Totally agree. I take it a step further and keep my /home on a separate encrypted M.2, and my /boot on an old 256GB SSD. That setup lets me fully encrypt root while keeping /boot accessible. I use grml-rescueboot to add ISOs to the GRUB menu and the extra space on /boot is handy.
It’s been a while, but I remember encrypting just the home folder used to break SSH key auth unless the user was already logged in locally, because their .ssh/authorized_keys file wasn’t available. Pre-shared keys make scp and tab completion really convenient, so that was kind of a pain.
Totally agree. I take it a step further and keep my /home on a separate encrypted M.2, and my /boot on an old 256GB SSD. That setup lets me fully encrypt root while keeping /boot accessible. I use grml-rescueboot to add ISOs to the GRUB menu and the extra space on /boot is handy.
It’s been a while, but I remember encrypting just the home folder used to break SSH key auth unless the user was already logged in locally, because their .ssh/authorized_keys file wasn’t available. Pre-shared keys make scp and tab completion really convenient, so that was kind of a pain.