I'm somewhat new to disk encryption techniques in Linux, but I have the basic notions about encryption. Here are my conditions:
- I need to have "full disk encryption", including "/", not just "/home".
- I don't need /home on a separate partition, I prefer just a single "/" and swap
- I need suspend/hibernate to work (yes, I know suspend is not safe, but I need it to work in rare cases where people won't steal my laptop)
- I want to do this using modern Linux distribution installers, so my option is basically LVM
- I know I'll need an unencrypted /boot partition
But the thing is: using distribution installers, I have the option to encrypt the Physical Volume (PV) but also to encrypt the Logical Volumes (LVs) inside the PV.
- Which one is better?
- If I just have encrypted Physical Volume, am I safe? Or does it just encrypt some kind of metadata (like a table containing pointers to the inner partitions) and not the file systems inside it?
- Is there any case where I'll want to have PV encryption + LV encryption? Explain.
LVM has many different abstractions (PV, VG, LV, PE), and I'm afraid that by encrypting something I might be only encrypting some kind of metadata table and not the actual contents of my files. I tried googling this, but the howtos usually explain how to format your partitions but not the details I'm asking about. I have the feeling that people just want to type some sort of password, even if they don't know what is actually being encrypted. The Linux distribution installers don't help either (the only one that cares about writing random stuff to the disk before encrypting is Debian!).
What I did:
- Using the openSUSE installer, I created a physical partition on my disk and marked it as "encrypted". Then, I used it to create an LVM Group, and, inside it, I created unencrypted / and swap. Is this safe?
I'm still waiting for the installation to finish. I'll need to discover how to try to break it after.
Thanks in advance.
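
The layout described under "What I did" can be checked on the installed system by looking at the block-device stack. The following is an added example, not part of the original post: it parses `lsblk --json -o NAME,TYPE,MOUNTPOINT` output and reports every mounted filesystem or swap area that has no dm-crypt (`crypt`) layer beneath it. Both sample outputs and all device names are constructed.

```python
import json

# Constructed `lsblk --json -o NAME,TYPE,MOUNTPOINT` output; names are hypothetical.
# PV_ENCRYPTED: the layout from the post (encrypted partition -> LVM -> / and swap).
PV_ENCRYPTED = """{"blockdevices": [
 {"name": "sda", "type": "disk", "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "mountpoint": "/boot"},
  {"name": "sda2", "type": "part", "mountpoint": null, "children": [
   {"name": "cr_sda2", "type": "crypt", "mountpoint": null, "children": [
    {"name": "system-root", "type": "lvm", "mountpoint": "/"},
    {"name": "system-swap", "type": "lvm", "mountpoint": "[SWAP]"}]}]}]}]}"""

# LV_ENCRYPTED: plain PV, only the root LV wrapped in dm-crypt, swap left plain.
LV_ENCRYPTED = """{"blockdevices": [
 {"name": "sda", "type": "disk", "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "mountpoint": "/boot"},
  {"name": "sda2", "type": "part", "mountpoint": null, "children": [
   {"name": "system-root", "type": "lvm", "mountpoint": null, "children": [
    {"name": "cr_root", "type": "crypt", "mountpoint": "/"}]},
   {"name": "system-swap", "type": "lvm", "mountpoint": "[SWAP]"}]}]}]}"""


def classify(lsblk_json):
    """Map each mountpoint to True when a 'crypt' device is in its stack."""
    result = {}

    def walk(node, encrypted):
        # Once a crypt layer is seen, everything stacked on top of it is covered.
        encrypted = encrypted or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint:
            result[mountpoint] = encrypted
        for child in node.get("children", []):  # lsblk omits the key on leaves
            walk(child, encrypted)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return result


def unencrypted(lsblk_json, allowed=("/boot",)):
    """Mountpoints with no crypt layer, ignoring those expected to be plain."""
    found = classify(lsblk_json)
    return sorted(mp for mp, enc in found.items() if not enc and mp not in allowed)


if __name__ == "__main__":
    print("PV encrypted:", unencrypted(PV_ENCRYPTED))
    print("LV encrypted:", unencrypted(LV_ENCRYPTED))
```

On a real machine, replace the sample string with the output of `lsblk --json -o NAME,TYPE,MOUNTPOINT`.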