‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, March 22, 2021 8:50 PM, Johnny Dahlberg <svartchimpans@xxxxxxxxx> wrote:
As for whether to use UEFI boot or not: Yes. Use it. It's way more robust than MBR boot methods. Don't be afraid to research what systemd-boot is, if you want to know. Or just enable UEFI in your BIOS (it's most likely on by default on your new laptop) and just install the OS and it'll automatically use UEFI.As for what to encrypt:/boot/efi = No. It must be unencrypted to be able to boot. But it only contains your bootloader, kernel and initramfs which is what sets up the decryption environment./ (root) = Yes. All of it will be encrypted with your passphrase.As for having a separate /home partition: Don't bother. It makes no sense at all and just creates hassle when you inevitably run out of space in either / or /home. There are no benefits to a separate home directory. None. People think it makes OS reinstalls or distro hopping easier. Nope it doesn't. If you have a unified partition, you simply have to boot any random liveCD and delete everything except the /home folder, and then install your OS on the same partition without formatting it, and voila you've kept /home without tediously separating it.If you wanna check out the distro I recommended in the longer answer about full disk encryption, you even have a "Refresh Install" feature in the installer, which deletes everything except /home and reinstalls the OS. That's another fantastically easy option. :-)-- Johnny
1. Kernel and initramfs can be located in encrypted partition if bootloader can decrypt them.
2. Having separate /home partition has several benefits: if root fs is damaged, the home partition is left intact. Also, depending on fs type, its configuration and partition size io operations can be faster on smaller partitons than on a big one.
3. There are such tools like lvm or fs subvolumes which make the choice between single or separate partition redudant. For example, lvm alows to share single partition space for several virtual partitions (they are fs independent - if one fs is damaged, other are still ok). Some fs allow to have subvolumes which also share space (but they are fs dependent, so if fs is damaged all its subvolumes are also damaged).
Regarding initial question: operating system partition, swap partition, home partition and all other 'user data' partitions 'are appropriate' to encrypt. Boot partition (to be more precise bootloader) can also be encrypt, but the benefits are extremely theoretical. Initrd and kernel images 'are appropriate' to encrypt if they are part of encryption process (in this case they must encrypt, because, for example embeding keyfile in initrd image located at unencrypted partition is like leaving key at the door).
Best regards,
Maxim Fomin
_______________________________________________ dm-crypt mailing list -- dm-crypt@xxxxxxxx To unsubscribe send an email to dm-crypt-leave@xxxxxxxx