Hi Guys, I am sorry if this question has been asked somewhere else.
I did search but could not find anything to directly relate.
I have no real linux/unix knowledge at all, so please forgive me for my lack of knowledge, and if I have misunderstood things.
I am interested in ordering a new Librem 15 laptop, but am struggling with a particular issue.
That issue is Full Disk Encryption.
As far as I have been aware, it is generally regarded that Full Disk Encryption is the way to go, if you are trying to go for the most secure setup.
I have been told that by default, the standard setup on machines shipped out, is that only the HOME partition is encrypted, which means that the ROOT and SWAP partitions etc are unencrypted, which is causing me some anxiety.
My understanding, and please correct me if I am wrong, is that if an attacker has physical access to the machine, they can read the unencrypted SWAP and ROOT partitions, and read off the filenames that I have been using and accessing on my encrypted HOME partition, as well as the file types, and file pathnames etc. So even though they cannot read the actual encrypted files on the Home partition, they can see a lot of information about those files…the filenames ,when last accessed, and the paths to the locations of the files.
If I had sensitive financial data, and the attacker was willing to torture me, I would have no plausible deniability to deny the existence of such files, as they could clearly see their existence, and so would have full incentive to force me to disclose the encryption password, to get access to the files on the encrypted Home partition.
However, if the SWAP and ROOT partitions were encrypted, then the attacker could not see any files information, and so could not prove the existence of such files.
This gives me plausible deniability, in the event of a physical attack, and so greater safety and security.
If I understand correctly, the new PureBoot setup in conjunction with the Librem Key, would enable the user to detect if any files had been changed on the unencrypted ROOT partition.
This would alert the user to a surreptitious attempt to install rogue files eg a Trojan or Virus.
However what I am thinking of, is not a surreptitious attempt to install files on the machine, but rather where the attacker has (possibly violently) assumed physical ownership of the machine and is now reading through the unencrypted partitions for clues and information.
If I understand correctly then, the PureBoot and Librem Key setup, will protect the machine from anonymous remote attacks, but the fact that the SWAP and ROOT partitions are unencrypted, gives a physical attacker a large attack surface, given that they have assumed physical control of the machine.
Am I understanding that correctly?
Or is there some facts I am missing?
I guess I am hoping that someone will tell me that the fact that the SWAP and ROOT partitions are unencrypted, does not give a physical attacker any more leverage, and that possibly they cannot in fact see the file names, paths, locations etc, given a physical hijacking of the machine. In which case, I do not need to worry about the other partitions being unencrypted.
Thanks Guys, I really really appreciate your help and any feedback and help.
It is quite possible my limited technical understanding has led me to completely misunderstanding things, and I am quite happy to be educated on where I am wrong.
Thanks again guys, and I really appreciate your help.
A Big Thanks!