On 05.12.19 at 01:13, John M. Harris Jr wrote:
Full-disk encryption (/boot included) is the only way to protect the
system itself.
Anything else is simply not secure.
systemd-homed doesn't depend on /etc/passwd or /etc/shadow for
authentication. By all means its security guarantees should be
evaluated.
https://github.com/systemd/systemd/pull/14096

It does not need to: if your system is open to any physical abuser, he can simply exchange the tool that unlocks the drive,
get the password, send it to the attacker and unlock the drive. Nothing has changed for the user, but the system has been compromised.

And encrypting only parts of your system makes it extremely easy to tamper with it.

And by the way, nothing stops an attacker from waiting for you to unlock the drive for him and exfiltrating your data while it is active.

System security needs four major anchors to rely on:

full disk encryption
a good, not backdoored encryption system
secure programs
and secure passcodes

If you only partly encrypt your disk, your data is only protected against random theft, and you have to enter your password
anyway to unlock it, so you can just as well encrypt the entire system. There will be no extra work for you to do ;)

If you have to worry about someone instantly cooling your RAM down to protect in-memory crypto keys after seizing your laptop, it's time to rethink your lifestyle ;)


Best regards,
Marius
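A defender's check for the split layout Marius argues against, added here as an example and not taken from the thread: it walks the device tree that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints and reports, for every mountpoint under /boot, whether some ancestor is a dm-crypt mapping. The two JSON trees are constructed samples (one cleartext /boot beside an encrypted root, one /boot inside the LUKS container); the function names are mine.

```python
import json
import subprocess

# Constructed sample: /boot on a plain partition, only the root fs inside LUKS.
PARTIAL = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}]}]}]}
""")

# Constructed sample: /boot is a logical volume inside the LUKS container;
# only the EFI system partition (which the firmware must read) stays cleartext.
FULL = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptlvm", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-boot", "type": "lvm", "mountpoint": "/boot"},
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"}]}]}]}]}
""")

def _walk(devs, ancestors):
    """Yield (mountpoint, chain of device types from the disk down) for each mounted node."""
    for d in devs:
        chain = ancestors + [d.get("type")]
        mp = d.get("mountpoint")
        if mp is None and d.get("mountpoints"):          # newer lsblk default column name
            mp = next((m for m in d["mountpoints"] if m), None)
        if mp:
            yield mp, chain
        yield from _walk(d.get("children", []), chain)

def encrypted_mounts(tree):
    """Map each mountpoint to True if a dm-crypt device sits anywhere above it."""
    return {mp: "crypt" in chain for mp, chain in _walk(tree["blockdevices"], [])}

def boot_mount_status(tree):
    """Restrict the map to /boot and anything mounted below it."""
    return {mp: enc for mp, enc in encrypted_mounts(tree).items()
            if mp == "/boot" or mp.startswith("/boot/")}

if __name__ == "__main__":
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         capture_output=True, text=True, check=True).stdout
    for mp, enc in sorted(boot_mount_status(json.loads(out)).items()):
        print(f"{mp}: {'inside dm-crypt' if enc else 'CLEARTEXT, can be tampered with offline'}")
```

On UEFI machines /boot/efi is the EFI system partition, which the firmware reads unencrypted; whether that residual cleartext is acceptable is a Secure Boot and measured-boot question that this check does not decide.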