I recently switched from Windows to Linux and really liked how encryption worked there, especially using the TPM and just entering my PIN at login. On Linux, I see I have to choose between encrypting just my home folder or going with full disk encryption where I need to enter a password before booting up my operating system (I'm looking at LUKS). While I don't have anything super secret to protect, I still want my files encrypted in case my computer gets stolen or if I decide to do something shady in the future. I'm unsure if encrypting only my home folder would be sufficient. If I only encrypt my home folder, would anyone with access to my hard drive be able to see which applications I've installed? Could they figure out what files those apps have accessed, like a file containing my 'super-secret-deviant-thoughts'? What if I have a messaging app or something else that creates files—would those be safe? Just trying to get a handle on what would be best for me.
2 Answers
Why not do both? I’ve got a setup where I use Btrfs in a LUKS2 container—with the TPM2 and Secure Boot for unlocking. My root directory is set up as a subvolume, and my home folder is encrypted at rest, managed with systemd-homed. Plus, I require my fingerprint before unlocking my home filesystem, which is super secure.
Yeah, if you only encrypt your home folder, anyone with access to your hard drive could see which apps you’ve installed. They wouldn't see what you opened directly, but recent file lists are stored in your home, so that could expose some info. However, any logs (like 'opening super-secret-deviant-thoughts.txt') in /var/log would be visible. So, files that apps create in your home folder are safe, but for better security, you might just want to go all out and encrypt everything. It means entering your password twice at boot, but it’s honestly not that big of a deal.

As long as your EFI bootloader can unlock the root or boot partition, everything should operate smoothly.
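To make the "what leaks outside /home" point concrete, here is an added audit script (not from either answer) that maps the system directories holding package lists, logs and caches to their backing device and flags the ones that are not on a dm-crypt mapping. It assumes LUKS volumes appear as /dev/mapper/* and runs on a constructed findmnt sample so it works offline; replace the sample with `findmnt -rno TARGET,SOURCE` output to check a real machine.

```shell
#!/bin/sh
# Constructed sample of `findmnt -rno TARGET,SOURCE` from a machine that
# encrypts only /home (assumed mapper name home_crypt). Swap in real output
# to audit your own layout.
MOUNTS='/ /dev/nvme0n1p2
/boot/efi /dev/nvme0n1p1
/home /dev/mapper/home_crypt
/tmp tmpfs'

# Backing device for a path: the mount target that is the longest prefix
# of the path wins (so /var/log resolves to / unless it has its own mount).
mount_source() {
    printf '%s\n' "$MOUNTS" | awk -v p="$1" '
        {
            t = $1
            if (p == t || index(p, (t == "/" ? "/" : t "/")) == 1)
                if (length(t) > length(best)) { best = t; src = $2 }
        }
        END { print src }'
}

# Directories outside $HOME that record what you installed or opened
# (/var/lib holds package databases, /var/log the logs, /var/cache package
# downloads). Anything not on a dm-crypt mapping (assumed /dev/mapper/*)
# is readable by whoever pulls the drive; tmpfs is RAM-only and skipped.
leaky_paths() {
    for p in / /etc /var/log /var/lib /var/cache /tmp /home; do
        src=$(mount_source "$p")
        case $src in
            /dev/mapper/*) ;;
            tmpfs) ;;
            *) printf '%s -> %s\n' "$p" "${src:-unknown}" ;;
        esac
    done
}

leaky_paths
```

With the sample layout the script reports /, /etc, /var/log, /var/lib and /var/cache as unencrypted while /home is fine, which is exactly the exposure the answer above describes.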