I’m new to Manjaro, but have been using GNU/Linux for many years, and would like to use Manjaro as my main system from now on.
I would like to set up a system with / in plaintext and /home in ciphertext , encrypted and its integrity checked.
I’m mainly interested in these:
- / in plaintext due to performance concerns as I’m using relatively poor hardware. I would also be fine about a clean reinstall (from a trusted installation medium) preserving /home in case my computer is physically accessed by someone I don’t trust.
- Encrypted /home (via block devices, stacked filesystems or anything feasible)
- Integrity checks for /home .
Portability between various GNU/Linux distributions and across various machines.
I would like use Manjaro as my main distro , but still be able to mount Manjaro’s /home in other distributions too (I’m planning to keep the bulk of my data in Manjaro’s /home)
- High resilience to failures and power outages (which are common here, and I don’t have a UPS).
- I do not trust encryption provided by hard disk vendors (as it is generally closed-source, non-portable and may possibly contain backdoors).
- Supports resizing with negligible chances of data loss.
- High performance and low power consumption even on relatively poor hardware.
I’ve found the following options from Data-at-rest encryption - ArchWiki and many other places:
- Encrypt a partition with LUKS , then set up a BTRFS filesystem on top (for integrity checks).
- Use gocryptfs. (I don’t know how to automount /home with this)
- Use ZFS (I would like to avoid this, due to its relative instability and its licensing).
- Use systemd-homed (I would like to avoid this, due to its dependence on systemd and as it is not portable to MX/antiX systems using sysvinit).
I would like to set it up preferably with Manjaro’s GUI installer, or else using the command line.
I would also like to set up autologin along with /home encryption (so that I have to type my password only once).
Please guide me on the most appropriate method(s) for this, and please correct my shortcomings.
I have read related posts on this forum, and have understood that my problem is different from these (though I got many useful tips while reading them):