Hello I like the fact that you offer to encrypt my whole disk for the install but I’m concerned that it only allows me to have one partition. Just wondering if there is a way to do it with two /root and /home. As I learned long ago with two partitions you can fix-up your system if you break something without losing all the data from your home partition.
Any assistance would be wonderful.
Yes, and someone please correct me if I’m wrong, but I do believe that if you use LVM to set up your partitions and encrypt that, then only the /boot partition would be outside of the encryption. However, I don’t quite understand why anyone would need anything other than their home partition encrypted, there shouldn’t be any personal information stored anywhere else on the file-system, and even if there was, shouldn’t it be possible to encrypt individual files and/or directories as well? Am I completely off base here or what?
Yeah the LVM approach would work here.
It is of course also possible to not use LVM (but why not?) and create two seperate partitions that are encrypted.
This however needs manual tweaking and configuring as the Ubiquity Installer (the one used by Netrunner Standard and all Ubuntu based live distros) only encrypts with ecryptfs. *
For the matter of encrypting two or more partitions I would rather use luks instead .
* In short: Ecryptfs encrypts the data on a normal linux partition. In contrast to this luks encrypts the filesystem (ext,xfs,btrfs,…) on which the data sits. So even from the outside no one should guess with one look which filesystem it is on which your encrypted stuff sits.
[quote]However, I don’t quite understand why anyone would need anything other than their home partition encrypted, there shouldn’t be any personal information stored anywhere else on the file-system, and even if there was, shouldn’t it be possible to encrypt individual files and/or directories as well? Am I completely off base here or what?
[/quote]
Sadly thats not completely true.
If someone really wants to even better protect its privacy he/she should also encrypt the root partition and make /tmp not to be stored in RAM but use the encrypted partition instead. The same goes for any SWAP partition. Make it encrypted so that even temporary bits and pieces of the user session aren’t easily accessible.
Ok that leaves then the RAM as the weakest point at data there is not encrypted and if someone would freeze the ram modules seconds after turning off the pc it would be possible to read some data out of the RAM.
But I guess protecting that would be then going a little bit overboard with paranoia.