Ellen Papsch writes:

> leaving /boot unencrypted allows attackers to plant malware relatively
> easily. They can mount the partition without ado and replace the kernel
> with a malicious one.

How can you do that if the root partition is encrypted?

> On a more serious note and to answer your question, unencrypted /boot
> is an option. Another is to have a key file on an external medium. This
> doesn't avoid the second wait. The long wait may be due to the --iter-time
> option to cryptsetup luksFormat. I haven't looked at what the default is
> in Guix. The Grub decryption code is also purported to be slow [no
> source].

Thanks for the hint, I'll look into it.

> For a long time I personally used root-encrypted systems and found the
> hassle not worth it. Encrypting /home and external hard drives should
> cut it. If you suspect the machine has been tampered with, don't boot,
> don't touch it. Even the hard disk firmware may have been modified.

My main motivation is that if my laptop gets stolen or lost, I don't want
anyone to access my personal data. Encrypted /home is fine for this purpose.

By the way, is it possible to use the user password to unlock the $HOME
partition?

> Don't think you are in danger of being targeted? Well, you already are!
> Your mail often gets into my spam folder because of "suspicious TLD
> .xyz". That should be very telling ;-))

Yup, this has been a hassle for a while... :(

-- 
Pierre Neidhardt
https://ambrevar.xyz/
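The compromise the thread settles on (root and /boot unencrypted, only /home on LUKS) as a Guix `operating-system` fragment; this is an added example, not configuration posted by either participant. The disk device, labels, UUID and user name are placeholders; the passphrase prompt for /home is the single remaining wait, and its length is set by the `--iter-time` chosen when that volume was created with `cryptsetup luksFormat`.

```scheme
;; Added example: Guix system declaration with unencrypted / (holding /boot)
;; and a LUKS-encrypted /home.  All device names and the UUID are placeholders.
(use-modules (gnu))
(use-service-modules desktop)

(operating-system
  (host-name "laptop")
  (timezone "Europe/Paris")
  (locale "en_US.utf8")

  ;; GRUB reads the kernel from the unencrypted root disk, so there is no
  ;; LUKS prompt in the bootloader; the kernel in /boot is not protected
  ;; against tampering, which is the trade-off Ellen describes.
  (bootloader (bootloader-configuration
                (bootloader grub-bootloader)
                (targets '("/dev/sda"))))        ; placeholder disk

  ;; Only this volume is opened with cryptsetup at boot: one passphrase
  ;; prompt, whose delay comes from the volume's --iter-time setting.
  (mapped-devices
   (list (mapped-device
          (source (uuid "00000000-0000-0000-0000-000000000000")) ; placeholder LUKS UUID
          (target "home")
          (type luks-device-mapping))))

  (file-systems
   (cons* (file-system
            (mount-point "/")
            (device (file-system-label "guix-root")) ; unencrypted root, contains /boot
            (type "ext4"))
          (file-system
            (mount-point "/home")
            (device "/dev/mapper/home")
            (type "ext4")
            (dependencies mapped-devices))       ; open the LUKS volume before mounting
          %base-file-systems))

  (users (cons (user-account
                (name "user")                    ; placeholder account
                (group "users")
                (supplementary-groups '("wheel" "audio" "video")))
               %base-user-accounts))

  (services %desktop-services))
```

The volume itself is prepared once, outside this file, with `cryptsetup luksFormat` (where `--iter-time` is chosen) and `cryptsetup open` before `mkfs`; this declaration only tells Guix to unlock and mount it at boot.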