For my thief threat model, I just have the computer in an unassuming black Node304 in a utility room on a shelf lol. Security through obscurity is often as good for a smash and grab threat. They go for visually high value items.
Entire boot partition with main drive keys on a removable hard drive with security keys for the data drives in an encrypted password manager. No way a theif is getting that data, even if I accidentally leave the boot drive in there out of laziness. That means that I am comfortable storing personal documents there also.
It is indeed more of a hassle to reboot. USB plugged in -> decrypt and setup zpools script -> docker service restart. Specifically upgrading the kernel also because with the boot partition removed, all of the hooks don’t get processed. However, this also protests against the copyright gangster smash and grabs as a bonus. Probably an extreme edge case as that doesn’t happen anymore here in Belgium, but it was interesting to set up.
For my thief threat model, I just have the computer in an unassuming black Node304 in a utility room on a shelf lol. Security through obscurity is often as good for a smash and grab threat. They go for visually high value items.
Entire boot partition with main drive keys on a removable hard drive with security keys for the data drives in an encrypted password manager. No way a theif is getting that data, even if I accidentally leave the boot drive in there out of laziness. That means that I am comfortable storing personal documents there also.
It is indeed more of a hassle to reboot. USB plugged in -> decrypt and setup zpools script -> docker service restart. Specifically upgrading the kernel also because with the boot partition removed, all of the hooks don’t get processed. However, this also protests against the copyright gangster smash and grabs as a bonus. Probably an extreme edge case as that doesn’t happen anymore here in Belgium, but it was interesting to set up.