From: Johnny Dahlberg <svartchimpans@gmail.com>
Date: Mon, 22 Mar 2021 21:50:56 +0100
To: ken
CC: dm-crypt mail list <dm-crypt@saout.de>
Subject: [dm-crypt] Re: What to encrypt and why (was: Using dm-crypt: whole disk encryption
In-Reply-To: <9ED15806-6FD3-4BE9-9B33-4C4BF67FB2D1@mousecar.com>
References: <643D0D27-E48A-4684-88B8-C0EE72B0DE7D@mousecar.com> <20210322035713.GA13798@tansi.org> <9ED15806-6FD3-4BE9-9B33-4C4BF67FB2D1@mousecar.com>

On Mon, 22 Mar 2021 at 21:37, ken wrote:
> On March 22, 2021 3:57:13 AM UTC, Arno Wagner wrote:
> >To do that you need to boot from an external medium.
> >FAQ Section 9 has some information on how to create an
> >initrd for an external boot medium.
> >
> >Regards,
> >Arno
> >
> >
> >On Sun, Mar 21, 2021 at 17:13:16 CET, ken wrote:
> >> A new laptop is on the way and I'm considering using dm-crypt to
> >> secure the whole SSD. I have some basic questions though.
> >>
> >> Is it possible to encrypt the entire drive, including all the system
> >> files?
> >> _______________________________________________
> >> dm-crypt mailing list -- dm-crypt@saout.de
> >> To unsubscribe send an email to dm-crypt-leave@saout.de
>
> Thanks for your reply and for the reference to the FAQ. I should have known
> that the latter probably existed.
>
> While it probably is a very useful kind of configuration for some for a
> system to have to boot from an external medium, it doesn't sound like
> something that I want to do. I guess I've been misled by my previous
> experience with dm-crypt.
>
> It must have been about 20 years ago that I set up and for a couple of years
> used an encrypted system. That system would boot as systems normally do,
> and I was prompted for a password somewhere along the boot process prior to
> having to enter my user password. I didn't need an external medium at all.
> And very recently I very briefly tried out Fedora 33 and clicked a checkbox
> for disk encryption during the install process, and the boot process was
> essentially the same, that is, the system would boot, then it would require
> a password for disk decryption before I could log in. Again, no external
> medium was required. Your answer, though, was the right one, given my
> imprecise question.
>
> This brings up larger, but pre-technical questions: what is appropriate to
> encrypt and why? Given your reply, it seems safe to assume that it's
> possible to encrypt the boot partition of a system. It's quite possible
> that I'm missing some reason to do this, but I can't see it. However, I'm
> not at all conversant with the newer UEFI boot processes, so perhaps
> there's something to learn there.
>
> Reasons for encrypting the OS are more apparent, so I'm fairly certain
> that would be advisable. I can imagine a sound rationale for encrypting
> just one part of a person's home directory, but for me the entire /home
> partition is the absolute minimum.
>
> KVM throws another layer of possible confusion into the mix. At the moment
> I'm considering encrypting the entire (host) OS and /home partition, and
> with those all the guest systems, because this seems like the simplest way
> to go. However, I could be convinced against that plan if I find that
> performance would be too adversely affected, or for some other possible
> issues I'm not even aware of. Or maybe it wouldn't be simple at all to do
> what I'm planning. I don't know at this point.
>
> One specific question I have comes out of the FAQ: What is meant by a
> container? I'm fairly certain that it could be an entire partition.
> Anything else? Could one container be comprised of two or more partitions?
> Can two or more virtual machines constitute one container if they are all
> on the same partition or within the same logical volume?
>
> Sorry for the long post. If you're looking for more fodder for the FAQ, I
> obviously have plenty of that. :)

Did you see my detailed reply to your previous post? It explains the exact boot process you want (being asked for a password at boot).

As for whether to use UEFI boot or not: Yes. Use it. It's way more robust than MBR boot methods. Don't be afraid to research what systemd-boot is, if you want to know. Or just enable UEFI in your BIOS (it's most likely on by default on your new laptop) and just install the OS and it'll automatically use UEFI.

As for what to encrypt:

/boot/efi = No. It must be unencrypted to be able to boot. But it only contains your bootloader, kernel and initramfs, which is what sets up the decryption environment.

/ (root) = Yes. All of it will be encrypted with your passphrase.

As for having a separate /home partition: Don't bother. It makes no sense at all and just creates hassle when you inevitably run out of space in either / or /home. There are no benefits to a separate home directory. None. People think it makes OS reinstalls or distro hopping easier. Nope, it doesn't. If you have a unified partition, you simply have to boot any random liveCD and delete everything except the /home folder, and then install your OS on the same partition without formatting it, and voila, you've kept /home without tediously separating it.

If you wanna check out the distro I recommended in the longer answer about full disk encryption, you even have a "Refresh Install" feature in the installer, which deletes everything except /home and reinstalls the OS. That's another fantastically easy option. :-)

-- Johnny
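The layout Johnny recommends (a plain EFI System Partition holding only bootloader, kernel and initramfs, with / on a dm-crypt mapping) is easy to verify after install. The script below is an added example, not code from the thread or from the dm-crypt project: it parses `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT` output (the `-P` key="value" format that `lsblk` from util-linux produces) and reports whether /boot/efi is a plain vfat partition and whether / sits on a `crypt` device. The two `lsblk` listings embedded in it are constructed samples, one matching the recommended layout and one with an unencrypted root; run it with `--live` to check the real machine instead.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that the EFI System Partition
# is plain (the firmware must read it) and that / is a dm-crypt mapping.

# Constructed sample of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT` for the
# layout described in the post: plain vfat ESP, LUKS partition, root on crypt.
SAMPLE_LSBLK='NAME="nvme0n1" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="nvme0n1p1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="nvme0n1p2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="cryptroot" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/"'

# Constructed counter-example: root written straight to a plain partition.
SAMPLE_PLAIN='NAME="nvme0n1" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="nvme0n1p1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="nvme0n1p2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/"'

# lsblk_field "<lsblk -P output>" <mountpoint> <COLUMN>
# Prints the requested column of the device mounted at <mountpoint>.
# Each -P line is a set of KEY="value" pairs; the quotes are stripped.
lsblk_field() {
    printf '%s\n' "$1" | awk -v mp="$2" -v want="$3" '
        {
            split("", row)                      # reset per line (portable awk)
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                key = substr($i, 1, n - 1)
                val = substr($i, n + 1)
                gsub(/"/, "", val)
                row[key] = val
            }
            if (row["MOUNTPOINT"] == mp) { print row[want]; exit }
        }'
}

# check_layout "<lsblk -P output>"
# Returns 0 when the ESP is a plain vfat partition and / is on a crypt
# device; returns 1 (with a WARN line per deviation) otherwise.
check_layout() {
    out="$1"
    status=0
    esp_type=$(lsblk_field "$out" /boot/efi TYPE)
    esp_fs=$(lsblk_field "$out" /boot/efi FSTYPE)
    root_type=$(lsblk_field "$out" / TYPE)

    if [ "$esp_type" = part ] && [ "$esp_fs" = vfat ]; then
        echo "OK:   /boot/efi is a plain vfat partition (readable by firmware)"
    else
        echo "WARN: /boot/efi is type='$esp_type' fstype='$esp_fs'; expected a plain vfat partition"
        status=1
    fi

    case "$root_type" in
        crypt) echo "OK:   / is a dm-crypt mapping" ;;
        lvm)   # LVM-on-LUKS reports the LV, not the crypt device, for /;
               # this check does not walk the parent chain, so flag it.
               echo "WARN: / is an LVM volume; verify its physical volume is a crypt device"
               status=1 ;;
        *)     echo "WARN: / is type='$root_type', not a dm-crypt mapping"
               status=1 ;;
    esac
    return $status
}

# Demo: check the live system with --live, otherwise the constructed sample.
if [ "${1:-}" = --live ]; then
    check_layout "$(lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT)"
else
    check_layout "$SAMPLE_LSBLK"
fi
```

The check deliberately stops at the device holding /: on a LUKS-then-LVM stack it reports the logical volume and asks you to look one level up rather than guessing, which keeps a false "OK" out of a post-install audit.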