From: Johnny Dahlberg
Date: Tue, 23 Mar 2021 23:43:21 +0100
To: Didier Spaier
CC: dm-crypt mail list
Subject: [dm-crypt] Re: Using dm-crypt: whole disk encryption

On Tue, 23 Mar 2021 at 00:59, Didier Spaier wrote:

> On 22/03/2021 at 17:43, Johnny Dahlberg wrote:
> > On Sun, 21 Mar 2021 at 17:20, ken wrote:
> >
> >     A new laptop is on the way and I'm considering using dm-crypt to
> >     secure the whole SSD. I have some basic questions though.
> >
> >     Is it possible to encrypt the entire Drive, including all the system
> >     files?
> >
> > Yes, you can do this extremely easily in distributions that support it.
> > What does "it" mean? Well, simply: Placing the kernel and bootloader on
> > an EFI /boot/efi partition and using that as a bootstrap to decrypt the
> > main partition. And auto-updating it every time the main system kernel
> > is updated.
> > I highly recommend my favorite Linux distro, which handles all of that
> > automatically and asks if you want Full Disk Encryption during install:
> > https://pop.system76.com/
>
> Well Slint can do that as well in 'Auto' mode, with a simpler layout:

Ah. The layout you describe is basically the same thing as Pop!_OS full disk encryption. But Pop requires LVM on top of LUKS. I wish it didn't require LVM. But at least it's nice since LVM lets you "repartition" inside the encrypted disk easily by just adding more LVM volumes.

I think all distros that support FDE do basically the layout you described. Because EFI/BIOS don't support encrypted bootloaders. So the boot partition must always be unencrypted. And then the bootloader needs something to decrypt the disk, and the easiest way to do that is initrd/initramfs with a whole kernel on the unencrypted boot partition. Which decrypts the disk and passes control over to the main system kernel (via chroot and stuff like that). This process is universal.

You mention using grub and BIOS boot though. I've heard that it's painfully slow to boot LUKS systems via grub? I haven't tried grub in years, but I use UEFI systemd-boot and it's instant (the decryption unlock screen shows up in ~3 seconds, and the desktop is booted in another ~5 seconds). It's really fast.

> As an aside, instead of a swap partition a small swap file is set up,
> as well as a swap space in zram with a higher priority.

That's nice. I don't use swap at all (I have 64GB RAM) but I've been reading about zram which does in-ram compression, that's a nice thing. Thank you for reminding me to do that.

> Out of curiosity I installed pop-os in a Qemu VM. I think it would be
> fair to mention on the website that it's based on Ubuntu. I don't
> like GNOME, but that's just a personal taste ;)

True. They have a few small mentions about Ubuntu on the website though, but they definitely don't brag about it. It's a good thing though since it means the users can search the vast amounts of Ubuntu information online to find answers.

As for GNOME, you can replace the desktop environment with one command. You just run the command for the environment you want, and it will appear on your login screen with a little down-arrow to log in using that particular environment, and you can have multiple at the same time. Here's a list of environments and how to install each:

https://support.system76.com/articles/desktop-environment/

That Slint distro is news to me. It gives the impression that it's very niche (it has existed for over a decade but was added to Distrowatch last year :O). Can be nice to find cozy, unique distros like that, but it's hard to find documentation for problems or proper maintenance by the developers on such small distros.

My choices for systems that "just work" would be Manjaro (Arch) and Pop (Ubuntu/Debian). Both are really, really polished.

> Slint's website: https://slint.fr
> Main server: http://slackware.uk/slint/x86_64/slint-14.2.1/

Best Regards,

Johnny


_______________________________________________
dm-crypt mailing list -- dm-crypt@saout.de
To unsubscribe send an email to dm-crypt-leave@saout.de