How can I encrypt an additional partition after installation?

I will make some tests in a VM by defining at least 2 different passphrases, one for root, one for home.
In my installation, two keyslots are used by default in the partitions encrypted at installation; I guess there is one for a passphrase and one for a keyfile.

For sure, both keyfile and passphrase are required in the boot process for the root partition. I wonder if this is also the case for the home and storage partitions, as a crypttab is used and there are 3 entries in it, one for each container.
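How the post-install step would look in practice, as an added example that is not part of the original post or of any poster's setup: a POSIX shell script that LUKS2-formats a spare partition, adds the same two keyslots the installer creates (a passphrase and a keyfile), and appends the crypttab and fstab lines so systemd unlocks it at boot. The device path, mapper name, keyfile location and mount point are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: encrypt a spare partition with LUKS2
# after installation, give it two keyslots (a passphrase and a keyfile, the
# layout the installer produces), and register it in crypttab and fstab so
# systemd unlocks it at boot like the root and home containers.
# Device, mapper name, keyfile path and mount point are placeholders.
set -eu

# Emit one /etc/crypttab entry. The UUID is validated first so a typo cannot
# produce an entry that stalls the boot waiting for a device that never appears.
crypttab_line() {
    name=$1 uuid=$2 keyfile=${3:-none} opts=${4:-luks}
    echo "$uuid" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' ||
        { echo "crypttab_line: invalid UUID '$uuid'" >&2; return 1; }
    printf '%s UUID=%s %s %s\n' "$name" "$uuid" "$keyfile" "$opts"
}

# Emit the matching /etc/fstab entry for the opened mapper device.
fstab_line() {
    printf '/dev/mapper/%s %s %s defaults 0 2\n' "$1" "$2" "${3:-ext4}"
}

# Count active keyslots in `cryptsetup luksDump` output (LUKS2 format) read
# from stdin; a container with passphrase + keyfile shows 2, like the installer's.
count_keyslots() {
    grep -Ec '^[[:space:]]+[0-9]+: luks2$' || true
}

# Destroys all data on $1. Run as root on an EMPTY partition.
# The keyfile lives on the already-encrypted root, mode 0400, so this
# container is exactly as protected as root is and unlocks after it.
encrypt_partition() {
    dev=$1 name=$2 keyfile=$3 mnt=$4
    [ -e "$keyfile" ] || { dd if=/dev/urandom of="$keyfile" bs=64 count=1; chmod 0400 "$keyfile"; }
    cryptsetup luksFormat --type luks2 "$dev"       # asks for a passphrase: keyslot 0
    cryptsetup luksAddKey "$dev" "$keyfile"        # keyfile: keyslot 1, used at boot
    cryptsetup open --key-file "$keyfile" "$dev" "$name"
    mkfs.ext4 /dev/mapper/"$name"
    uuid=$(blkid -s UUID -o value "$dev")          # UUID of the LUKS header, not the fs
    crypttab_line "$name" "$uuid" "$keyfile" >> /etc/crypttab
    fstab_line "$name" "$mnt" >> /etc/fstab
    mkdir -p "$mnt" && mount "$mnt"
    cryptsetup luksDump "$dev" | count_keyslots    # expect 2
}
# Usage (as root): encrypt_partition /dev/sdX3 cryptdata /etc/cryptsetup-keys.d/cryptdata.key /mnt/data
```

If the keyfile is omitted, crypttab_line writes `none` and the container prompts for its own passphrase at boot instead.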

My comment is not targeting having the content of /home on a separate partition.

I wouldn't move the content of /home but rather individual content.

If an encrypted /home/username is desired, systemd-homed is better suited for that - see systemd-homed - ArchWiki

Yes, I know @openminded's topics, they are interesting. I wanted to test his tutorial for a long time but did not find the time to do it :slight_smile: also because I have no knowledge about LUKS things at all, as you can notice.

I see, I used to have a separate home partition. One time I messed up my root by using btrfs scrub. I was happy to have a separate home partition, I tell you :slight_smile:

So did I - but - over time - I learned that moving content and symlinking it back was a much more flexible solution.

I have a couple of scripts to do the heavy lifting - e.g. Documents is removed and replaced with a symlink to my Documents - which is on a separate partition.

Interesting indeed, and more flexible as you said for backup purposes.

I would always think twice before I do a full disk encryption… especially the root/home/boot.

I mean it can make sense for sure, but how does it protect your files? Only when your device is physically stolen while it was shut down.

That's why I prefer to have partitions encrypted where the access is not always needed.

I hope you are aware that, using a boot encryption feature, you could run into additional bugs in some situations, where a boot failure requires more skill to fix the problem.

I just want to let you know that full disk encryption is sometimes (on a laptop, for example) useful, while in other use cases it is not really needed and doesn't give much protection, since the files are unencrypted anyway when you have access to them the moment you boot into Linux.


Yes, after years of unencrypted partitions, I want to dig into encrypted partitions until I find the 'ideal' encryption strategy.

My current encryption scheme is not perfect and certainly not ideal for many cases, for sure. But that's what I need at the moment, in case my disks are stolen.

Maybe an unencrypted separate boot partition would have been a better choice, as I realize now that my system is very slow to boot up :slight_smile:

How do you do it concretely, if you could sum up your system?

Thanks

I have used only VeraCrypt for around 10 years and I'm very happy with that.

There are very smart options that this program has, like a hidden space file, very sneaky if you ask me… Next level James Bond, but also very dangerous: if you write too much data to the free space of your HDD/SSD, this encrypted/hidden space gets automatically overwritten and you have a problem then.

But I'm just using separate fully encrypted partitions.
So when I browse or game (Steam, Anti Cheat or EGS from UE4 and UE5 games) or when I open other programs like Discord that I don't really trust because of their telemetry,

all my files are protected at this moment, so you should split your files between how much you use them and how private they really are.

Edit: Maybe cherry picking, but I would also disable the TPM… I don't trust this chip to store my local passwords and send them around the world. :face_vomiting:

