Clevis pretty much does TPM encryption and is in most distros' repos. I use it on my Thinkpad. It would be nice if it had a GUI to set it up; more distros should have this as a default option.
You do have to have an unencrypted boot partition, but the issues with this can at least in be mitigated with PCR registers, which I need to set up.
It’s a smidge more difficult on Debian if you want to use a non-ext4 filesystem - granted for most people, ext4’s probably still fine. I use it on my desktop, which doesn’t have encryption.
Yes, fellow OpenTTD player.
I’m using LVM. The BIOS solution would be a bad idea because it would be more difficult to access the drive on other systems if you had to; LVM allows you to enter your password on other systems to decrypt.
Do your servers have TPM? Clevis might be the way to go; I use it on my Thinkpad and it makes my life easy. If the servers don’t have TPM, Clevis also supports this weird thing called Tang, which from what I can tell basically assures that the servers can only be automatically decrypted on your local network. If Clevis fails, you can have it fall back to letting you enter the LVM password.
Well, it was worth a shot.
I don't do it for my desktop because 1) I highly doubt my desktop would get stolen. 2) I installed Linux before I was aware of encryption, and don't have any desire to do a reinstall on my desktop at this time.
For my laptop, yes, I do (with exception of the boot partition), since it would be trivial to steal and this is a more recent install. I use clevis to auto-unlock the drive by getting keys from the TPM. I need to better protect myself against evil maids, though - luckily according to the Arch Wiki Clevis supports PCR registers.
I wouldn’t necessarily say that - Debian and FreeBSD releases have roughly the same support lifespan, meaning if installed on release day, you’d get a few (~5 years) years of support without major upgrades.
I’d say both systems have a high chance of success at upgrading to the immediate next version, so that becomes maybe 7 or 8 years when adding the years of support left on the now older immediate next version.
For a second immediate next upgrade, you might be right that a BSD has a better chance of surviving.
I wouldn’t know about Open SD, though, as they operate on point releases and I don’t know to what extent they prevent breaking changes.
I think you might win.
I feel like I had a problem very much like this with Debian Testing on my Surface Go 1 (and I think my desktop too) a couple years back, and it turned out there was issues with /etc/nsswitch.conf. I can't remember exactly what I did, but this is the current contents of that file:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd
group: files systemd
shadow: files
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=RETURN] dns myhostname
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Compare yours - maybe even post it so I can try to reproduce the issue on my machine. Anyhow, hope it helps, and good luck.
It depends. Sometimes I shut it down every night. Occasionally, I'll leave it in sleep mode for a few days.
I think the longest uptime I've had on anything I've owned is probably a month or so on a Raspberry Pi 4 server I used to have running with a personal Mediawiki instance (I still have the Pi, but if I ran a server in my dorm, I have the feeling someone might come to bite off my hand).
Half of these exist because I was bored once.
The Windows 10 and MacOS ones are GPU passthrough enabled and what I occasionally use if I have to use a Windows or Mac application. Windows 7 is also GPU enabled, but is more a nostalgia thing than anything.
I think my PopOS VM was originally installed for fun, but I used it along with my Arch Linux, Debian 12 and Testing (I run Testing on host, but I wanted a fresh environment and was too lazy to spin up a Docker or chroot), Ubuntu 23.10 and Fedora to test various software builds and bugs, as I don't like touching normal Ubuntu unless I must.
The Windows Server 2022 one is one I recently spun up to mess with Windows Docker Containers (I have to port an app to Windows, and was looking at that for CI). That all become moot when I found out Github's CI doesn't support Windows Docker containers despite supporting Windows runners (The organization I'm doing it for uses Github, so I have to use it).
Another update: https://startrek.website/post/13283869 I found a fix for my issue. I'm annoyed that I had it in the first place, but I overall still like my laptop.
Important update in this post: https://startrek.website/post/14075369 I still consider this a good laptop, but this is an important fix if you're using this on Debian 12. When 13 comes out next year, the out-of-box support of this laptop should be basically perfect.
Anyhow, back to the original post: I recently got a brand new laptop, a Thinkpad 21JT001PUS, to consolidate/replace my array of various on-the-go-Linux devices, and I have to say, I'm impressed. I know Thinkpad and Linux aren't news, but for such a recent device, I am surprised how well it works. The price wasn't bad (which makes up for the fact that it's a Zen 3 chip with DDR4, in my opinion), it has good upgradability (I'll touch a bit on my experience later), and hardware support was really good.
I initially tested hardware support with Debian Testing Trixie XFCE (as that was the Live USB I happened to have on hand, since I often test devices and also keep it around as a backup for my desktop, which runs Testing). At first I couldn't get it to boot, but then I found the BIOS setting to enable non-Microsoft certificates. After that, I booted in and found everything worked out of the box (except the fingerprint sensor, of course, but that's extremely rare for any laptop anyway). However, after experience with my previous portable devices, I learned I prefer stable distributions on those, as during some parts of the year, I can go months without opening the laptop.
Thus, I retested with Bookworm. Almost everything worked still, except for the Wi-Fi (which seems to have been introduced in later kernel versions). Luckily, this thing has an ethernet port (From which it is HECK to remove cables - I've found I had to twist the end up a bit to get it out), so I was able to do an install and then add the Backports kernel to get Wi-Fi working.
One minor issue I had (a software fault rather than a hardware/kernel one) was Bluetooth headphones, but as it turned out, it was just that PulseAudio was installed instead of Pipewire, so after switching, it worked flawlessly with Blueman).
As for battery life, so far it seems okay (as I write this, it says 3:29 left at 51%), but I haven't rigorously tested it yet (though I threw on the usual tlp and stuff like that for good measure).
For performance, I once again haven't tested it too rigorously, but I did play some Civ VI, which it was keeping up with just fine.
The upgrabability of this laptop does have one caveat, though. The bottom is a bother to remove, and most Youtube crap conveniently glosses over them. For one, some of the screws would get loose but not come out all the way. I eventually found the trick was to throw some pry tool under the screw head to hold it up so I could get it the rest of the way out. After they were all out, the bottom cover STILL wouldn't budge. This too ended up being a matter of jamming a pick in one corner of the case and running another one to slowly pry up the bottom case on all sides. I lost a plastic tab or two in the process, but that doesn't show up on the outside, and I think 24 GB of RAM (and 2 TB of NVME 2280 storage + 256 GB, the Windows drive that I left in the 2242 bay) will be plenty for a long time.
Overall, I would say this is a great laptop for those who don't want to go the route of purchasing a used laptop for Linux. I'll say an 8.5 out of 10 due to the hard-to-remove bottom cover and weird ethernet port (Update: 8 out of 10 now due to the nasty Wi-Fi bug I had to fix with a few module options, see posts linked in top of page).
Here's the Linux Hardware probe: https://linux-hardware.org/?probe=1e50fb1862
You're somewhat right in the sense that the point of disk encryption is not to protect from remote attackers. However, physical access is a bigger problem in some cases (mostly laptops). I don't do it on my desktop because I neither want to reinstall nor do I think someone who randomly breaks in is going to put in the effort to lug it away to their vehicle.