System already set up. Linux Mint 21 (if it is important, I can upgrade to 22). No disk or home encryption set up. And I don’t want to reinstall the system, too many programs and too many custom settings.
What @snowy is looking to do is prevent his roommates, who will also have physical access to his computer, from trying to change the root password by booting into a recovery option and changing the password.
One option I see to prevent this is to disable the root login. Therefore they still won’t be able to access your computer.
You can also add a boot and BIOS lock to your system.
I do this on my ThinkPad. For example, when it boots, there’s a password required to go beyond the BIOS. Also, the BIOS password is enabled so that the BIOS settings and boot options/order are locked.
The BIOS loads before the boot order, but I also remove USB from boot order.
I’ve never in my life yet had my laptop lost or stolen. (Well, I did forget my laptop at a rental car office 2 years ago, but with an Apple AirTag in my backpack I was able to head back and find it; I had forgotten it in a vehicle we first selected.)
On the laptop, the most critical data stored is the Google Drive sync (passwords, credentials, and sensitive work info) that is stored encrypted. So even removing the drive and trying to access data would be difficult.
I think these measures should be default for laptops. On my desktop workstation, I don’t use a boot or BIOS password. But I probably should now after this topic.