Full disk encryption vs home directory encryption dual boot

Luna · May 9, 2021, 2:14pm

I have a new laptop with Windows 10 already installed that I need to dual boot with EndeavourOS and I’m confused about encryption. There are a few Windows programs that won’t work in a virtual machine so unfortunately I have to have it running natively on the laptop. I’ve read a ton of articles and my head is spinning with so many different opinions.

I’m going to create 4 partitions:
/boot/efi
swap
/home
/

I want to protect my sensitive documents and photos stored on the /home partition.

Some say to encrypt every partition and some say this is overkill and just encrypt the /home partition.

Can someone who really understands this provide a simple explanation if I should do full disk encryption or just encrypt the /home partition? Thanks

keybreak · May 9, 2021, 1:55pm

Since Windows 10 is crap that now has WSL and access to Linux file systems - i’d say no dual boot + full disk encryption

dalto · May 9, 2021, 2:20pm

I am not sure there is a simple explanation but there is a simple answer. Encrypt everything except boot/efi which is your EFI partition. That is the safest, simplest and most conservative answer.

If you want a longer answer, it just depends what you want to protect and how sensitive the information is.

If you encrypt only your /home. The end result is everything in /home will be encrypted but nothing else would be. For example:

Your swap partition which could contain portions of the files you have in memory or your command history. Or maybe even the password you use to decrypt that partition.
The home directory of the root user which could have sensitive information in it
Elements of cache
System configuration information
Lots of other stuff

In the end, the level of difficulty to encrypt all 3 partitions isn’t that much higher than encrypting just one so why not encrypt all 3 if you care about encryption.

Luna · May 9, 2021, 2:01pm

There are a few programs on Windows 10 I have to use that won’t work in a virtual machine so it has to be installed.

Luna · May 9, 2021, 2:04pm

@dalto you always give the best answers. This is great advice to not encrypt the /boot/efi partition and just do the other three. Very simple.

ycom1 · May 9, 2021, 7:46pm

I would say, just leave Linux, single boot, and forget about encryption IN ORDER to avoid data loss in case of hard drive failure or file system damage… All safe and you have no fears and no increased system load. I am running Endeavour OS as the main productive machine and had only slight issues. Just a ton better than Windows…

dalto · May 9, 2021, 2:10pm

Encryption is something you either need/want or don’t. It doesn’t matter which OS you are running.

Disk-level encryption prevents your data from being accessed if your data gets into the wrong hands(physically). It protects you against things like physical theft or not wiping a drive before it is recycled.

Luna · May 9, 2021, 2:11pm

As noted above, there are a few Windows programs I have to use that don’t work in a Windows virtual machine so that isn’t an option. Also, if someone steals my laptop with Linux on it that doesn’t mean they can’t access the drives which is why they need to be encrypted.

pebcak · May 9, 2021, 2:12pm

Has any new evidence come into the light recently that Windows has access to Linux file system by default without having enabled WSL? I am very much interested in this since one of our computers is a dualboot Win.Pro + Linux.

ycom1 · May 9, 2021, 2:14pm

I recommend not to, you can run into problems with encryption in case of file-system or hard-drive damage, like total data loss.

dalto · May 9, 2021, 2:17pm

The alternative is your data can be stolen. It is all about which risk you are more concerned about.

Also, that is what backups are for.

dalto · May 9, 2021, 2:20pm

What is the risk you are concerned about? Most unencrypted Linux filesystems can be accessed via Windows, there are drivers available. Further, if someone compromised your machine, they could enable WSL.

pebcak · May 9, 2021, 2:26pm

I read the statement of the poster as if Windows by default can access Linux file system. Without WSL enabled and no extra drivers installed. The machine I am talking about is pretty secure so I am not actually concerned. If the Windows is compromised then it is a whole another story I guess.

keybreak · May 9, 2021, 2:38pm

Not that i’m aware of any leak / hack so far, but in my opinion it’s just a matter of time - means are already there.

No point to risk.

@Luna

Which programs?
Maybe they’re wine-able

ricklinux · May 9, 2021, 2:41pm

Some of these laptops like mine come already encrypted with bitlocker. I took it off and put Linux only.

dalto · May 9, 2021, 2:47pm

Conversely, if the Windows isn’t compromised, why would it matter?

To be clear, I don’t think dual-booting represents a significant risk as long as you use common sense security precautions on the Windows side.

Luna · May 9, 2021, 2:48pm

I have to use ProctorU to take exams: https://support.proctoru.com/hc/en-us/articles/115013144727-What-Operating-Systems-Devices-Are-Supported-

dalto · May 9, 2021, 2:50pm

I see, not supported in the sense that there are exam cheating prevention mechanisms that actively prohibit running in a VM or via other means.

IMO, even if you could get it working in Wine, it wouldn’t be worth the risk in this particular case.

keybreak · May 9, 2021, 2:52pm

Yep…That’s showstopper

pebcak · May 9, 2021, 3:21pm

This will be my take-away.
Thanks!