I have been using EndeavourOS for a few months now and want to switch to an encrypted installation without reinstalling EOS since this is my main PC and I have everything set up right now.
Maybe this site can help you: https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system
Is it possible to prevent the computer from asking for the passphrase on bootup?
According to the wiki, the drive should be automatically decrypted on bootup, as long as the system hasn’t been tampered with, see here.
But I suspect that what you mean is an auto-login specific to your DE/WM; I’d suggest consulting the documentation on your specific DE/WM. For KDE and Gnome this should be configurable in the user settings. (Although at that point your drive encryption may be a little pointless, but I leave that consideration up to you.)
What I was referring to was that from what I’ve heard, GRUB will ask for a passphrase before booting into EOS. (I personally use GRUB)
Ah I see. Yes, that seems to be true. No idea if that can be avoided. But may I ask what your threat vector is that requires an encrypted boot partition? I assume that your main concern is your laptop/hard drive being stolen, in which case automatically unlocking your boot partition (which is the only part that will be protected by the password) makes the encryption pointless to begin with as far as I know…
The threat vector that I’m trying to avoid is someone just stealing my SSD, is there another way to combat that? (In software)
Well, to my understanding (again, not really an expert), if they only steal your SSD, the standard LUKS+Secure Boot protection should protect you as far as I know. If the SSD is in a laptop, you have to protect your Secure Boot option with a password and maybe (?) also encrypt the boot partition. No idea if that is the ultimate solution; I guess if someone really wants to crack that, they could, but who’s going to go through that trouble unless you know you have something really valuable on there (e.g. a bitcoin wallet; in that case you should probably consult an expert anyway).
tldr: LUKS+Secure Boot is probably fine. Password protect your stuff (no auto-login) and I’d consider the few family photos and the likes of it safe.
Is moving /boot to a separate partition required/a good idea?
No idea if that’s a “good” idea, but that’s how I’ve always set up my grub systems…
But in any case, I think I’m going to tap out here for someone more qualified to step in as I can’t really do more at this point than parrot whatever the Archwiki says…
Thanks, though.
To my knowledge:
- there should be no way to avoid GRUB or systemd-boot asking for the pw and you entering it;
- there is an advantage of using an unencrypted boot partition: it can use LUKS 2, which is safer against some forms of attack; while the disadvantage is your kernel could in theory be manipulated;
- while when you whole-disk encrypt, meaning the EnOS and basically the Calamares way, your kernels are safe as an advantage because they are stored inside your system partition. Still, it’s LUKS 1 only then (disadvantage).
2.-3. do not answer your question though…
I think that you can put the keyfile somewhere using a USB drive as a means to decrypt, like maybe here https://tqdev.com/2022-luks-with-usb-unlock or here https://bbs.archlinux.org/viewtopic.php?id=251889
But I guess you will still have to enter your password.
For your needs right now maybe consider KDE Plasma Vaults or VeraCrypt
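The LUKS 1 vs LUKS 2 point above (GRUB unlocking an encrypted /boot) is easy to check on your own header. The following is an added example, not from this thread or from EndeavourOS: it parses the text that `cryptsetup luksDump` prints and lists which key slots GRUB could open, assuming (as of GRUB 2.06 without distro Argon2 patches) that GRUB opens LUKS1 slots and LUKS2 slots only when their key derivation is PBKDF2. The dump texts below are constructed samples with shortened values.

```python
import re

# Constructed sample: LUKS2 header, slot 0 argon2id (cryptsetup default),
# slot 1 added with --pbkdf pbkdf2 so that GRUB can open it.
SAMPLE_LUKS2_DUMP = """\
LUKS header information
Version:        2
UUID:           00000000-0000-0000-0000-000000000000
Keyslots:
  0: luks2
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Memory:     1048576
  1: luks2
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Iterations: 1000000
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
"""

# Constructed sample: LUKS1 header, only slot 0 in use.
SAMPLE_LUKS1_DUMP = """\
LUKS header information for /dev/sdX2
Version:        1
Cipher name:    aes
Key Slot 0: ENABLED
Key Slot 1: DISABLED
"""


def parse_luks_dump(dump: str) -> dict:
    """Return the header version and the PBKDF used by each enabled key slot."""
    version = int(re.search(r"^Version:\s+(\d+)", dump, re.M).group(1))
    pbkdf = {}
    if version == 2:
        # Only the Keyslots: section carries 'PBKDF:' lines; stop before Tokens:/Digests:.
        section = dump.partition("Keyslots:")[2].partition("Tokens:")[0]
        slot = None
        for line in section.splitlines():
            if m := re.match(r"^\s*(\d+): luks2", line):
                slot = int(m.group(1))
            elif (m := re.match(r"^\s*PBKDF:\s*(\S+)", line)) and slot is not None:
                pbkdf[slot] = m.group(1)
    else:
        for m in re.finditer(r"^Key Slot (\d+): ENABLED", dump, re.M):
            pbkdf[int(m.group(1))] = "pbkdf2"  # LUKS1 key slots always use PBKDF2
    return {"version": version, "keyslot_pbkdf": pbkdf}


def grub_unlockable_slots(info: dict) -> list:
    """Slots GRUB can open under the assumption stated in the lead-in."""
    return sorted(s for s, kdf in info["keyslot_pbkdf"].items()
                  if info["version"] == 1 or kdf == "pbkdf2")
```

On a real system, feed it the output of `sudo cryptsetup luksDump /dev/sdXn`; an empty result for the device holding /boot means GRUB will not be able to unlock it at all.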