypted independently.

I have used FileVault since it was released many many years ago. In the beginning there was a fairly severe performance penalty, but it's solid now. I highly recommend using it. On an SSD, at least, but spinning disks + FileVault is border line unusable IMO.
Just so you're aware, the firmware password on a Mac can easily be bypassed by anyone with an SPI writer. [1] Using a teensy and a chip clip, someone can clear the password or bypass the password check completely.

So, it will keep the honest out, but for someone who knows what they're doing, it will only prove a mild inconvenience.

This obviously doesn't help them bypass FDE, but in case they want to steal the laptop and not have a brick, the SPI writer works a treat.

[1] https://trmm.net/SPI_flash

FDE is not supposed to be an anti-stealing mechanism anyway.

Besides any potential thief wont even know whether you're running FDE or not on the laptop they steal, or whether it would be bricked or not. They can always sell it for its parts (screen, etc) anyway.

It actually is a mechanism to reduce impact of theft. Someone with access to your computing hardware might modify it to subvert the system, read keystrokes, decrypt drive, leak it, and so on. This can be as simple as Customs installing something as you leave the country during an "inspection" then reading keys right off when you come back. Not saying it happens so much as a concern we had during a brainstorm. Or someone plugging in an attack tool into your Firewire port while you take a piss at Starbucks. Or you plug in USB drive they dropped with a radio and attack kit in its connector.

Whereas, if someone straight-up steals it, they have no chance of recovering data if the encryption is strong and key isn't in memory (eg cold boot). You can also transmit media through untrusted channels that way. Even NSA's Inline Media Encryptor, which my inspired my designs, has that use case.

>It actually is a mechanism to reduce impact of theft.

Sure, but that's different from anti-stealing (and I mean stealing the machine of course, not the data).

I did not know that, but at least they can't get my data. The machine is costly, but my work is much more so!
I use FileVault too on the laptop and it's fine. On the desktop it bogles the Blutooth (el capitan) and related devices (keyboard/mouse) which is VERY annoying.
I just use Truecrypt 7.1a, and encrypt the entire drive, so it requires a password before booting.
Does this affect performance? Esp for things like photoshop?
I don't use photoshop, nor can I offer anything other than my perception but I haven't noticed performance being reduced in any way.
As for performance, per DiskCryptor's wiki (windows only): "On the Intel Core 2 Quad Q6600 CPU, data encryption speed amounts to 104 MB/s per core. The maximum speed of reading the data from a single hard disk equals to 80 MB/s so it can work with up to 5 different disks without loss of performance, when using the aforementioned type of processor. In case if your disks are not operating under a constant high load, then it is possible to work with even higher number of disks, and on a weaker system, without losing the performance."

I would assume this is true for all encryption schemes. But, really the most advanced stuff runs on linux based machines, I would proffer.

I use Photoshop daily, and play some Steam games once in a while. My laptop is an ultrabook with a SSD. I can't see any impact on performance. If there is an impact, I'd need to setup benchmarks to identify it.
Oh that sounds cool.. Have u tried any other fork of truecrypt?
Yes that's what I do too and my external drives are also encrypted with it and use the same password. So one password on start-up mounts those as well and always to the same drive letter.

Having all memory sticks encrypted makes for wonderful peace of mind.

What laptop do you have? Truecrypt doesn't support UEFI which seems to be the only option every laptop has these days.
Samsung Series 9. It's almost three years old now, so that explains the lack of UEFI.
I use FileVault on my MacBook and LUKS on my Debian machine. The only thing I really can't afford to lose is photos and art (backedup to Google Drive and and an external hard drive), and SSH/GPG/etc. keys which are backed up to USBs. I could lose most of my hardware and be ok.
Yup, encrypt every time.

Otherwise, they may be able to snag your SSH RSA keys off of the hard drive, and if you've password protected it, they can try to brute force it.

Also, it helps safeguard against border patrol wanting to access your data while traveling.

Store your keys on a hardware token to reduce the chances of this happening (Nitrokey, Yubikey, OpenPGP smart card, etc.)
the way I read about Yubikey is that it is for websites, accounts, etc. Can you use it to log into your actual OS?
Yes, with a bit of setup and depending on your OS.

My problem with hardware tokens is simply that I lose them.

I keep mine on my car keys. Problem solved.
Then you (inevitably, Murphy's ...) lose your car keys. Now you have two problems. :p
Or stow a backup of your (yubikey) hardware in an encrypted (hopefully, zero-knowledge based) cloud service and restore when lost.
The Yubikey NEO (and the 4, but the 4 is more closed-source than the NEO) is basically a Javacard smartcard with OpenPGP and PIV (x.509) applets with standard interfaces. I have my GPG auth/sign/encrypt subkeys on it (master/certification key stays offline), and with gpg-agent it will present your GPG auth key as SSH credentials.

There are Yubikey-specific PAM modules you can use as a second factor for logging in locally, and there are probably ways to use standard smartcard authentication for login purposes as well but I don't have experience with that. I mainly use it for remote SSH login purposes.

They'd backdoor your machine instead. Same result.
Same result? With something like a Yubikey you can't (excepting any vulnerabilities) extract the private key data even with the admin PIN codes. Based on your PIN caching preferences an attacker may be able to sign/encrypt/decrypt data with your keys (suggest setting force PIN for sign and low TTL for pin caching in gpg-agent) but they won't be able to exfiltrate your private keys.
I'm running Debian, so I have LUKS full-disk encryption running; I consider it a sine qua non of running a personal computer.

I wish it were a bit easier to enable per-user encrypted home directories as well (yes, layered: CPUs are fast, and security is worth the cost), but … I'm lazy.

I don't understand...

If you've got the requisite ecryptfs packages installed, you can just run something like: "adduser --encrypt-home newusername" and there you go. It works on top of any filesystem, because it encrypts on a per-file basis.

Yeah, but (last time I installed) that wasn't an option at install time.
Ubuntu has that as an install-time feature, but then Ubuntu is definitely not Debian.

Then again, Debian isn't really either given the systemd fiasco that is Jessie.

How has that whole debacle impacted you? I still have several squeeze(or whatever oldstable / jessie-1 is) boxes that I'm loathe to upgrade, and considering just biting the bullet and switching to either Ubuntu, which has a more mature systemd seutp, or some other distro entirely (OpenSUSE seems to be the place to be when it comes to bleeding edge secure rolling releases), but the familiarity I have for Debian continues to make that difficult to make the leap.

Can you write more about systemd fiasco in Jessie?

I've very reluctantly upgraded to Jessie with systemd few months ago and, to my surprise, it simply works.

Cursory googling returned entries from 1-2 years ago, so my google fu is not sufficient.

Actually, I don't mind systemd anymore. I hate the philosophy and attitude of the maintainer, but I haven't had any operational problems using systemd. It works, and it works pretty well. I just hate that I had no choice.
So then just don't create your main user account at install time. I'm usually creating an 'admin' user at that point anyway.

The main thing to watch out for is to add new users appropriately to some system groups like sudo, cdrom, audio and such.

> I'm usually creating an 'admin' user at that point anyway.

Why create an admin user when root already exists?

It is handy, if you are setting up the system for someone else.

You can always delete the user account you created at install time too, after you have set up the root account with a password.

For others:

    Sine qua non is an indispensable and essential action, condition, or ingredient. It was originally a Latin legal term for "[a condition] without which it could not be", or "but for..." or "without which [there is] nothing".
If a phrase is so foreign that you feel the need to italicize it, don't use it.
On the other hand, it's quite nice to be on Hacker News where someone will post the definition :) ... now I know what that phrase means when I hear it in another context.
Nah, it's just the standard HN-ian modus operandi of misusing Latin phrases like a priori which doesn't actually mean "prior" or "prior knowledge" despite the incessant use here on this site.

How else would I attempt to appear superior? :^)

Except he used it correctly here, didn't he? He could have said condicio sine qua non but my understanding is that either would be accepted usage.
If f is a function with the domain of thoughts and the codomain of the words used, f is almost never injective.

You can't always know the thoughts based solely on the words. There's almost never a one-to-one mapping. You can't always read minds.

Think about it like this: I understand that it might be perceived by some English speakers as "sophistication" (more on that later), but for a lot of others who speak other languages, there is absolutely no pretense of sophistication in using latin expressions for this is both how we have always talked and what we picked up along the way in life.

Expressions such as "a priori", "grosso modo", "primo/secundo/tertio/quarto", "sine qua non", "ad nauseam", "a fortiori", "a contrario", "status quo", "de facto/de jure", are very common in colloquial French.

Others, for example: "quod erat demonstrandum", "reductio ad absurdum", and some of the aforementioned mostly were picked up inmaths classes/books.

I learned most of this stuff as a child because people just talked like that around me. Do I have to appologize because someone thinks I'm doing it to appear superior? That's similar to some people who think someone is arrogant just because he's good looking. Doesn't this feeling tell them more about themselves than about the hypothetical arrogance/sophistication attempt?

Think of it another way: If I work in the sun and get a tan, why on earth would you assume that my tan is pretentious? Seems silly to connect the two, right? But they were connected in the past: the expression blue blood, after all, that is used to describe nobility came from the fact they were so pale their veins we apparent, contrary to the peasants who had to work in the sun and were tanned..

What used to indicate "low-birth" now has become attractive. We're funny that way.

To get back to what I said, this is not unique to English speaking people. I was raised with two languages home + one street language + one school language. Other children from poor families (one street language + one school language) preceived this as a sophistication attempt because they perceived me as someone coming from means. I wasn't. They associated speaking that language with wealth; I didn't. It didn't even cross my mind.

Then again, it's not even about wealth: they didn't mind someone like them (farmer) having money.. but they loathed people they considered "fancy" (for them, educated meant fancy).

Some people here have this stereotype (the correlation is that they're mostly people from poor neighborhoods) because they don't understand basic logic: "A implies B" doesn't mean "B implies A". They think "People from wealthy fancy families speak French", so they go the other way around and say "People who speak French come from wealthy fancy families".

But then again, it's not about latin phrases, wealth, or french, for some people in France would consider someone speaking in English as attempting to appear superior. And it's not even about France for some people in Egypt think people who speak English try to seem superior. How 'bout that! You wouldn't consider English fancy, would you?. But a lot of people around the world do.

What's the conclusion? The conclusion is that this isn't about the other, it's about us and our thought processes, our insecurities and assumptions.

The conclusion is that if you perceive what someone says to be an attempt to be sophisticated, maybe you can start with an assumption check: can you for a fact read minds? Does your assumption tell you something about yourself more than it does about the other? It does.

I'm not being judgemental, I just find the way we think fascinating. I spend a lot of time trying do destroy my own argum...

I contend that 'sine qua non' was the mot juste in that situation.
I contend that most Leute would find it untragbar for you to pepper your Schrift with Wörtern from any random Fremdsprache. But somehow it's considered acceptable if the Fremdsprache in question is French or Latin.
May I ask a hypothetical?

If you were stopped at a border crossing and asked to unlock your drive for inspection, would you do so?

No. I'd be calling my company's lawyer to obtain their counsel first. Its not up to me to disclose information I dont own to BPS.
If you were stopped at a border crossing and asked to unlock your drive for inspection, would you do so?

It's not necessary to cross a border anymore with anything "interesting" on your laptop.

Just push everything of value to the cloud before crossing. Carry a USB drive with an OS on it. Format your laptop before crossing. Let them have fun "inspecting". Oh, and I'd advise doing something like

   dd if=/dev/zero of=/dev/rdiskX bs=1m
before loading the clean OS. That way there's nothing of value on the drive even if forensic tools are used to look for previous data.

Or maybe just use a Chromebook. They can't force you to unlock access to any cloud accounts, can they? Certainly not as a pre-condition for crossing a border? With a court order, yes, but then you definitely need to get an attorney involved to protect you.

The fly in that ointment is that govts tend to have these deniable 'deals' with these major cloud providers. So make sure whatever you push is encrypted well.
Usually you don't have any right to enter a country, unless you're a citizen.

So they can make unlocking any of your accounts a prerequisite for entering.

FileVault on Macs and OpenBSD's softraid(4) on non-Macs. Almost every OS these days has some support for full-disk encryption. Not using it is irresponsible.
So, the dawn of SSDs has made hibernation and sleep redundant. I use FDE for my SSD (luks, and whatever good defaults ubuntu gives me).

As for the cloud, I store nothing sensitive on there. I used truecrypt, but now I find VeraCrypt easier to use and install. I lost my last installer of truecrypt, and I don't trust the ones floating around.

VeraCrypt hasn't been audited yet. This is a bad thing :)

I have been looking for any sort of software review of VeraCrypt or suggestions by security experts that they use and recommend VeraCrypt. I want something more than unknown people in forums saying they use it.
Well then, use something battle tested like cryptsetup then. It is not as nice though.
I assume he's looking for an open-source option for Microsoft Windows. OSX and Linux is largely "solved". The Microsoft stack is less so after TrueCrypt's downfall.
My Windows machines are not encrypted because the home edition they run does not support BitLocker. Microsoft should reconsider.

Most of my other installations (Mac, Linux, FreeBSD) are encrypted (LVM, ZFS, etc) or will be soon.

To be honest this only really helps against casual attackers (lost/stolen machine) because much of my personal data is in OneDrive which will offer me no protections against governments or determined individuals.

Pro supports bitlocker.
(comment deleted)
Ubuntu 16.04 with full disk encryption. It's trivial to set, you can do it in installation phase.
do you lose all your data if the disk suffers from any kind of data corruption?

or can you somehow still mount, unlock and retrieve the files that weren't affected?

I use the standard hardware encryption of my SSD (a Samsung 830 in my 2012-era Dell XPS 13), which requires I enter the passphrase when I turn my machine on.

Advantages:

  - OS neutral
  - Seemingly as fast as running 'unencrypted' 
    (I assume performance is identical, the only
    difference being the passphrase is stored in
    my head rather than the BIOS)
Disadvantages:

  - Limited to an 8-char (!) ASCII passphrase
  - I've no idea how secure it really is
  - Can't audit the algorithm (not that I have
    the technical ability to)
That sounds like an annoyance, not encryption to me.
Generally as you increase security you will lose usability and vice versa. It's about weighing the advantages against the disadvantages.
It's the 8-char password that I find absurd - that would take about 2 hours to brute force max.
I think hdd will wipe itself after N incorrect attempts.
So you copy the drive first.
Encryption is done in drive hardware, so copying the drive is possible via hardware attacks but would be a pretty involved lab operation. Would definitely take longer and require more sophistication than many in-practice crypto exploits.
Allegedly it's 256-bit AES and would take thousands of years to brute force. (Allegedly, because of course there's no way for me to easily verify!)
a 256-bit AES key might take eternity, but if it's derived directly from 8-char ASCII the search space is tiny. Somewhat does depend on how it's actually implemented in hardware, however.
Or even better, the key is determined randomly, and the 8 char password decrypts the key.
The 8 char password does not decrypt the key; it unlocks/retrieves it. The drive will only allow a fixed number of attempts. Once past the 10 or whatever allowed attempts, an attacker needs to brute force the full encryption key. It should be a very similar scheme to what you get with a modern smartphone, such as a new iPhone. (Not one of the older iphones the FBI cracked recently, a new one with a Secure Enclave.)
What stops the attacker from just imaging the drive in its encrypted state and continuing to run attacks on the 8 char password well in excess of 10 attempts?
The drive controller does not allow you to read the encrypted form of the data out. This kind of drive-encryption is the same as the common ATA lock command (implemented in your BIOS and the drive controller), but the drive controller actually encrypts the data as well as just refusing to work without being unlocked first.
This relates to my "does depend on how it's actually implemented in hardware, however." comment.

This can be implemented in secure hardware (and without getting into attacks against that), you can make a password attempt, but can't modify the counter which tracks how many incorrect attempts have been made. Sufficient incorrect attempts will see the key material destroyed.

On Thinkpads at least it can be much longer.
It reminds me of how I set a boot password in the BIOS on my HP laptop. I now have forgot the admin password in order to remove that "feature". I have no idea how I can fix it. The laptop is bricked. I can't install Linux on it because it is set not to boot from USB or CD/ROM
> I have no idea how I can fix it.

Just disconnect the CMOS batteries; you can find tutorials online. Or you can take it to a computer shop, it should be a simple fix.

Where are those located?
The grey coin-sized CMOS battery is alongside the motherboard.

I suggest you look at the many guides and videos, just search "removing BIOS password".

That will work for sure? I'd have to really start taking things apart.
Almost certainly yes. I have taken apart many laptops, it's usually not more than 5 minutes reading a guide/video and another 5-10 minutes of work.
Check HP for the service manual for your laptop. This is generally a standard goal the manual will give steps for. Usually all you need is a screwdriver of the right size and a bit of guts to pull apart bits of plastic, though I find my confidence that I'm not destroying anything is greatly enhanced when I'm following the manual and have reasonable confidence all the screws are out properly.
Not for sure. That trick is kinda old.

I had a Pentium III based HP laptop that stored the password on a chip that didn't require a battery to evade such a trick. The only fix was using the backdoor password that could be generated by using the serial number of the laptop (HP required proof of ownership, but I had dumpster dived this from their offices). The backdoor password was retrieved by wiring 50 USD to a fellow in the czech republic who had the keygen tool HP support would use.

What's the model number of the laptop?
Not exactly sure because I don't have the laptop on me. Do you have model specific advice I should know about?
I had the same issue with a second hand HP laptop. However, I could still log in as administrator on the Windows install, enabling me to dump the flash memory used to store the BIOS firmware and configuration, which included the password hash. Some reverse engineering later, and I was able to brute force the hash successfully. So that could be an option if the password is not stored in battery-backed memory, and you have a bit of time on your hands to get stuck into the BIOS internals.
You're correct, it's not going to stop someone who knows exactly what they're doing and has the time/patience/tools to brute force. But it is enough to stop casual thieves from stealing more than just hardware, which is (fortunately) my main concern.
It does actually encrypt your data, and if it's correctly implemented, it's fine. Those drives sell for a few years now and not a single exploit is known.

For most people this is more than enough.

For Mac, FileVault2. For Debian, LUKS full-disk.

It's tangential, but while on the topic of securing lost laptops, you should also password-protect GRUB and BIOS. Ideally, all three will use different passwords that are relatively long. Properly securing these elements in addition to having full-disk encryption will make your lost laptop useless to the would-be thieves.

Partitions for swap and rootfs, both encrypted with LUKS. I carry boot disk on a USB stick. Decryption key is on bootdisk, too, to avoid typing in the passphrase every time.
I use Arch Linux with LUKS for full disk encryption.
LUKS, combined with suspend to disk. Both on my laptops and the on-prem homeserver that holds all my personal data.
- Bitlocker on my Windows 10 Pro laptop (because I'm more concerned about an everyday thief prying open my laptop than a government agent)

- ChromeOS built-in encryption/LUKS FDE on the Fedora partition on my Chromebook

I should probably encrypt my Android phone and tablet, but I had a bad experience with performance overhead when I encrypted my last phone.

I dont think it is even possible to hide it from government
Depending on which version of Android you're running, you may be pleasantly surprised. Manually encrypted an HTC One m9 (Lollipop) and found no noticeable performance decrement, and now with it enabled by default in Marshmallow it's unnoticeable.
The main annoyance with full-disk encryption on Android is that it disables several handy features of the lock screen, such as being able to take a photo directly from the lock screen.
I just checked that on three devices and I am certain that this is a problem unconnected to encyption. Not sure how, but you might be able to solve this somehow.
I have the same setup: bitlocker for Windows 10 and LUKS for Fedora. I have also enabled secure boot and it works fine with both OS'.
I don't have any files on my personal laptop.

I have a USB key or two on my key-ring, and in theory I have an external hard-drive although currently I don't use it.

I keep code on a VM and GitHub.

In general I don't really have anything I can't lose or have made public. Instead of looking at my laptop as a thing I have to protect I look at it as a thing that will inevitably be lost, damaged or replaced.

What about session tokens to cloud services you likely use?
My primary accounts are not left logged in. I don't let my browser auto-fill passwords. Github for example has two-factor enabled. I somewhat regularly clean my browser data.

If a nation-state wants to "get me", they will. In fact most of us would probably not be able to withstand a targeted attack by a skilled or simply motivated attacker.

I don't expect my hard-drive being encrypted would save me in court. I probably wouldn't ultimately withstand a prolonged beating in defense of it either.

It all comes down to whether your juice is worth the squeeze. I have very little juice (on display), and I don't give anyone much reason to suspect there's more juice out there.

There are a lot of low-hanging fruit forensic techniques that would allow for recovery of data that was once on the device and you now think to be gone, like session tokens and cookies. One of the major reasons to use full-drive encryption is so that these forensic artifacts will be encrypted in addition to the files you still actually keep around. This is also why you should enable full-disk encryption at the very beginning, OR wait while the entire drive is rewritten when you enable it.
I run Bitlocker on my Windows 10 machine it causes some issues with multibooting.

Does anyone have a good multiboot disk encryption setup?

On Linux I sometime use LUKS disk encryption. For adhoc disk container file disk encryption I use Veracrypt which is the successor of Truecrypt.

DiskCryptor https://diskcryptor.net/wiki/Main_Page

Full compatibility with third party boot loaders (LILO, GRUB, etc.). Encryption of system and bootable partitions with pre-boot authentication. Option to place boot loader on external media and to authenticate using the key media. Support for key files. Full support for external storage devices. Option to create encrypted CD and DVD disks. Full support for encryption of external USB storage devices. Automatic mounting of disk partitions and external storage devices. Support for hotkeys and optional command-line interface (CLI). DiskCryptor supports FAT12, FAT16, FAT32, NTFS and exFAT file systems.

I only encrypt the /home dir with dm-crypt running ArchLinux. I did use TrueCrypt on my previous laptop but at a certain point it was broken and it seems development ended in 2014.
on OS X I use FileVault2. I also have data on encrypted, password protected disk images. A firmware password on the machine too.

Another thought, what other things could someone do?

check for the existence of a USB stick or SD card plugged into the machine inorder to actually mount home? Log user into a chroot env and mount nothing unless a usb stick exists?

Debian with full disk encryption as suggested by installer.

Works.

I also set up FileVault on my Mac, which I don't particularly like because it uses my login password to encrypt the hard drive.

I run Mint on my ThinkPad, and encrypted the hard drive at install-time (which is LUKS in the background). This means I have a separate password for the OS and my user data. The boot password is very long (it's a saying that is memorable to me) so is pretty difficult to brute-force, while my user password is complex enough for regular use. I also have my user data encrypted. LUKS can leverage the AES instructions on current-gen CPUs to speed up encrypted operations to near-native speeds, but even without it, you'll only notice a slow-down if you're doing heavy IO. My MBP is an old Core 2 Duo and is not unsable with FDE enabled.

I also used my Yubikey as a second factor for a time - you can hook this into the LUKS decryption screen to hash the passphrase a second time to generate the decryption key. While I was at it, I had my Yubikey set up to be required to log in or unlock the screen. So while there was a backup passphrase to unlock the hard drive, I couldn't get into my own user account without the Yubikey. I eventually disabled this because I thought it was overkill, but it works pretty well.

However, don't forget that encryption ONLY protects data at rest! A laptop in sleep mode is NOT secure, even with FDE. I always shut down the machine completely when I'm in a situation I could lose it (e.g. airport security). Otherwise, the keys are kept in memory, and a determined hacker has ways of getting to them - look up DMA attacks. Downloading the contents of RAM through a firewire port is pretty trivial these days.

A final thing to note - none of these methods stop a thief installing their own OS on your machine. Whilst this means your data is secure, you can make things a little bit harder for the thief by adding a boot or BIOS password to prevent them booting from a different medium. There are ways to reset this, admittedly, but since it won't get in your way (much), add another stumbling block for your enemy.

> A final thing to note - none of these methods stop a thief installing their own OS on your machine. Whilst this means your data is secure, you can make things a little bit harder for the thief by adding a boot or BIOS password to prevent them booting from a different medium. There are ways to reset this, admittedly, but since it won't get in your way (much), add another stumbling block for your enemy.

If you use UEFI with secure boot (and your own keys with the windows ones removed, and an administrative password set up in your firmware) then you're in theory protected against that attack as well. What's more, openSUSE Just Works™ with UEFI. I wanted to flash LibreBoot (a CoreBoot distribution that is free as in freedom) but I'm worried about bricking my laptop (as well as not being sure about how good Linux's support is for that).

I use the Mac Disk Utility to create an encrypted volume. I use that volume to store sensitive files. Its just one file so its fairly easy to back up in its encrypted form.

The main hassle is I have to open the drive and enter the password before using. But its used infrequently.

This is my method as well. +1
This is my method as well. +1