by mxvzr 3296 days ago
Encrypting the home directory ensures the privacy of your data should someone get his hands on your machine. Under the same scenario, full disk encryption would also give you the guarantee the system hasn't been tampered with.

That's profoundly incorrect: full disk encryption provides no guarantees that your system has not been tampered with. I don't see how that would even be possible.
If the machine is turned off and only the home directory is encrypted, I am at liberty to patch the kernel or binaries, update your package manager or DNS settings, or anything in between really. I can do none of that with FDE (assuming I don't already know the key of course).

What am I missing here?

Once "they" have your machine you have to assume it is compromised. If they have the ability to install kernel patches or custom binaries, they most certainly have the ability to install monitoring hardware and/or modify your BIOS. That is, no matter what you encrypt, your machine is compromised and your only recourse is to recover the encrypted data and move on to a new system. Here "they" is someone who would take your machine, modify it, and get it back to you maybe without your knowing.

If you are just concerned with identity thieves and basic asset protection then as long as that stuff is encrypted you are fine, whether that is whole system, home directory, ~/Private directory, or just those specific files.

It can't be turtles all the way down. If you encrypt /, then you're still not encrypting the kernel and I win. If you encrypt the kernel, then you're still not encrypting GRUB and I win.

There's no way to prevent anyone from tampering with your system, or even to make any tampering evident. The best you can do is a cost-benefit analysis and risk analysis of the different options.