Why should we encrypt the system partition and not only /home? [closed]

I am currently installing a Debian distro on a new desktop computer, and I am looking for pros/cons arguments for two ways of making the partition table (in terms of performance and security). My new computer has 16 GB of RAM and a 500 GB SSD (this should be enough for the specs).

First, I have a requirement, which is to encrypt the working files. So, my first choice would have been:

#1 800 MB EFI
#2 300 MB ext4 /boot
#3 ..all.. crypto (sda3_crypt)

LVM Encrypted (sda3_crypt)
#1 10 GB swap
#2 80 GB ext4 /
#3 ...all.. ext4 /home

We need to encrypt the swap to be sure not to leak any cryptographic data if we happen to use it. In fact, this is now enforced by the Debian installer.

But then I assumed that the system itself may be left unencrypted (I am not very happy with encryption everywhere, even on my desk...). After all, only /home is interesting.

So, the other alternative (my favorite one for now) is to leave the system unencrypted (only /home is encrypted). I guess it might add some security issues, but I could not see any yet, and I guess that it will improve efficiency. This second way of doing it should look like this:

#1 800 MB EFI
#2 80 GB ext4 /
#3 ..all.. crypto (sda3_crypt)

LVM Encrypted (sda3_crypt)
#1 10 GB swap
#2 ...all.. ext4 /home

So, did I miss something in terms of security? The adversary model is supposed to be the 'evil maid', who may be able to physically access the machine and possibly steal it while it is still switched on.

What kind of security breaches am I exposed to if I go with the second way?

Finally, I will make sure that I have set up /tmp mounted through tmpfs in RAM, to prevent any critical write to the unencrypted part of the system.

closed as primarily opinion-based by jasonwryan, DopeGhoti, andcoz, Isaac, Timothy Martin Feb 9 at 17:52

  • I reworked a bit the question... As usual, I discovered the real question I was looking for after reading the answer... Sorry for that.
    – perror
    Feb 8 at 17:54

asked Feb 8 at 16:47 by perror (edited Feb 8 at 17:48)

1 Answer

Your first approach appears to encrypt everything except /boot; your second approach encrypts only swap & home.

I suggest encrypting everything. I believe Debian can handle even /boot being encrypted nowadays (with grub prompting for a passphrase).

There are a few big advantages to encrypting everything:

Security. It's far too easy for data to accidentally leak outside of /home. You thought of /tmp; there is also /var/tmp. And, depending on the programs you use, each has its own spot in /var — e.g., you put some data in MySQL, and oops, that was /var/lib/mysql. Did you also remember mail in /var/mail and /var/spool/exim? Or the print spool in /var/spool/cups (if you use CUPS; elsewhere with other print systems)? Or /var/log can easily come to contain sensitive data. Encrypt everything and this can't happen.

Flexibility. Splitting it forces you to pick how much space to allocate to / vs. /home. If you get that wrong, with that setup, changing it will be difficult. With everything inside LVM, it's much easier to change (and with one filesystem, you aren't forced to even decide on a split).

Downside. An encrypted system is a tad bit slower, but I doubt it'll be noticeable on a PC made in the last, say, decade.

BTW: For your evil maid attacks, you need to make sure the machine is always locked when you're not there, and do things to lock down the boot sequence (e.g., firmware/BIOS password & grub password), physical tamper indicators on the case, somehow prevent hardware key loggers from being added (or keyboards being replaced), etc. That is a hard scenario to secure against.

  • Damn, I underestimated the number of logs outside /tmp... Thanks for your insight!
    – perror
    Feb 8 at 17:26

  • For example, I would bet you can find your password within a month's worth of /var/log/* 😎.
    – daniel Azuelos
    Feb 8 at 19:01

answered Feb 8 at 17:21 by derobert (edited Feb 8 at 18:01)
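
One way to check the answer's point (that data lands outside /home) against a concrete layout, as an added example that is not code from the thread: it models the question's second layout with a constructed mount table and device stack and reports which of the directories the answer names sit on unencrypted block storage. The mount table, the device stack and the set of dm-crypt devices are constructed assumptions; on a live system they would be read from /proc/self/mounts and /sys/block.

```python
# Added example (not from the thread): audit which data-bearing directories end
# up on unencrypted block storage, modelled on the question's second layout
# (plain ext4 / on sda2, LUKS sda3_crypt carrying an LVM VG with swap and /home,
# /tmp on tmpfs). Live inputs would be /proc/self/mounts, /sys/block/<dev>/slaves
# and /sys/block/dm-*/dm/uuid (dm-crypt targets' UUIDs start with "CRYPT-").
# Constructed /proc/self/mounts excerpt (source mountpoint fstype options ...).
MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /boot/efi vfat rw,relatime 0 0
/dev/mapper/vg-home /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""
# Constructed device stack, child -> parents (what /sys/block/<dev>/slaves lists).
STACK = {
    "/dev/mapper/vg-home": ["/dev/mapper/sda3_crypt"],
    "/dev/mapper/vg-swap": ["/dev/mapper/sda3_crypt"],
    "/dev/mapper/sda3_crypt": ["/dev/sda3"],
}
# Constructed set of dm-crypt targets (dm UUID starting with "CRYPT-").
CRYPT_DEVICES = {"/dev/mapper/sda3_crypt"}
# Locations the accepted answer names as places data leaks outside /home.
SENSITIVE_DIRS = ["/home", "/tmp", "/var/tmp", "/var/lib/mysql", "/var/mail",
                  "/var/spool/exim", "/var/spool/cups", "/var/log"]

def parse_mounts(text):
    """Return (mountpoint, source, fstype) tuples from /proc/mounts-style text."""
    rows = [line.split() for line in text.splitlines()]
    return [(p[1], p[0], p[2]) for p in rows if len(p) >= 3]

def mount_for(path, mounts):
    """Longest-prefix mount point match, the rule `findmnt -T PATH` applies."""
    best = None
    for mp, src, fs in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, src, fs)
    return best

def is_encrypted(device, stack, crypt):
    """True if the device, or anything beneath it in the dm stack, is dm-crypt."""
    seen, todo = set(), [device]
    while todo:
        dev = todo.pop()
        if dev in crypt:
            return True
        if dev not in seen:
            seen.add(dev)
            todo.extend(stack.get(dev, []))
    return False

def classify(path, mounts, stack, crypt):
    """'ram' for tmpfs, 'encrypted' when dm-crypt backs the mount, else 'PLAINTEXT'."""
    _, src, fs = mount_for(path, mounts)
    if fs in ("tmpfs", "ramfs"):
        return "ram"
    return "encrypted" if is_encrypted(src, stack, crypt) else "PLAINTEXT"

def audit(dirs, mounts_text=MOUNTS, stack=STACK, crypt=CRYPT_DEVICES):
    """Map each directory to its storage class; PLAINTEXT entries are the leaks."""
    mounts = parse_mounts(mounts_text)
    return {d: classify(d, mounts, stack, crypt) for d in dirs}

if __name__ == "__main__":
    for d, state in audit(SENSITIVE_DIRS).items():
        print(f"{state:10} {d}")
```

With the "only /home encrypted" layout every /var location the answer lists comes back PLAINTEXT, while a layout whose root LV also sits on sda3_crypt reports everything as encrypted.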