In a very brief outline:

The most important thing to understand is what your threat model is. Do you want it encrypted because you don't want someone to have access if it's lost/stolen, or are your adversaries nation-state actors? An encrypted hard drive is useful for preventing physical access, but once you've booted into an OS the attack surface has increased enormously.

1) Jxself's recommendation will be the easiest way to do an encrypted install, especially if you've never manually altered partitions before.

2) An unencrypted /boot partition will reveal some basic info such as what OS is installed. Not necessarily important unless this information needs to be kept protected for whatever reason as well. You have a libreboot system, so the link root_vegetable provided will assist if you want /boot encrypted.

3) I agree with Root and Banana, you should be fine with a separate /home. Separate /home, /var, /usr is probably overkill for your situation.

4) As mentioned, don't put a swap partition on an SSD (you can, of course, but it will burn through the SSD much faster). In relation to encryption on an SSD, there is another point to consider in passing through the TRIM command. The TRIM command enables your SSD to have wear-leveling, which increases the total lifespan of the SSD. However, passing the TRIM command through the encrypted layer will enable someone to perform analysis to see which sectors on an SSD are and aren't used. Unless analysis is a possible threat, I would choose to pass TRIM through.

5) The link Legimet provided to the Arch-wiki is great for understanding encryption in general.

Best of luck!
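
The TRIM trade-off in point 4 can be audited from configuration. The following is an added example, not part of the original post: it reads a crypttab-format file and reports which encrypted mappings pass TRIM through, using the `discard` option of `/etc/crypttab`. The mapping names, UUIDs and devices in the sample are constructed placeholders.

```shell
#!/bin/sh
# Report, for each mapping in a crypttab-format file, whether TRIM/discard
# requests are passed through the encrypted layer.
# crypttab fields: <name> <source device> <key file> <options>
trim_report() {
    # $1: path to a crypttab-format file
    while read -r name _src _key opts || [ -n "$name" ]; do
        # Skip blank lines and comments.
        case "$name" in ''|'#'*) continue ;; esac
        status="trim-blocked"
        # Options are comma-separated; match "discard" as a whole token only.
        case ",$opts," in
            *,discard,*) status="trim-passed" ;;
        esac
        printf '%s %s\n' "$name" "$status"
    done < "$1"
}

# Constructed sample crypttab (placeholder names, UUIDs and devices).
sample_crypttab() {
    cat <<'EOF'
# <name>  <source device>  <key file>  <options>
root_crypt  UUID=00000000-0000-0000-0000-000000000001  none  luks,discard,tries=3
home_crypt  UUID=00000000-0000-0000-0000-000000000002  none  luks

swap_crypt  /dev/sda3  /dev/urandom  swap,cipher=aes-xts-plain64,size=256
EOF
}

# Run the report over the constructed sample.
tmp=$(mktemp)
sample_crypttab > "$tmp"
trim_report "$tmp"
rm -f "$tmp"
```

On a running system, pass `/etc/crypttab` to `trim_report`; `dmsetup table` (as root) shows `allow_discards` on crypt targets that currently pass TRIM through.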