What do you think of these two encrypted partition schemes? - Should I use "/ and /home" OR "/ and data partition"?

Support
,
1

Hi,

I have a 2TB NVMe drive (which is regularly backed up to an external drive) and I want to have a partition scheme that satisfies the following:

  1. Both of my big partitions (/boot is not a must) have to be encrypted
  2. / should be a separate partition since I will probably mess up my system every now and then and thus, will have to reinstall it occasionally

Since grub needs >20sec to decrypt a single partition (and I have to have 2 encrypted partitions), I decided to go for an unencrypted boot for now. Systemd-boot apparently just needs 1 sec to decrypt, but this is only available via manjaro architect (which is unmaintained and unavailable to dl right now) and I’m a noob with too little time atm (I have exams soon… :frowning:)

So I came to think of two schemes:

Scheme 1: Have an encrypted / and an encrypted /home partition

Advantages:

  • No need to copy /home back over from my backup drive after a fresh system install to /
  • All personal (i.e. “non system”) data is on a single partition
  • Somehow feels like the nicer approach

Disadvantages

  • More difficult to set up and have it work comfortably after a fresh install of both partitions:
    I have to enter 2 passwords at boot time - unless I find out how to use keyfiles which would allow to make /home automatically mount after I typed in the password for / (however, this seems doable for me with a little reading)
  • Way more difficult to set up after a fresh install of / when there is already data on the /home partition:
    I’ve already tested this scenario and created the mentioned partition scheme, then deleted / and reinstalled Manjaro on it. Then, I tried to make the “old” /home partition my new /home partition. But since this obviously is not remotely as easy as with an unencrypted /home (I think in that case one would simply need to add a single line to fstab), this was too difficult for me to figure out.

Scheme 2: Have an encrypted / and an encrypted independent data partition. I would then link my music, pictures and videos folders from the data partition to /home/Music, /home/Pictures, etc.

Advantages:

  • Very easy to set up:
    After the first boot I just click in the file manager on the encrypted data partition and select to remember the password. Then I only have to type in my password once per boot.

Disadvantages:

  • Personal data is split across both partitions:
    First part is in /home and the rest is in the data partition

Right now I would pick scheme 2 since it is way less complex and does not seem to have significant disadvantages.

Now, my questions: Did I miss something? Is any of the above schemes maybe really stupid or way superior to the other one because of things I haven’t thought of?

Big thanks in advance! :two_hearts:

2

Take your time and do a manual install (if you can)
separate /boot partition, unencrypted

The decryption time will not be an issue anymore.
It’s only relevant when Grub (the boot loader) is tasked to do the decryption.
… not the case when /boot is not encrypted

Unfortunately, Manjaro’s installer (Calamares) cannot handle this as of now.

for what it’s worth:
I do not run Manjaro
but Arch, installed through the Archlabs installer
which was capable of doing this
but at the moment, this installer needs an update and will not work the same way as it used to …
(last checked two weeks ago …)

but when using this, you’ll end up with Arch - not Manjaro
just saying …

3

Both schemes are a manual install! :slight_smile:

The question just is: which one to pick?

4

the decision is entirely up to you :wink:
…
but, no:
the Archlabs install is not what I’d call a “manual install”

text driven interface
quite different to Calamares
(but) quite good - easy to work with

but - it does not work at the moment - last time I checked at least

even though it will likely be considered … inappropriate here
I’d always pick Arch …
which Archlabs … just is :wink:

5

I’d just have 3 partitions: /boot, / and /home. No need to symlink. I used to have symlinked folders from a data partition to /home, but then I just tried mounting /home from a different partition and it’s a lot simpler.

Regarding encryption, I don’t use it, but if I did, I’d just encrypt /home. That’s where the juice is. If someone steels you computer, what can they get from the root partition? Unless you are in danger of someone undermining your system to spy on you, I don’t see the need to encrypt root. Currently, I have sensitive files individually encrypted instead.

1 Like