So, I realized that every guide online fully encrypts the drive a bit differently.
https://wiki.gentoo.org/wiki/Full_Disk_Encryption_From_Scratch
https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system
https://wiki.artixlinux.org/Main/InstallationWithFullDiskEncryption
https://archive.li/fuvky
Gentoo's guide has the following partition layout:
/dev/sda
├── /dev/sda1 [EFI] /efi 1 GB fat32 Bootloader
└── /dev/sda2 [BOOTX] /boot 1 GB ext4 Bootloader support files, kernel and initramfs
/dev/nvme0n1
└── /dev/nvme0n1p1 [ROOT] (root) ->END luks Encrypted root device, mapped to the name 'root'
└── /dev/mapper/root / ->END btrfs root filesystem
/home subvolume Subvolume created for the home directory
/var subvolume Subvolume created for the var directory
/etc subvolume Subvolume created for the etc directory
EFI and boot directories on a separate drive, unencrypted. No LVM.
Arch lists a bunch of ways; LVM on LUKS (https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS), for example, seems to leave /boot unencrypted with the kernel and initramfs.
+-----------------------------------------------------------------------+ +----------------+
| Logical volume 1 | Logical volume 2 | Logical volume 3 | | Boot partition |
| | | | | |
| [SWAP] | / | /home | | /boot |
| | | | | |
| /dev/MyVolGroup/swap | /dev/MyVolGroup/root | /dev/MyVolGroup/home | | |
|_ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _| | (may be on |
| | | other device) |
| LUKS encrypted partition | | |
| /dev/sda1 | | /dev/sdb1 |
+-----------------------------------------------------------------------+ +----------------+
or the encrypted boot partition example from the Arch wiki (https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_(GRUB))
+---------------------+----------------------+----------------------+----------------------+----------------------+
| BIOS boot partition | EFI system partition | Logical volume 1 | Logical volume 2 | Logical volume 3 |
| | | | | |
| | /efi | / | [SWAP] | /home |
| | | | | |
| | | /dev/MyVolGroup/root | /dev/MyVolGroup/swap | /dev/MyVolGroup/home |
| /dev/sda1 | /dev/sda2 |----------------------+----------------------+----------------------+
| unencrypted | unencrypted | /dev/sda3 encrypted using LVM on LUKS |
+---------------------+----------------------+--------------------------------------------------------------------+
which seems to be the same as the one from https://archive.li/fuvky (can't insert the picture; in this example the EFI partition is mounted at /boot/efi, thus /boot is encrypted with the kernel and initramfs, but the bootloader GRUB is unencrypted, as I understand it at least, because the partition is mounted at /boot/efi).
Now, the Artix guide (https://wiki.artixlinux.org/Main/InstallationWithFullDiskEncryption) confused me.
/dev/sdX - physical disk with MBR partition table
/dev/sdX1 - encrypted with LUKS (Linux Unified Key Setup) and partitioned into a LVM (Logical Volume Manager) container
|---> Logical volume 1 - /dev/mapper/lvm-volBoot - /boot encrypted partition of 1 GB size
|---> Logical volume 2 - /dev/mapper/lvm-volSwap - swap partition, the size of which is >= size of your RAM (i.e. 16 GB)
|---> Logical volume 3 - /dev/mapper/lvm-volRoot - / root partition, which gets 100% of remaining free space
MBR, which is the reason there is no /efi directory, but how the hell is it booting if /boot is encrypted with GRUB included?
From my current point of view, the best FDE for UEFI would be https://archive.li/fuvky, GPG-encrypting the keys as described here (https://wiki.gentoo.org/wiki/Full_Disk_Encryption_From_Scratch#Basic_key_file_creation) and password-protecting GRUB?
Then again, LUKS2 won't be possible because of the problems when using GRUB2 with it, right?
Also found this: https://wiki.archlinux.org/title/GRUB#LUKS2. Not sure if it's a good idea to use it.
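An added example for the LUKS2/GRUB question above; it is not part of the post or of any of the linked wikis. The practical constraint behind the Arch wiki's GRUB#LUKS2 section is that GRUB's cryptodisk module (upstream 2.06 and later) can read a LUKS2 header, but it can only derive the volume key from keyslots that use PBKDF2; cryptsetup's LUKS2 default is Argon2id, so a freshly created LUKS2 volume fails in GRUB until at least one keyslot is converted, while LUKS1 (PBKDF2 only) always works. The POSIX shell function below reads `cryptsetup luksDump` output and reports, per keyslot, whether GRUB could unlock it. The `luksDump` excerpts are constructed and abbreviated, not captured from a real device, and `/dev/sda3` is a placeholder for the encrypted partition.

```shell
#!/bin/sh
# Added example, not from the post or the linked wikis.
# Checks whether a LUKS header is unlockable by GRUB's cryptodisk module:
# GRUB (upstream 2.06+) supports LUKS2 only with PBKDF2 keyslots; Argon2i and
# Argon2id slots (the cryptsetup default for LUKS2) cannot be opened by it.
#
# Real use (as root; /dev/sda3 is a placeholder):
#   cryptsetup luksDump /dev/sda3 | grub_can_unlock
# If it fails, convert the slot whose passphrase GRUB will ask for:
#   cryptsetup luksConvertKey --pbkdf pbkdf2 /dev/sda3
# and set GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub before grub-install.

# Reads luksDump output on stdin, prints one line per keyslot,
# returns 0 only if GRUB could unlock at least one keyslot.
grub_can_unlock() {
    awk '
        BEGIN { maxslot = -1 }
        /^Version:/ { version = $2 }
        /^Keyslots:/ { inslots = 1; next }                 # start of the keyslot list
        /^Tokens:/ || /^Digests:/ { inslots = 0 }          # "Digests" also say pbkdf2; ignore
        inslots && /^  [0-9]+: luks2/ {                    # "  0: luks2" opens a keyslot
            slot = $1; sub(":", "", slot)
            if (slot + 0 > maxslot) maxslot = slot + 0
        }
        inslots && $1 == "PBKDF:" { pbkdf[slot] = $2 }    # argon2id, argon2i or pbkdf2
        END {
            ok = 0
            if (version == "1") { print "LUKS1 header: GRUB can unlock (PBKDF2 only)"; ok = 1 }
            for (s = 0; s <= maxslot; s++) {
                if (!(s in pbkdf)) continue
                if (pbkdf[s] == "pbkdf2") { print "slot " s ": pbkdf2 (GRUB ok)"; ok = 1 }
                else print "slot " s ": " pbkdf[s] " (GRUB cannot unlock)"
            }
            if (!ok) print "no PBKDF2 keyslot: GRUB cannot unlock this header"
            exit ok ? 0 : 1
        }'
}

# Constructed, abbreviated luksDump excerpts (not from a real device).
# Slot 0 keeps the argon2id default, slot 1 was converted to pbkdf2.
SAMPLE_LUKS2_MIXED='LUKS header information
Version:        2
Epoch:          3

Data segments:
  0: crypt
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 2000000
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

# Default LUKS2 layout: a single argon2id slot, which GRUB cannot use.
SAMPLE_LUKS2_ARGON='LUKS header information
Version:        2

Keyslots:
  0: luks2
        PBKDF:      argon2id
Tokens:
Digests:
  0: pbkdf2'

# LUKS1 header: PBKDF2 is the only option, so GRUB is always fine.
SAMPLE_LUKS1='LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Key Slot 0: ENABLED
        Iterations:     1234567
Key Slot 1: DISABLED'

# Stand-alone demo on the constructed headers.
printf '%s\n' "$SAMPLE_LUKS2_MIXED" | grub_can_unlock
printf '%s\n' "$SAMPLE_LUKS2_ARGON" | grub_can_unlock \
    || echo "=> convert a slot first: cryptsetup luksConvertKey --pbkdf pbkdf2 /dev/sda3"
```

Run it against the real header before relying on an encrypted /boot: the Digests section of a LUKS2 dump also mentions pbkdf2 (for the key digest), which is why the parser stops at Tokens:/Digests: and looks only at keyslots. Converting one slot to PBKDF2 lowers that slot's brute-force resistance compared with Argon2id, so use a strong passphrase there and leave the other slots on Argon2id for use from the booted system.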