Mine is (to me) complicated, and takes a lot of time.
Ideally, I want to automate as much as I can to make it simpler at least.

I choose full disk encryption (I don't know if swap is covered, so I might need dmdecrypt or something. Yet another thing to check), because other partial encryptions are just that, partial. Might as well not bother with those. This in itself is long and complicated. I need an additional unencrypted /boot folder, and make GRUB point at it. For the rest, I use Libreboot's guide (which includes swap, so I shouldn't need dm-decrypt in theory). I also need to not make a root user, create a username+passphrase, an encryption passphrase, and maybe I forget one.

Then I choose to encrypt /boot, because either I encrypt everything, or I don't. I want to try this, but that's another set of complex manipulations: http://dustymabe.com/2015/07/06/encrypting-more-boot-joins-the-party/

But that would be fine without taking backups into account, like here and here (rather hard to understand):
http://linuxgazette.net/140/kapil.html
https://debian-administration.org/article/692/Look_before_you_leap_into_Disk_Encryption

Then I might want to update the kernel, which seems straightforward. But that's yet another step. Not vital, but not too long.

The more extreme aspect would be to compile one with grsecurity.
The less complicated aspect would be to set up AppArmor and Firejail for every app.

I could try an additional bit for not having to type the decryption passphrase twice (again, not easy even to understand): http://www.pavelkogan.com/2015/01/25/linux-mint-encryption/

And then there is the easier/fun part about installing software, which might need a couple of tweaks.

Maybe after a month I can finish my install...

Otherwise I can neither encrypt nor back up anything and live dangerously, but have my system running in half an hour.

I might want to set up a VM, just to run a browser with JavaScript when needed (maybe Firejail/AppArmor is enough for this).

So grsecurity aside, full disk encryption including /boot+backups seems essential to me, yet very hard and long to do.

How do you do it (if you do it), and is there another way (scripts maybe)?


It's really a lot of hard work and time, but maybe I'm doing something wrong.
