In a rolling release, individual packages are not just updated, but may also be upgraded to a newer version without that the whole system needs to undergo such an upgrade. In a point release, the whole system is upgraded all at once.
True, and I can see how this would be confusing, but those are updates, not upgrades. Microsoft does at times release upgrades for existing point releases, but those then come in the form of Service Packs, and they could be considered minor version bumps.
I didn’t read the whole thread, but encrypting home afterwards is doable, but a bit complicated. When I did it I wrote some notes for myself:
Encrypting /home on an existing Linux system:
Create a LUKS device:
1.1 Boot with a live USB
1.2 Back up you data, at least $HOME
sudo mount /dev/sdb1 /mnt
sudo cp -a /home/* /mnt
1.3 Create enough free space (for the new $HOME) by shrinking an existing partition with GParted (for example)
1.4 In GParded (e.g.) create a new partition on the free space, but choose in filesystem field “unformated”
1.5 In the terminal get the device name and the UUID of the unformatted partition with lsblk -f (we assume it is /dev/nvme0n1p4 below, but could be simply dev/sda1)
1.6 Create a LUKS device on the patition with the command
sudo cryptsetup -v --type luks2 --cipher aes-xts-plain64 --key-size 256 --hash sha256 --iter-time 2000 --use-urandom --verify-passphrase --label crypto_LUKS luksFormat /dev/nvme0n1p4
(the values here are chosen with performance in mind, for more security focused values see here: dm-crypt/Device encryption - ArchWiki)
1.6.1 Enter a password which is secure but which you can input at boot time (probably don’t use accénts and similar)
1.7 Open the LUKS device with
sudo cryptsetup open /dev/nvme0n1p4 crypto_LUKS
1.8 Format the LUKS device with a filesystem of your choice - you can do it in GParted or with a command like
sudo mkfs.ext4 /dev/mapper/crypto_LUKS
Integrate the LUKS device into the file system
2.1 Edit /etc/crypttab and add a line like this
crypto_LUKS /dev/nvme0n1p4 none luks,timeout=180
2.2 Edit /etc/fstab to make it contain the following line
/dev/mapper/crypto_LUKS /home ext4 defaults 0 2
2.3 Edit /etc/mkinitcpio.conf and make the HOOKS= line contain encrypt, keyboard, keymap and consolefont like this:
HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard keymap consolefont)
2.4 Edit /etc/default/grub and make the line with GRUB_CMDLINE_LINUX_DEFAULT= contain cryptdevice=/dev/nvme0n1p4:crypto_LUKS
2.5 Create new initramfs and update Grub
sudo mkinitcpio -P
sudo update-grub
Restore the backup
sudo mount /dev/mapper/crypto_LUKS /media
sudo cp -a /mnt /media
Reboot
4.1 Check the mount points, the output looks like this:
~ >>> mount | grep /home
/dev/mapper/crypto_LUKS on /home type ext4 (defaults)
If the LUKS device is mounted on /home, then the configuration changes got applied successfully.
4.2 You should mount the partition which contains the old $HOME folder and delete it in a secure way (maybe you need to install the package wipe)
sudo mount /dev/nvme01p3 /mnt
wipe -rfi /mnt/home/*
