If you encrypt your whole disk, everything will either be encrypted or unencrypted at the same time.* That is, after you enter your LUKS password at boot, your system is no longer protected. Likewise, when you shut your machine off, the drive is encrypted and the files cannot be retrieved.
*And before someone objects, it is true that technically, LUKS is encrypting/decrypting on-the-fly while the machine is running, but it's completely transparent to the user since the key is in memory and unlocks/locks everything as needed. I just figured that if someone was asking the question OP is, they didn't need to know these details. Unless you are a crypto developer, it's easier to think of it as a binary proposition -- that is, the drive is either encrypted or not. On or off. Technically it's not that simple, but it's good enough of an explanation for the curious end-user, especially considering that there is zero security for the files while the drive is booted. It doesn't matter that most files are technically encrypted until they are accessed -- they can still be easily accessed by anyone behind the keyboard.