Re: Using dm-crypt: whole disk encryption


On Tue, 23 Mar 2021 at 00:59, Didier Spaier <didier@xxxxxxxx> wrote:
On 22/03/2021 at 17:43, Johnny Dahlberg wrote:
> On Sun, 21 Mar 2021 at 17:20, ken <gebser@xxxxxxxxxxxx
> <mailto:gebser@xxxxxxxxxxxx>> wrote:
>
>     A new laptop is on the way and I'm considering using dm-crypt to
>     secure the whole SSD. I have some basic questions though.
>
>     Is it possible to encrypt the entire drive, including all the system
>     files?

> Yes, you can do this extremely easily in distributions that support it.
> What does "it" mean? Well, simply: Placing the kernel and bootloader on
> an EFI /boot/efi partition and using that as a bootstrap to decrypt the
> main partition. And auto-updating it every time the main system kernel
> is updated.
> I highly recommend my favorite Linux distro, which handles all of that
> automatically and asks if you want Full Disk Encryption during install:
> https://pop.system76.com/

Well Slint can do that as well in 'Auto' mode, with a simpler layout:

Ah. The layout you describe is basically the same thing as Pop!_OS full disk encryption. But Pop requires LVM on top of LUKS. I wish it didn't require LVM. But at least it's nice since LVM lets you "repartition" inside the encrypted disk easily by just adding more LVM volumes.

I think all distros that support FDE do basically the layout you described. Because EFI/BIOS don't support encrypted bootloaders. So the boot partition must always be unencrypted. And then the bootloader needs something to decrypt the disk, and the easiest way to do that is initrd/initramfs with a whole kernel on the unencrypted boot partition. Which decrypts the disk and passes control over to the main system kernel (via chroot and stuff like that). This process is universal.

You mention using grub and BIOS boot though. I've heard that it's painfully slow to boot LUKS systems via grub? I haven't tried grub in years, but I use UEFI systemd-boot and it's instant (the decryption unlock screen shows up in ~3 seconds, and the desktop is booted in another ~5 seconds). It's really fast.

As an aside, instead of a swap partition a small swap file is set up,
as well as a swap space in zram with a higher priority.


That's nice. I don't use swap at all (I have 64GB RAM) but I've been reading about zram which does in-ram compression, that's a nice thing. Thank you for reminding me to do that.
Out of curiosity I installed pop-os in a Qemu VM. I think it would be
fair to mention on the website that it's based on Ubuntu. I don't
like GNOME, but that's just a personal taste ;)


True. They have a few small mentions about Ubuntu on the website though, but they definitely don't brag about it. It's a good thing though since it means the users can search the vast amounts of Ubuntu information online to find answers.

As for GNOME, you can replace the desktop environment with one command. You just run the command for the environment you want, and it will appear on your login screen with a little down-arrow to log in using that particular environment, and you can have multiple at the same time. Here's a list of environments and how to install each:

https://support.system76.com/articles/desktop-environment/

That Slint distro is news to me. It gives the impression that it's very niche (it has existed for over a decade but was added to Distrowatch last year :O). Can be nice to find cozy, unique distros like that, but it's hard to find documentation for problems or proper maintenance by the developers on such small distros.

My choices for systems that "just work" would be Manjaro (Arch) and Pop (Ubuntu/Debian). Both are really, really polished.
Slint's website: https://slint.fr
Main server: http://slackware.uk/slint/x86_64/slint-14.2.1/


Best Regards,

Johnny 
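A small check of the layout discussed in this thread (a plain boot/EFI partition the firmware can read, the root filesystem on a dm-crypt device, nothing else mounted from an unencrypted partition), added here as an example and not taken from the thread or from any distro installer. It assumes `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT` output on stdin; the sample lines below are constructed, not captured from a real machine.

```shell
#!/bin/sh
# field KEY LINE -> value of KEY="..." in one `lsblk -P` line. A leading space
# is prepended so that " TYPE=" cannot match inside "FSTYPE=".
field() {
    printf ' %s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"
}

# Reads lsblk -P lines on stdin; exit 0 if the layout is the expected FDE
# shape, exit 1 with a reason otherwise.
fde_layout_check() {
    root_ok=0; esp_ok=0; plain=""
    while IFS= read -r line; do
        name=$(field NAME "$line")
        kind=$(field TYPE "$line")
        mnt=$(field MOUNTPOINT "$line")
        case "$mnt" in
            "") ;;                                  # not mounted, ignore
            /) [ "$kind" = crypt ] && root_ok=1 ;;  # root must be a dm-crypt mapping
            /boot|/boot/efi)                        # firmware needs this one unencrypted
                [ "$kind" = part ] && esp_ok=1 ;;
            *)                                      # any other plain partition holds clear data
                [ "$kind" = part ] && plain="$plain $name($mnt)" ;;
        esac
    done
    [ "$root_ok" = 1 ] || { echo "FAIL: / is not on a dm-crypt device"; return 1; }
    [ "$esp_ok" = 1 ] || { echo "FAIL: no plain /boot or /boot/efi partition"; return 1; }
    [ -z "$plain" ] || { echo "FAIL: unencrypted filesystems mounted:$plain"; return 1; }
    echo "OK: boot partition plain, root on dm-crypt, no stray plain partitions"
}

# Constructed sample of the layout in the thread (EFI partition + LUKS root).
SAMPLE_FDE='NAME="nvme0n1" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="nvme0n1p1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="nvme0n1p2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="cryptroot" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/"'

# Constructed sample where /home was left on a plain partition by mistake.
SAMPLE_LEAK="$SAMPLE_FDE
NAME=\"nvme0n1p3\" TYPE=\"part\" FSTYPE=\"ext4\" MOUNTPOINT=\"/home\""

printf '%s\n' "$SAMPLE_FDE" | fde_layout_check          # expected: OK
printf '%s\n' "$SAMPLE_LEAK" | fde_layout_check || :    # expected: FAIL on /home
```

On a live system run `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT | fde_layout_check` instead of the samples.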
_______________________________________________
dm-crypt mailing list -- dm-crypt@xxxxxxxx
To unsubscribe send an email to dm-crypt-leave@xxxxxxxx
