I have a 2TB NVMe drive (which is regularly backed up to an external drive) and I want to have a partition scheme that satisfies the following:
- Both of my big partitions (/boot is not a must) have to be encrypted
- / should be a separate partition since I will probably mess up my system every now and then and thus, will have to reinstall it occasionally
Since grub needs >20sec to decrypt a single partition (and I have to have 2 encrypted partitions), I decided to go for an unencrypted boot for now. Systemd-boot apparently just needs 1 sec to decrypt, but this is only available via manjaro architect (which is unmaintained and unavailable to dl right now) and I’m a noob with too little time atm (I have exams soon… )
So I came to think of two schemes:
Scheme 1: Have an encrypted / and an encrypted /home partition
- No need to copy /home back over from my backup drive after a fresh system install to /
- All personal (i.e. “non system”) data is on a single partition
- Somehow feels like the nicer approach
More difficult to set up and have it work comfortably after a fresh install of both partitions:
I have to enter 2 passwords at boot time - unless I find out how to use keyfiles which would allow to make /home automatically mount after I typed in the password for / (however, this seems doable for me with a little reading)
Way more difficult to set up after a fresh install of / when there is already data on the /home partition:
I’ve already tested this scenario and created the mentioned partition scheme, then deleted / and reinstalled Manjaro on it. Then, I tried to make the “old” /home partition my new /home partition. But since this obviously is not remotely as easy as with an unencrypted /home (I think in that case one would simply need to add a single line to fstab), this was too difficult for me to figure out.
Scheme 2: Have an encrypted / and an encrypted independent data partition. I would then link my music, pictures and videos folders from the data partition to /home/Music, /home/Pictures, etc.
- Very easy to set up:
After the first boot I just click in the file manager on the encrypted data partition and select to remember the password. Then I only have to type in my password once per boot.
- Personal data is split across both partitions:
First part is in /home and the rest is in the data partition
Right now I would pick scheme 2 since it is way less complex and does not seem to have significant disadvantages.
Now, my questions: Did I miss something? Is any of the above schemes maybe really stupid or way superior to the other one because of things I haven’t thought of?
Big thanks in advance!