Full disk encryption vs home directory encryption dual boot

I have a new laptop with Windows 10 already installed that I need to dual boot with EndeavourOS and I’m confused about encryption. There are a few Windows programs that won’t work in a virtual machine so unfortunately I have to have it running natively on the laptop. I’ve read a ton of articles and my head is spinning with so many different opinions.

I’m going to create 4 partitions:
/boot/efi
swap
/home
/

I want to protect my sensitive documents and photos stored on the /home partition.

Some say to encrypt every partition and some say this is overkill and just encrypt the /home partition.

Can someone who really understands this provide a simple explanation of whether I should do full disk encryption or just encrypt the /home partition? Thanks

Since Windows 10 is crap that now has WSL and access to Linux file systems, I’d say no dual boot + full disk encryption :upside_down_face:

I am not sure there is a simple explanation, but there is a simple answer. Encrypt everything except /boot/efi, which is your EFI partition. That is the safest, simplest and most conservative answer.

If you want a longer answer, it just depends what you want to protect and how sensitive the information is.

If you encrypt only your /home, the end result is that everything in /home will be encrypted but nothing else will be. For example:

  • Your swap partition, which could contain portions of the files you have in memory, your command history, or maybe even the password you use to decrypt that partition.
  • The home directory of the root user which could have sensitive information in it
  • Elements of cache
  • System configuration information
  • Lots of other stuff

In the end, the level of difficulty to encrypt all 3 partitions isn’t that much higher than encrypting just one so why not encrypt all 3 if you care about encryption.

2 Likes
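An added check for the point above (my example, not code from this thread): given the output of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME`, it reports whether /, /home and swap each sit on a dm-crypt device, walking the parent chain so LVM-on-LUKS still counts as encrypted. The sample layout below is constructed and has only /home encrypted, which is exactly the case that leaves swap and / in plaintext.

```shell
#!/bin/sh
# Check whether /, /home and swap sit on dm-crypt (LUKS) devices.
# SAMPLE_LSBLK is a constructed dual-boot layout with only /home encrypted;
# on a live system use:  lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME
SAMPLE_LSBLK='NAME="nvme0n1" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" FSTYPE="ntfs" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="nvme0n1p3" TYPE="part" FSTYPE="swap" MOUNTPOINT="[SWAP]" PKNAME="nvme0n1"
NAME="nvme0n1p4" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="nvme0n1"
NAME="nvme0n1p5" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cryptohome" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/home" PKNAME="nvme0n1p5"'

# field KEY LINE -> value of KEY="..." (leading space stops TYPE matching FSTYPE)
field() { printf ' %s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"; }
# line_for NAME -> the line of $LSBLK describing device NAME
line_for() { printf '%s\n' "$LSBLK" | grep "^NAME=\"$1\" "; }

# is_encrypted NAME -> true if NAME or any ancestor (via PKNAME) is dm-crypt
is_encrypted() {
  dev=$1
  while [ -n "$dev" ]; do
    dline=$(line_for "$dev") || return 1
    [ "$(field TYPE "$dline")" = "crypt" ] && return 0
    dev=$(field PKNAME "$dline")
  done
  return 1
}

# audit -> one verdict per interesting mount point; exit 1 if any is plaintext
audit() {
  rc=0
  while IFS= read -r line; do
    mp=$(field MOUNTPOINT "$line")
    case "$mp" in
      /|/home|"[SWAP]")
        name=$(field NAME "$line")
        if is_encrypted "$name"; then
          printf '%s on %s: encrypted\n' "$mp" "$name"
        else
          printf '%s on %s: PLAINTEXT\n' "$mp" "$name"
          rc=1
        fi ;;
    esac
  done <<EOF
$LSBLK
EOF
  return $rc
}

LSBLK=$SAMPLE_LSBLK   # live: LSBLK=$(lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME)
audit || echo "swap and / also hold your data; encrypt them too"
```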

There are a few programs on Windows 10 I have to use that won’t work in a virtual machine so it has to be installed.

@dalto you always give the best answers. This is great advice to not encrypt the /boot/efi partition and just do the other three. Very simple.

1 Like

I would say, just leave Linux, single boot, and forget about encryption IN ORDER to avoid data loss in case of hard drive failure or file system damage… All safe and you have no fears and no increased system load. I am running Endeavour OS as the main productive machine and had only slight issues. Just a ton better than Windows…

Encryption is something you either need/want or don’t. It doesn’t matter which OS you are running.

Disk-level encryption prevents your data from being accessed if your data gets into the wrong hands (physically). It protects you against things like physical theft or not wiping a drive before it is recycled.

1 Like

As noted above, there are a few Windows programs I have to use that don’t work in a Windows virtual machine so that isn’t an option. Also, if someone steals my laptop with Linux on it that doesn’t mean they can’t access the drives which is why they need to be encrypted.

1 Like

Has any new evidence come to light recently that Windows has access to the Linux file system by default without having enabled WSL? I am very much interested in this since one of our computers is a dual-boot Win.Pro + Linux.

1 Like

I recommend not to; you can run into problems with encryption in case of file-system or hard-drive damage, like total data loss.

The alternative is your data can be stolen. It is all about which risk you are more concerned about.

Also, that is what backups are for.

1 Like

What is the risk you are concerned about? Most unencrypted Linux filesystems can be accessed via Windows; there are drivers available. Further, if someone compromised your machine, they could enable WSL.

1 Like

I read the statement of the poster as if Windows by default can access the Linux file system, without WSL enabled and no extra drivers installed. The machine I am talking about is pretty secure so I am not actually concerned. If the Windows is compromised then it is a whole other story, I guess.

Not that I’m aware of any leak / hack so far, but in my opinion it’s just a matter of time; the means are already there.

No point in risking it.

@Luna

Which programs?
Maybe they’re wine-able :upside_down_face:

1 Like

Some of these laptops like mine come already encrypted with BitLocker. I took it off and put Linux only.

Conversely, if the Windows isn’t compromised, why would it matter?

To be clear, I don’t think dual-booting represents a significant risk as long as you use common sense security precautions on the Windows side.

1 Like

I have to use ProctorU to take exams: https://support.proctoru.com/hc/en-us/articles/115013144727-What-Operating-Systems-Devices-Are-Supported-

I see, not supported in the sense that there are exam cheating prevention mechanisms that actively prohibit running in a VM or via other means.

IMO, even if you could get it working in Wine, it wouldn’t be worth the risk in this particular case.

2 Likes

Yep…That’s a showstopper :woozy_face:

2 Likes

This will be my take-away.
Thanks!