On 5/7/25 12:39 PM, Anna wrote:
> Hi! I'm not satisfied with my partition layout, so I'm considering
> changing it. It currently looks like this (/dev/sda and /dev/sdc are
> SSDs, /dev/sdb is HDD):
> 
> $ lsblk -A -o NAME,MODEL,SIZE,FSUSED,MOUNTPOINT,FSTYPE
> NAME   MODEL                       SIZE FSUSED MOUNTPOINT   FSTYPE
> sda    Samsung SSD 850 120GB     111,8G
> ├─sda1                             128M    36M /boot        vfat
> ├─sda2                              45G  40,1G /            ext4
> └─sda3                            66,7G  50,5G /home        xfs
> sdb    SAMSUNG HM321HI           298,1G
> └─sdb1                           298,1G  13,1G /mnt/storage ext4
> sdc    Micron_1100_MTFDDAK256TBN 238,5G                      promise_fasttrack_raid_member
> ├─sdc1                            39,1G  27,3G /var         xfs
> └─sdc2                           199,4G 144,5G /home/cyber  xfs
> 
> It's currently full of ugly workarounds: at least 20G belong in /var
> rather than /home.
> 
> My wishes for the new layout are:
> 
> * Encrypted /home partition. The rest of the system should stay
>   unencrypted so it could be restarted by someone else without my
>   intervention.
> 
>   Though if /home is not decrypted right after reboot, it will lead to
>   failed mail delivery to maildirs, until I decrypt it.
> 
> * Flexibility. I don't want to face this ugly situation again.
> 
>   If I had only one disk, I'd just make one big root partition. But
>   there are two SSDs, and I could need more than the smallest (111,8G)
>   disk allows to fit. I could combine them into a single logical
>   partition using LVM.
> 
>   If I decide to proceed with LVM, XFS will be a bad choice because it
>   cannot be shrunk. So I'll need a different filesystem, like ext4,
>   Btrfs or maybe even ZFS?
> 
> Booting without initramfs will not be possible anymore, so I'll likely
> need more disk space (how much?) for /boot, which cannot be a logical
> partition if I wish to continue using EFI stub kernels.


Grub supports LVM, and also supports xfs/btrfs/ext4.

So in theory you can have a 2 MB EFI partition -- hugely overkill as
grubx64.efi is only about 200 KB but best to stay on the safe side to
give room for future growth.

That will then mount your / partition and read the kernel from the /boot
directory.

I do this with grub + btrfs, I do not use LVM so can't speak from
experience there.

My EFI partition is fat12 due to fat32's minimum filesystem size. The
UEFI specification says that fat12 has to be supported ("for removable
media" -- weird distinction) and I've never had an issue with it but I
can't make promises about every UEFI implementation's spec conformance.


Avoid zfs due to the data corruption bugs. Portage in particular tends
to stress-test filesystems and regularly uncovers zfs bugs that result
in broken packages.


> And the last question: is there point in Secure Boot without FDE?


Secure Boot can prevent unauthorized code running at boot. It doesn't
protect against thieves removing the drive and mounting it as an
external drive on their own system, then doing anything they want with
it, including exfiltrating data or modifying /bin/bash with malware.

If your threat model is not concerned with physical attackers, or not
concerned with physical attackers bringing their own hardware, then it is
possible that Secure Boot does something to protect against what you're
worried about -- you'll have to answer that yourself.


-- 
Eli Schwartz
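
Why a 2 MB EFI partition ends up as FAT12, as an added example that is not part of the message above: the FAT variant is decided solely by the data-cluster count derived from the boot sector (thresholds from Microsoft's FAT specification), so the script classifies two constructed boot sectors. The helper names and both sample geometries are assumptions made for illustration.

```python
import struct

# Thresholds from Microsoft's FAT specification: the variant depends only
# on the number of data clusters.
FAT12_MAX_CLUSTERS = 4085    # fewer than this -> FAT12
FAT16_MAX_CLUSTERS = 65525   # fewer than this -> FAT16, otherwise FAT32


def build_boot_sector(total_sectors, sec_per_clus, reserved, root_entries,
                      fat_sectors, bytes_per_sec=512, num_fats=2):
    """Constructed sample input: a boot sector with only the BPB filled in."""
    sector = bytearray(bytes_per_sec)
    small = total_sectors < 0x10000      # fits the 16-bit total-sectors field
    fat32 = root_entries == 0            # FAT32 has no fixed root directory
    struct.pack_into("<HBHBHHBH", sector, 11, bytes_per_sec, sec_per_clus,
                     reserved, num_fats, root_entries,
                     total_sectors if small else 0, 0xF8,
                     0 if fat32 else fat_sectors)
    struct.pack_into("<I", sector, 32, 0 if small else total_sectors)
    if fat32:
        struct.pack_into("<I", sector, 36, fat_sectors)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def classify_fat(sector):
    """Return (variant, cluster_count) computed from the BPB fields."""
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    (bps, spc, reserved, num_fats, root_entries,
     tot16, _media, fatsz16) = struct.unpack_from("<HBHBHHBH", sector, 11)
    tot32, fatsz32 = struct.unpack_from("<II", sector, 32)
    if bps == 0 or spc == 0:
        raise ValueError("invalid BPB geometry")
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps
    overhead = reserved + num_fats * (fatsz16 or fatsz32) + root_dir_sectors
    clusters = ((tot16 or tot32) - overhead) // spc
    if clusters < FAT12_MAX_CLUSTERS:
        return "FAT12", clusters
    return ("FAT16" if clusters < FAT16_MAX_CLUSTERS else "FAT32"), clusters


def min_fat32_data_bytes(bytes_per_sec=512, sec_per_clus=1):
    """Smallest data area that still reaches the FAT32 cluster count."""
    return FAT16_MAX_CLUSTERS * sec_per_clus * bytes_per_sec


ESP_2MB = build_boot_sector(4096, 4, 1, 512, 3)        # constructed 2 MiB volume
VOL_100MB = build_boot_sector(204800, 1, 32, 0, 1576)  # constructed 100 MiB volume

if __name__ == "__main__":
    print(classify_fat(ESP_2MB), classify_fat(VOL_100MB), min_fat32_data_bytes())
```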
