[OJFord]

> Everyone should be using full disk encryption

Should they? Regardless of threat model? It's point and click easy on macOS (and probably Windows) so sure why not, but a bit more involved on Linux. I think encrypt a directory (ies) that actually warrants protecting is enough for most people, where the threat is casual even opportunistic theft rather than an organised, targeted attack.

[snazz]

I can't recommend directory-level encryption when full-disk encryption is so easy these days. It's a few clicks in the Fedora installer or a few commands with Arch Linux. It comes out of the box on new MacBooks and most new Windows laptops (although the more secure BitLocker option requires Windows 10 Pro).

Directory-level encryption is harder to set up and use—it requires typing your passphrase more often and makes you choose third-party software instead of using the features built into your operating system. Plus, lots of important files, like your browser's autofill information and other files that aren't considered "critical", are left wide open.

Encrypting your home directory is better than encrypting the "TOP SECRET" directory, but it's still just as hard as setting up full-disk encryption while being less effective.

[OJFord]

In my opinion, it's way harder (and riskier - screw it up and you can't boot, vs. login as a different user and fix it in the case of critical dir, or same user and fix it if not). The Arch Wiki pages are far longer and more off-putting than running whatever you want post-boot in PAM or even ad hoc or from systemd/.profile if it isn't home dir.

And what's the difference in what you're protecting that affects the average user? Why stop at FDE - they should be worried about cold-boot attacks too right!?

[0xdeadb00f]

> I think encrypt a directory (ies) that actually warrants protecting

My first thought as an adversary would be "Hey! This looks out of place! this guy must really want to protect whatever this is".

[kadoban]

Depends on the distro, but it's trivial in ubuntu-based and no harder than the rest of basic setup in arch (the only two I have recent experiece with). I'd argue that any distro where it isn't easy is a good reason to start looking elsewhere, absent any specific conflicting requirements.

Not sure it matters if it's full-disk vs just home directory, but full disk is easier to reason about and I don't recall an OS that can do homedir easily but not full-disk (there very well could be one, just none come to mind).

[pinusc]

It can range from trivial to impossible. Full disk encryption does not play well with hybernation on laptops, for example. There is also very limited support for hardware encrypted ssd... And even though it can potentially be a few arch commands away, you need to do a lot of reading to understand what you're doing and make informed choices about your setup. Which is hard.

[baobabKoodaa]

You're right.