My laptop isn’t under my supervision most of the time. And I’d hate it if someone were to steal my SSD, or whole laptop even, when I’m not around. Is there a way to encrypt everything, but still keep the device in sleep, and unclock it without much delay. It’s a very slow laptop. So decryption on login isn’t viable, takes too long. While booting up also takes forever, so it needs to be in a “safe” state when simply logged out. Maybe a way that’s decrypt-on-demand?

I’m on Arch with KDE.

  • sudo@programming.dev
    36·
    18 days ago

    The standard route is to decrypt on boot. It happens after GRUB but before your display manager starts. IDK if there even is a setup that has you “decrypt on login”. Thats sounds like your display manager (sddm for KDE) is decrypting system which is not possible IMO.

    Unless your laptop somehow has multiple drives you’ll want to use the “LVM on LUKS” configuration. 1 small partition for /boot. The rest gets LUKS encrypted, and an LVM group is put on the LUKS container. Or you could replace LVM with btrfs.

    This will require wiping your system and reinstalling so you have some reading to do.

    The arch-install script in the live iso has options for full disk encryption.

    If you suspend to RAM your system will stay unencrypted, because your ram is not encrypted. if you suspend to disk (aka hibernate) your system will be encrypted. You go through the boot loader when waking from hibernation but it just drops you off where you left off.

    You need a swapfile for hibernation so make sure its inside the LUKS container.

    • Leaflet@lemmy.worldEnglish
      9·
      18 days ago

      There is a way for just your home folder to be encrypted, Linux Mint has it as an option.

      • sudo@programming.dev
        5·
        18 days ago

        Looks like they use eCryptFS. Never heard of it before so thats neat. I can see using it on systems where you can’t reinstall the system with Dm-crypt but it most cases I suspect Dm-crypt is a better alternative.

        Idk if its faster or slower than Dm-crypt.

    • JubilantJaguar@lemmy.world
      3·
      18 days ago

      To add to the comments, most distros do not offer FDE by default when installing. You have to jump thru hoops. No idea why this is still the case given how many consumer computers are laptops these days, it seems crazy.

      The big exception seems to be PopOS, an Ubuntu derivative which is intended for laptops. FDE by default so it must be pretty easy to get that up and running.

      Ubuntu itself has a solid FDE option on install, too. It sets up the LVM configuration as already described, no expertise needed. And IME works very reliably.

      • cspiegel@lemmy.world
        2·
        17 days ago

        openSUSE also has a simple FDE setup. Just check a box and enter a passphrase during install. It’s not default, but it’s about as easy as possible to set up.

        • JubilantJaguar@lemmy.world
          1·
          17 days ago

          Useful to know, thanks.

          For the record, I once had a bad experience with the Debian installer’s version. That is why I will not be trying Debian again. Installation is a moment of vulnerability, when you don’t have ready access to your data, or the network, and this is one extra factor. IMO it really is non-negotiable for a distro to provide a bulletproof installation experience.

      • jwt@programming.dev
        6·
        18 days ago

        Keep in mind an unencrypted /boot partition still leaves you open to an evil maid attack. I’m not really paranoid (or interesting) enough that I feel the need to take measures to prevent those kinds of attacks, but your situation may differ.