VimTsar 3 points (+3|-0)

On Linux you can encrypt everything except the /boot partition, which contains the kernel and typically the bootloader files. The good news is that you can move this partition along with the bootloader to a flash drive/SD card and carry it with you to prevent bootkit attacks.

Partitions still have LUKS (Linux encrypted) headers, which tell what kind of OS and type of encryption is used. LUKS supports storing the header externally (for example on the aforementioned external storage), but it's not supported by a lot of tools and system applications (for example systemd didn't support external headers, not sure about now) and might complicate recovery in case of problems.

Also, on OpenBSD, FDE is supported only with the bootloader needing to be readable. Proprietary OSes open too many potential holes/backdoors, so encryption against a serious adversary is futile, and against a non-serious one encryption of the user account should be enough.

Further detail for example: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
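
Added example, not part of VimTsar's comment: a small parser showing which fields an on-disk LUKS1 header exposes without any key, and that a device whose header is stored elsewhere shows no such signature. The field layout follows the LUKS1 on-disk format; the function names and both sample inputs are constructed for illustration.

```python
import hashlib
import struct

# LUKS1 partition header, big-endian: magic[6] version(u16) cipher-name[32]
# cipher-mode[32] hash-spec[32] payload-offset(u32, 512-byte sectors)
# key-bytes(u32) mk-digest[20] mk-digest-salt[32] mk-digest-iter(u32) uuid[40]
LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_FMT = ">6sH32s32s32sII20s32sI40s"
LUKS1_LEN = struct.calcsize(LUKS1_FMT)  # 208 bytes, key slots follow


def _cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def inspect_header(blob):
    """Return the metadata readable without any key, or None if there is no LUKS magic."""
    if len(blob) < 8 or blob[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack(">H", blob[6:8])[0]
    if version != 1:
        # LUKS2 shares the magic but keeps its parameters in a JSON area; not parsed here.
        return {"format": "LUKS", "version": version}
    if len(blob) < LUKS1_LEN:
        raise ValueError("truncated LUKS1 header")
    f = struct.unpack(LUKS1_FMT, blob[:LUKS1_LEN])
    return {"format": "LUKS", "version": 1, "cipher": _cstr(f[2]), "mode": _cstr(f[3]),
            "hash": _cstr(f[4]), "payload_sector": f[5], "key_bits": f[6] * 8,
            "mk_digest_iterations": f[9], "uuid": _cstr(f[10])}


def sample_inline_header():
    """Constructed LUKS1 header (all values made up) as found at sector 0 of a normal volume."""
    return struct.pack(LUKS1_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64,
                       bytes(20), bytes(32), 100000, b"00000000-0000-0000-0000-000000000000")


def sample_detached_device():
    """Constructed stand-in for a device whose header lives elsewhere: ciphertext from byte 0."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))


if __name__ == "__main__":
    print("inline header  :", inspect_header(sample_inline_header()))
    print("detached header:", inspect_header(sample_detached_device()))
```
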