Wednesday, May 11, 2016

Disk Encryption on a crummy laptop

About 30 minutes ago I decided that I wanted to use full disk encryption on my Arch Linux installation. My setup would be something simple (I'm not looking for plausible deniability or protecting my information to any extreme degree). It would effectively look like this:

/dev/sda1 -> encrypted root partition (home, var, everything)
/dev/sdb1 -> un-encrypted boot partition

As a laptop user, I want things to be rather convenient, but I still want to maintain at least a basic level of encryption. My setup then is that the OS will be placed on a fully encrypted single partition, as I'm too lazy to set up LVM or the like, and that partition will hold the LUKS header (so no plausible deniability of encryption), which will store a single password-based LUKS key. The disk itself will not know how to boot.

The boot partition will be stored on a separate, un-encrypted USB stick. This stick will need to be plugged in each time the machine boots, and will also need to be present for any upgrades which deal with kernel images or the bootloader (GRUB in my case). By doing so, a person would need to have the physical USB stick as well as know the password (or execute some variety of an evil maid attack).

Would it make things safer? Not necessarily, but then again this is more of a learning experience than an actual data privacy guarantee.

The actual process was not that hard. The Arch Wiki has a page on dm-crypt setup for a very simple layout. One can follow all of the simple layout steps except that boot should be created on a separate USB stick instead of the internal hard disk. It will only take about 30 minutes to do from the beginning of the install to restoring all of my system information from Git repositories and re-downloaded packages (not accounting for the time it may take to erase and encrypt the drive).
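
A pre-reboot sanity check for this layout, as an added example (not from the original post or the Arch Wiki). It assumes Arch's mkinitcpio "encrypt" hook and its cryptdevice= kernel parameter; the mapper name "cryptroot" and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-reboot checks for a LUKS root with /boot on a USB stick.
# Assumes Arch's mkinitcpio 'encrypt' hook and its cryptdevice= kernel parameter.

# hooks_ok FILE: HOOKS must list 'encrypt' after 'block' and before
# 'filesystems', otherwise the initramfs cannot unlock the root partition.
hooks_ok() {
    hooks=$(sed -n 's/^HOOKS=[("]\(.*\)[)"].*$/\1/p' "$1" | tail -n 1)
    i=0; blk=0; enc=0; fs=0
    for h in $hooks; do
        i=$((i + 1))
        case $h in
            block) blk=$i ;;
            encrypt) enc=$i ;;
            filesystems) fs=$i ;;
        esac
    done
    [ "$blk" -gt 0 ] && [ "$blk" -lt "$enc" ] && [ "$enc" -lt "$fs" ]
}

# cryptdevice_of FILE: print the value of the first cryptdevice= parameter.
cryptdevice_of() {
    grep -o 'cryptdevice=[^ "]*' "$1" | head -n 1 | cut -d= -f2-
}

# cryptdevice_ok FILE: require device:name with a persistent device reference.
# /dev/sdX names can change depending on whether the USB stick is plugged in.
cryptdevice_ok() {
    case $(cryptdevice_of "$1") in
        UUID=?*:?* | /dev/disk/by-*/?*:?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample files (not taken from a real system).
demo=$(mktemp -d)
printf 'HOOKS=(base udev autodetect keyboard modconf block encrypt filesystems fsck)\n' \
    > "$demo/mkinitcpio.conf"
printf 'GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:cryptroot"\n' > "$demo/grub"

hooks_ok "$demo/mkinitcpio.conf" && echo "HOOKS order: ok"
cryptdevice_ok "$demo/grub" ||
    echo "cryptdevice: $(cryptdevice_of "$demo/grub") is not a persistent name"
```

On a real install the two functions would be pointed at /etc/mkinitcpio.conf and /etc/default/grub before regenerating the initramfs and GRUB configuration.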
