What are the benefits of full disk encryption compared to a solution where the a /boot partition with the kernel remains unencrypted?
As far as I understand, the benefit of having a full disk encryption is to prevent a malicious actor to inject bad code on the kernel (for example that code could reveal the encryption password making the encryption useless).
Otherwise, having a full disk encryption complicates the set-up as the boot loader should know how to open an encrypted partition and the initramfs should contain the key to work on the root partition.
In a full disk encryption environment there is also the need for a method that prevent arbitrary modifications on the boot loader, if not the additional security over unencrypted kernel is lost.
Some argues that similar benefits of FDE are in any case obtainable with a bootloader that check the hash of a kernel before let the control to it.
Do you think that -from a home set-up prospective (not in a high security scenario)- there are some points about FDE that I missed?
What is the most balanced configuration for a typical home laptop that balance simplicity and security (for the typical risk having your machine lost/stolen)?