* address@hidden <address@hidden> [2019-11-02 02:27]:
> On my programming laptop, my entire disk is LUKS encrypted and has
> been since ~2005. Debian (and now Devuan (no systemd)) made it easy.

For me: There are countries which may even force you legally to give
out your encryption password for whatever reasons they may think of. And
the computer may be used by multiple people at the same time. And
sometimes I open up the computer and wish to quickly find media, like
videos or images, to be presented to third parties over a projector or
face to face. I don't like typing passwords under such circumstances.
In fact nobody needs to know that something is encrypted.

For that reason I am encrypting only swap, /tmp and /home/data1, while
/home is a separate partition that can be used without encryption, for
example by office staff or family members, who have data which may
not need to be encrypted. There is also one decoy account of my own, so
should I open the computer, I would get into a normal unencrypted
account, which does not contain anything special inside.

Thus if the computer is stolen there is no option on the screen to ask
for a password. It is hard to tell that there is a pretty well hidden
partition that is encrypted. But I think LUKS tools can tell it is a
LUKS partition.

In case of legal enforcement one could say that it was not encrypted
or that the computer was purchased that way. It is hard to prove that
an encrypted partition really would be under the control of a person.

> You do have to type in a password on boot, 20+ characters long
> naturally.
> The longer the better, the more convoluted, the more insane... the way
> to go.

Yes, as a Digital Investigator for West Yorkshire Police writes articles
like this:
https://articles.forensicfocus.com/2018/02/22/bruteforcing-linux-full-disk-encryption-luks-with-hashcat/
Jean
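
The message's remark that LUKS tools can recognise a LUKS partition, as an added example that is not part of the original post: a LUKS1 header begins with a fixed signature and stores its cipher, hash and key-slot fields in plaintext, so they can be read without any passphrase. The header bytes are constructed for the demo, and the function names are this example's own.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"       # fixed 6-byte signature at offset 0
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD   # LUKS1 key-slot states
# LUKS1 on-disk layout (big-endian): 208-byte header, then 8 key slots of 48 bytes
HDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")   # state, PBKDF2 iterations, salt, offset, stripes

def _text(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def inspect_luks(first_bytes):
    """Return what the start of a device reveals without a passphrase, or None."""
    if len(first_bytes) < 8 or first_bytes[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack_from(">H", first_bytes, 6)[0]
    info = {"version": version}
    if version != 1 or len(first_bytes) < HDR.size + 8 * SLOT.size:
        return info   # LUKS2 keeps the rest of its metadata in a JSON area
    (_, _, cipher, mode, hash_spec, payload, key_bytes,
     _, _, _, uuid) = HDR.unpack_from(first_bytes)
    slots = [SLOT.unpack_from(first_bytes, HDR.size + i * SLOT.size)
             for i in range(8)]
    info.update(cipher=_text(cipher), mode=_text(mode), hash=_text(hash_spec),
                key_bits=key_bytes * 8, payload_sector=payload, uuid=_text(uuid),
                # (slot index, PBKDF2 iterations) for every slot holding a key
                active_slots=[(i, s[1]) for i, s in enumerate(slots)
                              if s[0] == SLOT_ACTIVE])
    return info

def build_sample_header():
    """Constructed LUKS1 header for the demo; not taken from a real disk."""
    hdr = HDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64,
                   b"\0" * 20, b"\0" * 32, 100000,
                   b"00000000-0000-0000-0000-000000000000")
    slots = b"".join(
        SLOT.pack(SLOT_ACTIVE if i == 0 else SLOT_DISABLED,
                  200000 if i == 0 else 0, b"\0" * 32, 8 + i * 512, 4000)
        for i in range(8))
    return hdr + slots

if __name__ == "__main__":
    print(inspect_luks(build_sample_header()))
    print(inspect_luks(b"\0" * 592))   # no signature at offset 0
```

The per-slot iteration count is the PBKDF2 work factor applied to each passphrase guess, which together with passphrase length sets the cost of the brute-force approach in the linked article.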