On Sat, Jun 6, 2020 at 3:49 AM Dale <rdalek1...@gmail.com> wrote:
>
> Thanks for both replies.  I found one other Gentoo one but it was encrypting
> the whole thing, /boot and all, plus they used efi.  I didn't find the one
> you linked to.

The Gentoo guide that was linked uses an example of encrypting a partition.

This is just block device layering though.  You can probably stack
them any way you want as long as the various services/etc are set up to
load in the right order.  You could encrypt the disk and stick LVM on
it.  Or you could stick LVM on the disk and use LUKS on the logical
volumes inside.

Usually you want the encryption as close to the disk as possible
because if somebody gets your disk it gives them less to work with.
They don't know that you have a logical volume called "home" on it,
and so on.

Some more recent filesystems have encryption built into them, like
zfs/etc (well, the most recent version).  There can be benefits to
doing it this way as the filesystem might be better able to cope with
data corruption if there is some problem later.

However, you can always stick dm-crypt/LUKS/etc on a physical disk and
then just treat the resulting block device as if it were your disk.
dm-crypt itself has very little overhead.

As you pointed out, the main thing you do have to be careful about is
/boot.  As long as you're using an appropriate initramfs you can do
just about anything else after that, but your firmware isn't going to
go prompting for your LUKS password/etc.

I should mention it for completeness, but I don't recommend this: you
can also use ATA security with a password that unlocks the hard drive.
In theory the drive should be encrypting its data when security is in
use, and it makes the drive inaccessible without the password.  The
problem is that this is generally not audited by anybody and you have
no way of knowing what the drive is doing or whether it is a secure
implementation.  But, I mention it for completeness, because it can be
done on Linux.

-- 
Rich
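The "encryption as close to the disk as possible" point above can be checked directly: what does the first stretch of a raw disk reveal to someone who only holds the disk? The following is an added example (not code from this thread) that inspects a raw image for a LUKS header and for an LVM2 physical-volume label, and, when LVM is on the bare disk, pulls the plaintext VG/PV/LV names out of its metadata. The two images it builds are constructed with a simplified LVM label and metadata layout; the `LUKS\xba\xbe` magic and the `LABELONE`/`LVM2 001` label strings are the real on-disk values.

```python
import random
import re
import struct

SECTOR = 512
LUKS_MAGIC = b"LUKS\xba\xbe"  # first 6 bytes of any LUKS header
LVM_STRUCT = {"physical_volumes", "logical_volumes"}  # structural keys, not names


def classify_image(img: bytes) -> dict:
    """Report what a raw disk image reveals to someone holding the disk but no key."""
    info = {"luks": None, "lvm_pv": False, "lvm_names": []}
    if img[:6] == LUKS_MAGIC:
        info["luks"] = struct.unpack(">H", img[6:8])[0]  # LUKS header version (1 or 2)
    # An LVM2 physical-volume label sits in one of the first four sectors:
    # "LABELONE" at offset 0 of the sector and "LVM2 001" at offset 24.
    for sec in range(4):
        off = sec * SECTOR
        if img[off:off + 8] == b"LABELONE" and img[off + 24:off + 32] == b"LVM2 001":
            info["lvm_pv"] = True
            # LVM metadata is plain text: VG, PV and LV names are readable as-is.
            text = img[:4 * 1024 * 1024].decode("latin-1")
            names = re.findall(r"([A-Za-z0-9_+.-]+) \{", text)
            info["lvm_names"] = sorted({n for n in names
                                        if n not in LVM_STRUCT
                                        and not re.fullmatch(r"segment\d+", n)})
    return info


def luks_on_disk_image() -> bytes:
    """Constructed image: LUKS2 directly on the disk; any LVM inside is ciphertext."""
    body = bytes(random.Random(2020).getrandbits(8) for _ in range(7 * SECTOR))
    return LUKS_MAGIC + struct.pack(">H", 2) + body


def lvm_on_disk_image(lv_names) -> bytes:
    """Constructed image: LVM directly on the disk (simplified PV label + metadata)."""
    img = bytearray(8 * SECTOR)
    img[SECTOR:SECTOR + 32] = b"LABELONE" + bytes(16) + b"LVM2 001"
    meta = "vg0 {\nphysical_volumes {\npv0 {\n}\n}\nlogical_volumes {\n"
    meta += "".join(f"{n} {{\nsegment1 {{\n}}\n}}\n" for n in lv_names) + "}\n}\n"
    img[4 * SECTOR:4 * SECTOR + len(meta)] = meta.encode()
    return bytes(img)


if __name__ == "__main__":
    print("LUKS on disk :", classify_image(luks_on_disk_image()))
    print("LVM on disk  :", classify_image(lvm_on_disk_image(["home", "root"])))
```

To run the same check on a real device, pass the first few MiB of it (read with root privileges) to `classify_image`; with LVM on top of LUKS only the LUKS header is visible, while LUKS inside LVM leaves every volume name readable.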
