How safe are my data if my hard drive isn't encrypted?

Permanently Deleted
Except when your drive is encrypted you can easily destroy its contents. Let's say you're DorkPirate1337 who happens to care about their opsec; you luksEncrypt your drive and have a simple script that runs when a specific USB key is disconnected, triggers luksErase, and then poweroffs. Voila, when the school principal snatches your unlocked laptop while you're in the lib, all your pirated hentai becomes permanently unaccessible whether you give up the password or not. [Edit: the USB key is strapped to your wrist]

Note: luks uses 2 encryption keys, where one is randomly generated and encrypts the actual data, and the second one is given by the user and encrypts the first one; luksErase destroys the luks header containing that first key
Not that other means of accessing the passwords aren't worth considering, but in the real world, it takes a lot more for someone to actually coerce your password from you than to use unencrypted storage.

I generally like xkcd, but this is a harmful trivialization of the value of encryption. In the real world, anything that isn't encrypted is negligent as hell. There's no valid reason not to do it, with maybe the exception of a thumb drive you're sharing across a computers you don't control and are clearly aware is not secure.

Safe in what context ?

If the drive is mounted and data accessible, in case your computer is compromised by some kind of malware, well, the data will be easy to exfiltrate. Now, if the computer is turned off or the drive unmounted, that's what encryption comes in to protect it.

So, basically, encryption will protect the data in case of physical theft of the drive or in case of remote hacking if the drive is un-mounted.

Safe in the context of someone stealing the hard drive and look through private photos and stuff by plugging the drive into another device.
- In that case, without encryption, your safety is zero. That's the exact scenario that full-drive encryption was designed for.
How do people remotely hack a unmounted drive? I think most hard drive dont have power when unmounted?

If the device get stolen, your drive and its files can be easily read.

Other attacks like malware or ransomware are almost the same if the drive is encrypted or not.

Disk encryption is important for laptops and phones because these devices are frequently stolen. For desktop or servers is still good idea, though.

Thanks a lot for your answer. How would you encrypt a server? Typing a password every time it boots isn't possible for me, since I would need a monitor for my headless server.
- That's why it's not always an option.
  
  Some servers have some kind remote console hardware, with their own security issues.
  
  Your "threat model" is important too. Do you expect that server to get stolen? If it happens, is there critical data that should not leak?
  
  Maybe you need to encrypt a directory, and not the whole drive.
- You can use SSH for unlocking: https://www.cyberciti.biz/security/how-to-unlock-luks-using-dropbear-ssh-keys-remotely-in-linux/
- Either self-encrypting drives (if you trust the OEM encryption) or auto-unlock with keys in the TPM: https://wiki.archlinux.org/title/Trusted_Platform_Module#Data-at-rest_encryption_with_LUKS
- I use Luks/Tang to unlock the server at boot from another computer that is always on too. If that one is down I’ll need to type it or power the other PC on, but otherwise it auto decrypts for me as long as I’m on the same network.
- One option may be a hardware security key. Here is an example: https://www.endpointdev.com/blog/2022/03/disk-decryption-yubikey/
- If Windows, use BitLocker.
  
  If Linux, use LUKS but you need to enter the passphrase at boot, you can securely put the key in TPM2 I think (à la Windows) but it may be complicated to setup, or just seal the phrase in TPM2 but if you boot on grub you can break grub and replace init with a shell in boot option and have access to the system I think :-/ but a simple crackhead thief would not understand that.
  
  You can also have the key on a USB key, but if on the server and the server get stolen, it's useless. You can setup a "anywhereUSB" and have your USB key in another room/place, etc, there is others possibilities.
  
  I wanted to unlock with bluetooth but having the bluetooth HW driver and stack in initramfs was nightmarish a little bit :-/

You are relying 100% on physical security. If nobody can take your drive or physically operate your computer, it is safe.

If I could boot a USB stick on your machine, or pull the drive, accessing your data would be trivial.

Somebody can take your disk, easily mount filesystem, and read everything.

If the risk of physical data theft is high, your data is at risk. If the risk of physical access to you machine is rather low, encryption might actually increases the risk of losing your data simply by the chance of losing the means to access your data (forgotten passphrase, lost hardware key...).

It might also be harder to recover picies if the hard drive fail partially. However, many use SSD now, might be a different story there.

I think you mean my data.

our data
- Permanently Deleted

An encrypted hard drive means that someone cannot physically steal your hard drive and read its contents.

Encryption-at-rest is generally moot against RCE exploits, because your OS will happily decode files that your programs have permission to read.

That said, on modern systems, encryption is cheap. So set it up if you can.

Edit: I replied to the original post.

Community in the text?

Crosspost. Click on it and you'll land on my original post.

I didn't want to duplicate it. You can always suggest me how to make the crosspost more visible, I just did it how my client set it up for me.

Zero safe. Hard drives die all the time. Unsafe to keep everything on one drive from a data loss perspective. Anyone can just plug it into any other computer and access the data. Unsafe from that perspective as well.