Totally agree. I take it a step further and keep my /home on a separate encrypted M.2, and my /boot on an old 256GB SSD. That setup lets me fully encrypt root while keeping /boot accessible. I use grml-rescueboot to add ISOs to the GRUB menu and the extra space on /boot is handy.
It’s been a while, but I remember encrypting just the home folder used to break SSH key auth unless the user was already logged in locally, because their .ssh/authorized_keys file wasn’t available. Pre-shared keys make scp and tab completion really convenient, so that was kind of a pain.
At what point does an encrypted /home partition or LVM Volume or Drive get decrypted? Toward the end of the OS booting? I played with an encrypted LUKS single partition setup that asked me before the OS visibly booted.
Generally during the mounting process, which is pretty early on in the OS boot process.