My laptop isn't under my supervision most of the time. And I'd hate it if someone were to steal my SSD, or whole laptop even, when I'm not around. Is there a way to encrypt everything, but still keep the device in sleep, and unclock it without much delay. It's a very slow laptop. So decryption on login isn't viable, takes too long. While booting up also takes forever, so it needs to be in a "safe" state when simply logged out. Maybe a way that's decrypt-on-demand?
The standard route is to decrypt on boot. It happens after GRUB but before your display manager starts. IDK if there even is a setup that has you "decrypt on login". Thats sounds like your display manager (sddm for KDE) is decrypting system which is not possible IMO.
Unless your laptop somehow has multiple drives you'll want to use the "LVM on LUKS" configuration. 1 small partition for /boot. The rest gets LUKS encrypted, and an LVM group is put on the LUKS container. Or you could replace LVM with btrfs.
This will require wiping your system and reinstalling so you have some reading to do.
The arch-install script in the live iso has options for full disk encryption.
If you suspend to RAM your system will stay unencrypted, because your ram is not encrypted. if you suspend to disk (aka hibernate) your system will be encrypted. You go through the boot loader when waking from hibernation but it just drops you off where you left off.
You need a swapfile for hibernation so make sure its inside the LUKS container.
Looks like they use eCryptFS. Never heard of it before so thats neat. I can see using it on systems where you can't reinstall the system with Dm-crypt but it most cases I suspect Dm-crypt is a better alternative.
To add to the comments, most distros do not offer FDE by default when installing. You have to jump thru hoops. No idea why this is still the case given how many consumer computers are laptops these days, it seems crazy.
The big exception seems to be PopOS, an Ubuntu derivative which is intended for laptops. FDE by default so it must be pretty easy to get that up and running.
Ubuntu itself has a solid FDE option on install, too. It sets up the LVM configuration as already described, no expertise needed. And IME works very reliably.
openSUSE also has a simple FDE setup. Just check a box and enter a passphrase during install. It's not default, but it's about as easy as possible to set up.
For the record, I once had a bad experience with the Debian installer's version. That is why I will not be trying Debian again. Installation is a moment of vulnerability, when you don't have ready access to your data, or the network, and this is one extra factor. IMO it really is non-negotiable for a distro to provide a bulletproof installation experience.
I'm pretty sure all the major distros have FDE as an option in the installer its just never on by default. Fedora does the same but with BTRFS on LUKS. I'm sure Debian does. Someone else says OpenSuse does. Maybe some derivative distros don't but I suspect the ones with an graphical installer do.
Except PopOS, as I understand it. IMO that is a major point in its favor and against its competitors, given the dominance of laptops today. I see no reason why this is still opt-in, rather than opt-out as on mobile OSs.
I think PopOS can safely assume that its being installed on a laptop with only one drive. If there's multiple drives involved then the setup gets far more complicated as you then must go to something like an LUKS on LVM setup. Basically, for a desktop there's no safe defaults for FDE.
Sure, but in that case the default encryption could easily be switched off for multiple-drive setups. Basically, the default setting is what's important.
Keep in mind an unencrypted /boot partition still leaves you open to an evil maid attack. I'm not really paranoid (or interesting) enough that I feel the need to take measures to prevent those kinds of attacks, but your situation may differ.
Dreams of Code on YouTube has a video for a full start to finish arch install specifically including full disk encryption. While my computer is far from “slow” it’s also nothing crazy, and other than adding a second password to my bootup process, the decrypting really doesn’t take long.