On March 22, 2021 3:57:13 AM UTC, Arno Wagner <arno@xxxxxxxxxxx> wrote: >To do that you need to boot from an external medium. >FAQ Section 9 has some informatiopn on how to create an >initrd for an external boot medium. > >Regards, >Arno > > >On Sun, Mar 21, 2021 at 17:13:16 CET, ken wrote: >> A new laptop is on the way and I'm considering using dm-crypt 2 >secure the whole SSD. I have some basic questions though. >> >> Is it possible to encrypt the entire Drive, including all the system >files? >> _______________________________________________ >> dm-crypt mailing list -- dm-crypt@xxxxxxxx >> To unsubscribe send an email to dm-crypt-leave@xxxxxxxx Thanks for your reply and or the reference to the FAQ. I should have known that the latter probably existed. While it probably is a very useful kind of configuration for some for a system to have to boot from an external medium, it doesn't sound like something that I want to do. I guess I've been misled by my previous experience with dm-crypt. It must have been about 20 years ago that I set up and for a couple years used an encrypted system. That system would boot as systems normally do, and I was prompted for a password somewhere along the boot process prior to having to enter my user password. I didn't need an external medium at all. And very recently I very briefly tried out Fedora 33 and clicked a checkbox for disk encryption during the install process, and the boot process was essentially the same, that is, the system would boot, then it would require password for disk decryption before I could log in. Again, no external medium was required. Your answer, though, was the right one, given my imprecise question. This brings up larger, but pre-technical questions: what is appropriate to encrypt and why? Given your reply, it seems safe to assume that it's possible to encrypt the boot partition of a system. It's quite possible that I'm missing some reason to do this, but I can't see it. However, I'm not at all conversant with the newer UEFI boot processes, so perhaps there's something to learn there. Reasons for encrypting the OS are more apparent, so I'm fairly certain that would be advisable. I can imagine a sound rationale for encrypting just one part a person's home directory, but for me the entire /home partition is the absolute minimum. KVM throws another layer of possible confusion into the mix. At the moment I'm considering encrypting the entire (host) OS and /home partition, and with those all the guest systems, because this seems like the simplest way to go. However, I could be convinced against that plan if I find that performance would be too adversely affected, or for some other possible issues I'm not even aware of. Or maybe it wouldn't be simple at all to do what I'm planning. I don't know at this point. One specific question I have comes out of the FAQ: What is meant by a container? I'm fairly certain that it could be an entire partition. Anything else? Could one container be comprised of two or more partitions? Can two or more virtual machines constitute one container if they are all on the same partition or within the same logical volume? Sorry for the long post. If you're looking for more fodder for the FAQ, I obviously have plenty of that. :) _______________________________________________ dm-crypt mailing list -- dm-crypt@xxxxxxxx To unsubscribe send an email to dm-crypt-leave@xxxxxxxx