Hi,
First of all: really nice distribution. This will be the first laptop for my parents (>65 years old), who are switching from Windows.
Everything works like a charm after some settings.
But I have one problem: During installation I set up full encryption and ZFS. No manual partitioning, just what the installer offered.
For me it was clear: I will add a second (and third) passphrase for my parents. So I set MY passphrase at the beginning.
Usually with LUKS encryption you can have as many keyslots as you like.
But full encryption + ZFS is new for me. In /etc/crypttab I found just one entry, for the swap.
So, first question: Is the system with ZFS really fully encrypted? Or just the swap? That makes no sense, but I'm completely new to Zorin, so I don't know?!
Second question: How can I add a second passphrase? Usually I would do this with cryptsetup luksAddKey /dev/sda1 where /dev/sda1 would be my system partition.
Agreed, it is brutally strong security, like government-grade security. If the notebook is just being used by your loved one in a house, never taking the notebook anywhere, the full drive encryption is totally overkill, and just raises more problems than it solves.
Having said that, if your loved one is going to use the notebook in a bunch of businesses, city bus stops, shopping malls, etc., then the full drive encryption makes more sense, to stop wireless data thieves from copying all the data or accessing it remotely.
So, I honestly can't remember if I turned on ZFS for my system at my last full install, but I have the same single line in crypttab, for nvme1n1p3_crypt. If I look at nvme1 in GNOME Disks, I see this:
I'll admit to more familiarity with Bitlocker (or even TrueCrypt) than LUKS, but I've always read that arrangement as the logical, usable device living under the encrypted device in the same partition.
(The unencrypted stuff in the first two partitions are /boot/efi and /boot, which I gather are not ordinarily encrypted with LUKS encryption, and that it's possible, but significantly more complicated for very little gain. I'm not an encryption expert, and may be mistaken.)
You are making things far more complicated for yourself than they need to be.
Just re-install from scratch and use the default filesystem. ZFS is better suited for setups with a large number of drives that need to be kept in sync. Just use the default and keep things simple.
You can set up LUKS if you want, that's fine, but why have multiple passwords for the same drive that will be used by people who already have physical access to the same drive? Just use one password and keep things simple.
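On the opening question of whether only the swap is encrypted: ZFS native encryption is configured through dataset properties rather than /etc/crypttab, so crypttab alone cannot answer it. The following is an added example, not part of the original posts, that compares both sources; it assumes the installer used ZFS native encryption, and the function names and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only helpers for checking what is actually encrypted.
# All sample data below is constructed, not taken from the poster's machine.

# Print "mapper-name<TAB>source-device" for each active crypttab entry on stdin,
# skipping comment lines and blank lines.
crypttab_targets() {
    awk 'NF >= 2 && $1 !~ /^#/ { print $1 "\t" $2 }'
}

# Read `zfs get -H -o name,property,value encryption` output on stdin and
# print every dataset whose encryption property is "off".
unencrypted_datasets() {
    awk -F'\t' '$2 == "encryption" && $3 == "off" { print $1 }'
}

# Constructed crypttab with a single swap entry, like the one described above.
sample_crypttab() {
    printf '# <name> <device> <keyfile> <options>\n'
    printf '\n'
    printf 'cryptoswap /dev/nvme0n1p2 /dev/urandom swap,initramfs\n'
}

# Constructed `zfs get -H` output (tab-separated): a boot pool in the clear
# and a root pool using native encryption.
sample_zfs_get() {
    printf 'bpool\tencryption\toff\n'
    printf 'bpool/BOOT\tencryption\toff\n'
    printf 'rpool\tencryption\taes-256-gcm\n'
    printf 'rpool/ROOT\tencryption\taes-256-gcm\n'
}

echo "crypttab mappings:"
sample_crypttab | crypttab_targets
echo "datasets with encryption=off:"
sample_zfs_get | unencrypted_datasets

# On a live system:
#   crypttab_targets < /etc/crypttab
#   zfs get -H -o name,property,value -t filesystem,volume encryption \
#       | unencrypted_datasets
```

A root dataset that reports a cipher while crypttab lists only swap means the root filesystem is encrypted by ZFS itself, and its passphrase is not managed through the crypttab entry.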