Meaning of /boot Partition Unencrypted

I ordered my Librem 14 and am familiarizing myself with the documentation before I get it. I spoke to support at Purism and they advised me that in order to install Qubes properly I must do the following during Qubes initial setup.

During Qubes OS installation make sure to leave /boot partition unencrypted.

This is how PureBoot works: it verifies that the boot files are intact/unchanged. If the boot partition were also encrypted, PureBoot would not be needed. The problem is that there is no easy way to set up complete disk encryption (including the boot partition); we could not have a pre-installed system in that case.

I am confused and I thought I would talk to the Qubes community about this. Does this mean my disk contents on Qubes (files, notes, etc.) would be unencrypted or does this only apply to the boot files?

On /boot will be stored only the files that are needed for the system to boot.
So … only these files should not be encrypted. Anything else can be encrypted [that means your files, notes, etc.].


So let’s say I am installing Qubes on the Librem 14 and going through the personalization menus (time zone, language, installation destination, etc.) and I reach the disk encryption section where I enter the password for LUKS disk encryption, should I proceed with disk encryption? Encrypting the disk with FDE and LUKS will not affect the boot files? Am I thinking correctly here?

I am referencing the part of the installation documentation mentioned below…

Did you know? Qubes OS uses full-disk AES encryption (FDE) via LUKS by default.

As soon as you press Done, the installer will ask you to enter a passphrase for disk encryption. The passphrase should be complex. Make sure that your keyboard layout reflects what keyboard you are actually using. When you're finished, press Done.

Thanks for the help

No, it will not affect the /boot partition. You can go with LUKS encryption without any fear.
After installation, you'll need to enter the LUKS password to decrypt anything, but if you want to play and check that … you can boot via USB and check the disk to see that it is actually encrypted [without the /boot partition, of course].

(updated the title for clarity)
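The "boot via USB and check the disk" verification suggested above, written out as an added example script (this is not code from the thread, Qubes OS or Purism). It classifies the partitions of the Qubes disk from `lsblk` output and then reads the raw header of every partition reported as `crypto_LUKS` to confirm it really starts with the LUKS magic bytes, which is the same signature `cryptsetup isLuks` checks. Assumptions that are not in the thread: the Qubes disk is `/dev/nvme0n1`, `/boot` is its second partition (`nvme0n1p2`), and a `vfat` partition is the EFI system partition, which holds no user data and is therefore reported as plain by design. The verdict is the one the thread describes: `/boot` must be a plain filesystem and every other formatted partition must be a LUKS container.

```sh
#!/bin/sh
# Added example for this thread, not code from Qubes OS or Purism: verify from
# a live USB that the installed layout is "plain /boot, LUKS everywhere else".
# Assumptions (not in the thread): the Qubes disk is /dev/nvme0n1, /boot is its
# second partition, and a vfat partition is the EFI system partition, which
# holds no user data and is reported as plain by design.

# Both LUKS1 and LUKS2 headers start with the 6-byte magic "LUKS" 0xba 0xbe.
LUKS_MAGIC="4c 55 4b 53 ba be"

# Return 0 if the device (or image file) starts with the LUKS header magic.
# Same signature `cryptsetup isLuks` looks for, without needing cryptsetup on
# the live image.
is_luks_header() {
    magic=$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 |
            tr -s ' ' | sed 's/^ //; s/ $//')
    [ "$magic" = "$LUKS_MAGIC" ]
}

# Read `lsblk -rno NAME,TYPE,FSTYPE` output on stdin and print one verdict per
# real partition (TYPE=part). Children of an opened LUKS container (TYPE crypt
# or lvm) live inside the encrypted volume and are skipped. $1 names the
# partition that holds /boot. Returns 1 if /boot is LUKS or any other
# formatted partition is not LUKS.
check_layout() {
    bootpart=$1
    rc=0
    while read -r name type fstype; do
        [ "$type" = "part" ] || continue
        case "$fstype" in
            "")   echo "$name: unformatted, skipped" ;;
            vfat) echo "$name: EFI system partition (plain by design)" ;;
            *)
                if [ "$name" = "$bootpart" ]; then
                    if [ "$fstype" = "crypto_LUKS" ]; then
                        echo "$name: /boot is LUKS, PureBoot cannot read it"; rc=1
                    else
                        echo "$name: /boot is plain $fstype (ok)"
                    fi
                elif [ "$fstype" = "crypto_LUKS" ]; then
                    echo "$name: LUKS container (ok)"
                else
                    echo "$name: UNENCRYPTED $fstype"; rc=1
                fi ;;
        esac
    done
    return "$rc"
}

# Live check: classify partitions from lsblk, then confirm the header magic on
# every crypto_LUKS partition directly from the raw device.
check_disk() {
    disk=$1; bootpart=$2
    lsblk -rno NAME,TYPE,FSTYPE "$disk" | check_layout "$bootpart" || return 1
    lsblk -rno NAME,TYPE,FSTYPE "$disk" | while read -r name type fstype; do
        [ "$type" = "part" ] && [ "$fstype" = "crypto_LUKS" ] || continue
        is_luks_header "/dev/$name" || { echo "/dev/$name: no LUKS magic"; exit 1; }
    done
}

# Usage from a live USB (run as root):  sh check_layout.sh /dev/nvme0n1 nvme0n1p2
if [ $# -ge 2 ]; then
    check_disk "$1" "$2"
fi
```

Run it from the live USB before unlocking anything: with the LUKS volume still closed, `lsblk` shows only the raw partitions, so a non-LUKS filesystem type on anything other than `/boot` (or the EFI partition) means that data is sitting on the disk in clear. The header-magic step catches the case where `lsblk` has no `FSTYPE` information for a partition but the partition is nonetheless a LUKS container.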