So, I realized that every guide online fully encrypts their drive a bit differently.
https://wiki.gentoo.org/wiki/Full_Disk_Encryption_From_Scratch
https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system
https://wiki.artixlinux.org/Main/InstallationWithFullDiskEncryption
https://archive.li/fuvky
Gentoo's guide has the following partition layout:
/dev/sda
├── /dev/sda1            [EFI]    /efi    1 GB   fat32   Bootloader
└── /dev/sda2            [BOOTX]  /boot   1 GB   ext4    Bootloader support files, kernel and initramfs
/dev/nvme0n1
└── /dev/nvme0n1p1       [ROOT]   (root)  ->END  luks    Encrypted root device, mapped to the name 'root'
    └── /dev/mapper/root          /       ->END  btrfs   root filesystem
        /home subvolume                                   Subvolume created for the home directory
        /var subvolume                                    Subvolume created for the var directory
        /etc subvolume                                    Subvolume created for the etc directory
EFI and boot directory on a separate drive, unencrypted. No LVM.
Arch lists a bunch of ways; LVM on LUKS, for example, seems to leave /boot unencrypted with the kernel and initramfs.
+-----------------------------------------------------------------------+ +----------------+
| Logical volume 1      | Logical volume 2      | Logical volume 3      | | Boot partition |
|                       |                       |                       | |                |
| [SWAP]                | /                     | /home                 | | /boot          |
|                       |                       |                       | |                |
| /dev/MyVolGroup/swap  | /dev/MyVolGroup/root  | /dev/MyVolGroup/home  | |                |
|_ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _| | (may be on     |
|                                                                       | | other device)  |
|                         LUKS encrypted partition                      | |                |
|                               /dev/sda1                               | |   /dev/sdb1    |
+-----------------------------------------------------------------------+ +----------------+
or the encrypted boot partition example from the ArchWiki:
+---------------------+----------------------+----------------------+----------------------+----------------------+
| BIOS boot partition | EFI system partition | Logical volume 1     | Logical volume 2     | Logical volume 3     |
|                     |                      |                      |                      |                      |
|                     | /efi                 | /                    | [SWAP]               | /home                |
|                     |                      |                      |                      |                      |
|                     |                      | /dev/MyVolGroup/root | /dev/MyVolGroup/swap | /dev/MyVolGroup/home |
| /dev/sda1           | /dev/sda2            |----------------------+----------------------+----------------------+
| unencrypted         | unencrypted          | /dev/sda3 encrypted using LVM on LUKS                              |
+---------------------+----------------------+--------------------------------------------------------------------+
which seems to be the same as the one by https://archive.li/fuvky (can't insert the picture; in this example the EFI partition is mounted at /boot/efi, thus /boot is encrypted with the kernel and initramfs, but the bootloader GRUB is unencrypted, as I understand it at least, because the partition is mounted at /boot/efi).
Now, the Artix guide confused me.
/dev/sdX  - physical disk with MBR partition table
/dev/sdX1 - encrypted with LUKS (Linux Unified Key Setup) and partitioned into a LVM (Logical Volume Manager) container
    |---> Logical volume 1 - /dev/mapper/lvm-volBoot - /boot encrypted partition of 1 GB size
    |---> Logical volume 2 - /dev/mapper/lvm-volSwap - swap partition, the size of which is >= size of your RAM (i.e. 16 GB)
    |---> Logical volume 3 - /dev/mapper/lvm-volRoot - / root partition, which gets 100% of remaining free space
MBR is the reason there is no /efi directory, but how the hell is it booting if /boot is encrypted with GRUB included?
From my current point of view, the best FDE for UEFI would be https://archive.li/fuvky, GPG-encrypting the keys as described here and password-protecting GRUB?
Then again, LUKS2 won't be possible because of the problems when using GRUB2 with it, right?
Also found this https://wiki.archlinux.org/title/GRUB#LUKS2, not sure if it's a good idea to use it.
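Added example, not part of the post above or of the linked wikis: a small POSIX sh check that reads a `cryptsetup luksDump` report and says whether GRUB's cryptodisk can unlock the header, for the LUKS2-with-GRUB question. It assumes GRUB handles LUKS1 and handles LUKS2 only when every keyslot uses PBKDF2 (Argon2 keyslots are not supported by GRUB's cryptodisk, which is the point of the ArchWiki GRUB#LUKS2 section); the dump texts below are constructed samples.

```shell
#!/bin/sh
# Constructed sample dumps, trimmed to the lines the check looks at.
LUKS1_DUMP='LUKS header information for /dev/sda3
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256'

LUKS2_ARGON_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4'

LUKS2_PBKDF2_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256'

# grub_unlockable DUMP_TEXT
# Prints a one-line verdict; exit 0 when GRUB can unlock the header, 1 when a
# keyslot blocks it, 2 when the header version is not recognised.
grub_unlockable() {
    dump="$1"
    version=$(printf '%s\n' "$dump" | awk '/^Version:/ {print $2; exit}')
    case "$version" in
        1)
            echo "ok: LUKS1 header, GRUB cryptodisk can unlock it"
            return 0 ;;
        2)
            # Any Argon2 keyslot (argon2i/argon2id) is enough to make GRUB fail.
            if printf '%s\n' "$dump" | grep -Eq '^[[:space:]]*PBKDF:[[:space:]]+argon2'; then
                echo "no: LUKS2 keyslot uses Argon2; convert it with cryptsetup luksConvertKey --pbkdf pbkdf2"
                return 1
            fi
            echo "ok: LUKS2 with pbkdf2 keyslots only"
            return 0 ;;
        *)
            echo "no: unrecognised header version '$version'"
            return 2 ;;
    esac
}
```

On a real machine feed it the output of `cryptsetup luksDump /dev/sdXN` instead of the sample strings.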