Hey all! So, I recently setup a dual boot of Fedora and Ubuntu and chose to encrypt both of them. Since it was a dual boot, the encryption and partitioning had to be done manually. Now, being a total noob, I didn’t know the first about any of this and chose to simply follow the instructions in this awesome article which goes into creating a luks2 encrypted BTRFS volume with the required subvolumes. It worked wonderfully and I’ve got no complaints about my new setup. But, wanting to learn a bit more about this stuff, I tried to do it my own way by doing the following:
In the installation destination, I chose Advanced Custom (Blivet-GUI)
Created a 650 MB EFI partition which mounts at /boot/efi
Created a 1 GB partition which mounts at /boot
Finally, I created an ext4 partition on the remaining space and set it to mount at /. Here, I clicked the Encrypt checkbox and set a new password.
After that, I let the installer do its thing. When I booted into the new installation, it prompted me for the password and everything went as I’d wanted. So, my question is, what are the disadvantages to encrypting it the way I did? I mean, the instructions in the article were a lot more complex and therefore, one can assume that I’m probably missing something by doing it my way. Is the BTRFS simply so that I can avoid having to enter a password multiple times in case I encrypt multiple partitions? Or are there more reasons as to why doing what I did may not be a good idea?
The instructions in the article are unnecessarily complex, if you don’t want anything “extra”, selecting Automatic on the Installation Destination page and checking the Encrypt my data checkbox is the way to go. But your setup is OK too. With ext4 you are missing some advanced features that btrfs offers like compression or snapshot support (and having separate /home and / is also useful) but there is no difference on the encryption level, it’s the same LUKS “container” for both btrfs volumes and standard partitions.
I’m actually not sure what happens if you have two separately encrypted partitions (like separate /home and / without btrfs or LVM), I think systemd is smart enough to try the same passphrase for both and ask only if the second partition doesn’t unlock (has different passphrase).
So, its pretty much the same except for some extra cool features that come with btrfs. I had another question…I understand that asking an unrelated question is against the rules but since this is where the smart folks are, I figured I’d ask here rather than a generic tech forum. The reason I’m trying to encrypt my stuff is because I’ve got roommates I don’t really trust. So how well would this fare against someone with physical access to my computer? Would adding a power on password do any good? I heard that removing the CMOS battery can bypass that. If posting this question was inappropriate, please let me know and I’ll delete it right away.
Having a strong high entropy password is recommended for a strong encryption.
What ever the strong encryption algorithm you are using if you don’t have a good password it is useless
I don’t know about battery thing. encryption is a mathematical algorithm how a battery or clock reset can effect it
As far as i know drive encryption can’t be effected with this method but bios setting and password can be reset but in some newer motherboard it is not a issue.
The data on the disk is safe, it’s encrypted and if you don’t know the passphrase you are not going to be able to decrypt that. The problem is the physical access to your computer – they can tamper with unencrypted /boot and install some sort of keylogger to the initramfs to get your LUKS passphrase or even get a hardware keylogger or camera pointed at your keyboard and bypass all software protection. So it depends on the level of distrust you have for your roommates – disk encryption will surely protect you from some stupid jokes and random snooping, but if they really want to get to your data, there is always a way with physical access to the machine.
Yeah, my roommates are a shady bunch. Can’t even get my college to change my room without any real evidence though. So encrypting /boot should be good enough right? Also, by doing this, will boot time increase by a lot? And finally, is a BIOS password any good? I mean, you power on the machine and it immediately asks you for a password. This looks like its adding another layer of security but is it really? I don’t see many people using it.