howto: ? Q: new Debian bookworm full disk encryption install?

Ask for help with issues regarding the Installations of the Debian O/S.
hanasaki
Posts: 54
Joined: 2013-09-10 22:34

howto: ? Q: new Debian bookworm full disk encryption install?

#1 Post by hanasaki »

I would appreciate your help on the installation of a new KDE system with full disk encryption.
Including:
  • How to get full disk encryption. What I have found indicates the /boot partition is not encrypted when installing from Debian live ISO boot. My plan is to have a boot partition and a root partition instead (not boot as a subdir in a single / partition mount).
  • What encryption selections are more / less secure and just how "secure" they are
  • How to change / update the disk encryption password
  • How to do recovery on systems that have full disk encryption
Thank you all for your help in advance.

Uptorn
Posts: 391
Joined: 2022-01-22 01:07
Has thanked: 305 times
Been thanked: 103 times

Re: howto: ? Q: new Debian bookworm full disk encryption install?

#2 Post by Uptorn »

The disk partitioning option "Setup encrypted volume with LUKS" is the most complete option at the moment.

Yes, it leaves /boot unencrypted, but IIRC grub is not yet compatible with LUKS2.

The next best thing you can do for now is
  • Set up a grub passphrase with grub-mkpasswd-pbkdf2
  • Hide the grub splash screen with GRUB_HIDDEN_TIMEOUT parameter settings
  • Monitor changes to the boot partition with tools like tiger or tripwire
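The three hardening steps above, as an added example that is not part of Uptorn's post: a small POSIX shell script that records a SHA-256 baseline of /boot and reports any changed, added or removed file (the idea that tiger or tripwire implement far more thoroughly), plus a helper that prints the GRUB superuser stanza for /etc/grub.d/40_custom. It assumes GNU coreutils and diff are present; the PBKDF2 hash passed to the stanza is the output of grub-mkpasswd-pbkdf2 and is not generated here. The file name /var/lib/boot-manifest.sha256 in the usage comments is a placeholder.

```shell
#!/bin/sh
# Added example (not from the forum thread): a /boot integrity baseline in the
# spirit of tiger/tripwire, plus the GRUB superuser stanza. Assumes GNU coreutils
# (sha256sum, sort -z, xargs -0 -r) and diff. Run the manifest functions as root
# against the real /boot; the hash for the GRUB stanza must come from
# grub-mkpasswd-pbkdf2 and is pasted in by the admin.

# Record a SHA-256 manifest of every file under DIR, with paths relative to DIR,
# so the manifest does not depend on where the partition happens to be mounted.
boot_manifest_create() {
    local dir=$1 manifest=$2
    (cd "$dir" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum) > "$manifest"
}

# Re-hash DIR and diff against the stored manifest. A full diff, unlike
# `sha256sum -c`, also catches files that were added to or removed from /boot.
# Returns 0 when nothing changed, 1 otherwise; the diff output names the files.
boot_manifest_verify() {
    local dir=$1 manifest=$2 current status
    current=$(mktemp) || return 2
    boot_manifest_create "$dir" "$current"
    if diff -u "$manifest" "$current"; then status=0; else status=1; fi
    rm -f "$current"
    return "$status"
}

# Print the /etc/grub.d/40_custom stanza that makes USER a GRUB superuser with the
# PBKDF2 hash produced by grub-mkpasswd-pbkdf2. Once "superusers" is set, every
# menu entry prompts for the passphrase unless it carries --unrestricted, so the
# usual practice is to mark the normal boot entry --unrestricted and leave the
# edit ("e") and command-line ("c") functions protected. Run update-grub after
# appending the stanza.
grub_superuser_stanza() {
    local user=$1 hash=$2
    printf 'set superusers="%s"\npassword_pbkdf2 %s %s\n' "$user" "$user" "$hash"
}

# Command-line use (as root; the manifest path is a placeholder):
#   boot-check.sh baseline /var/lib/boot-manifest.sha256   # after each kernel/grub update
#   boot-check.sh verify   /var/lib/boot-manifest.sha256   # from cron, or at each login
#   boot-check.sh grub-stanza root 'grub.pbkdf2.sha512.10000....' >> /etc/grub.d/40_custom
case "${1:-}" in
    baseline)    boot_manifest_create /boot "$2" ;;
    verify)      boot_manifest_verify /boot "$2" ;;
    grub-stanza) grub_superuser_stanza "$2" "$3" ;;
esac
```

Keep the manifest somewhere the unencrypted /boot cannot reach (the encrypted root, or a removable device), otherwise whoever can alter /boot can alter the baseline too.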

hanasaki
Posts: 54
Joined: 2013-09-10 22:34

Re: howto: ? Q: new Debian bookworm full disk encryption install?

#3 Post by hanasaki »

  • Grub and LUKS2 fail to work together. I found references to rolling back to LUKS1 and using that with Grub to encrypt /boot. Not sure what that does to the size, or hardness of the attack surface. It still leaves the EFI fat32 partition unencrypted. So how vulnerable is this setup?
  • I recall a several-years-old option of Debian live that allowed the admin to choose what type of encryption algorithm LUKS would employ. The system I just set up picked all these finer details for me without an option to choose them myself. I would like to be able to choose them myself or at least transform the created system into one using other options.
  • Alternatively to using the Debian support for LUKSv2, how secure and robust is the ext4 and btrfs built-in encryption? How well integrated with GNOME, KDE, Cinnamon, Xfce?

pbear
Posts: 509
Joined: 2023-08-27 15:05
Location: San Francisco
Has thanked: 2 times
Been thanked: 81 times

Re: howto: ? Q: new Debian bookworm full disk encryption install?

#4 Post by pbear »

hanasaki wrote: 2024-04-26 04:16
    How to get full disk encryption.
There's a simple answer to this now. Download the Live ISO and use the Calamares installer. Its default FDE encryption leaves /boot on the encrypted system partition and handles Grub setup for you. IOW, no more boot-partition-in-the-clear, exposed to tampering. Take that, Evil Maid! Power users can do the same thing manually (more options), but I've never tried.

hanasaki wrote:
    What encryption selections are more / less secure and just how "secure" they are
Secure against what? Bear in mind, encryption does nothing once the system is booted. Who or what are you worried about accessing the machine when shut down?

hanasaki wrote:
    How to change / update the disk encryption password
Please do an internet search, e.g., luks change password. Would be much faster than my typing it up for you.

hanasaki wrote:
    How to do recovery on systems that have full disk encryption
Recover from what? Makes a difference, btw, whether LVM (logical volume management) is in the mix. Standard installer uses it, Calamares does not. Anyhoo, broadly speaking, you decrypt the system partition from a live session, mount /dev/mapper file systems, set up a chroot, and effect the repair there. I strongly recommend practicing in a test box (VM or full install USB drive) before encrypting your daily driver.

Caveat: I've dabbled in system encryption out of curiosity and set up several test boxes with it. Don't use on my main system and don't recommend. Repairing an encrypted system is complicated and requires first rate CLI skills. Encrypting data is another matter. That's often appropriate, though best reserved (imho) for files which actually need it.
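The recovery sequence pbear sketches (unlock the system partition from a live session, mount the /dev/mapper file systems, set up a chroot), as an added example and not anything from the post: one shell function that prints the commands with DRY_RUN=1 (the default), so they can be rehearsed on the test box pbear recommends, and executes them as root with DRY_RUN=0. The device names, the mapper name and the volume-group name are placeholders; LVM_VG is set only for the standard installer's LVM-inside-LUKS layout, and the EFI system partition is mounted because grub-install and update-grub need it.

```shell
#!/bin/sh
# Added example (not pbear's own procedure): the live-session recovery steps for a
# LUKS-encrypted Debian root, written as one function. DRY_RUN=1 (default) prints
# the commands; DRY_RUN=0 runs them, which needs root plus the cryptsetup and lvm2
# packages in the live session. All device names here are placeholders.

# Print the command under DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# usage: recover_encrypted_root LUKS_DEV MAPNAME ROOT_DEV [BOOT_DEV] [ESP_DEV]
#   LUKS_DEV : the encrypted partition (e.g. /dev/sdX3)
#   MAPNAME  : name for the unlocked device; it appears as /dev/mapper/MAPNAME
#   ROOT_DEV : /dev/mapper/MAPNAME for a plain LUKS root (Calamares layout), or
#              /dev/mapper/VG-root when LVM sits inside LUKS (standard installer);
#              in that case set LVM_VG=VG so the volumes get activated first
#   BOOT_DEV : separate, unencrypted /boot partition, if the install has one
#   ESP_DEV  : EFI system partition, mounted so grub-install/update-grub work
recover_encrypted_root() {
    local luks_dev=$1 mapname=$2 root_dev=$3 boot_dev=${4:-} esp_dev=${5:-} fs
    # cryptsetup prompts for the LUKS passphrase on the terminal
    run cryptsetup open "$luks_dev" "$mapname"
    if [ -n "${LVM_VG:-}" ]; then run vgchange -ay "$LVM_VG"; fi
    run mount "$root_dev" /mnt
    if [ -n "$boot_dev" ]; then run mount "$boot_dev" /mnt/boot; fi
    if [ -n "$esp_dev" ]; then run mount "$esp_dev" /mnt/boot/efi; fi
    # Bind the live system's device, pty, process and sysfs trees so that tools
    # inside the chroot (update-initramfs, update-grub, grub-install) see hardware.
    for fs in dev dev/pts proc sys; do run mount --bind "/$fs" "/mnt/$fs"; done
    # The repair happens in this shell; exit it, then call release_encrypted_root.
    run chroot /mnt /bin/bash
}

# Teardown: unmount /mnt and everything beneath it, deactivate LVM, lock LUKS.
release_encrypted_root() {
    local mapname=$1
    run umount -R /mnt
    if [ -n "${LVM_VG:-}" ]; then run vgchange -an "$LVM_VG"; fi
    run cryptsetup close "$mapname"
}

# Example invocations (placeholders; with DRY_RUN=1 they only list the steps):
#   recover_encrypted_root /dev/sdX3 cryptroot /dev/mapper/cryptroot "" /dev/sdX1
#   LVM_VG=debian-vg recover_encrypted_root /dev/sdX3 sdX3_crypt \
#       /dev/mapper/debian--vg-root /dev/sdX2 /dev/sdX1
#   release_encrypted_root cryptroot
```

Run it first with DRY_RUN=1 and compare the printed list against `lsblk -f` in the live session; the mapper name for an LVM root uses device-mapper's doubled hyphen (debian--vg-root for a volume group called debian-vg).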
