Ubuntu – Full disk encryption – separate home partition


How to create separate /home partition when using full disk encryption feature in the Ubuntu 12.10 installer?

Best Answer

This works on Mint 17.2 as well. It's hard to believe this still hasn't been fixed.

Partitioning

Boot to the install disk, and open a terminal. Assuming you want to use GPT, without UEFI, partition your disk with gdisk.

gdisk /dev/sda

In gdisk:

  • Create a new GUID partition table
  • Create a 1M bios boot partition (partition type ef02). Start=0, End=+1M.
  • Create a grub partition (partition type 8300). At least 256 MB.
  • Create a LUKS crypt partition (partition type 8E00). Keep the suggested Start/End to use the rest of the disk.
  • Press 'w' to write to disk.

Now create the LUKS container on the partition you just created, and call it "lvm" (or whatever you want):

cryptsetup luksFormat /dev/sda3
cryptsetup luksOpen /dev/sda3 lvm

Create the physical volume for LVM in the LUKS container, and then the volume group:

pvcreate /dev/mapper/lvm
vgcreate lvmgrp /dev/mapper/lvm

Create your logical volumes (your sizes may vary):

lvcreate -L 4G lvmgrp -n swapvol
lvcreate -L 20G lvmgrp -n rootvol
lvcreate -l +100%FREE lvmgrp -n homevol

Install Ubuntu/Mint

Now start the installer, leaving the terminal open. At the partitioning step, select "Something Else". Set the mount points for the following, checking the "format" box where applicable:

  • mount /dev/sda2 on /boot
  • mount homevol on /home
  • mount rootvol on /
  • Set swapvol to be a swap space.

Now continue installation, but at the end of the installation click "Continue trying."

Before Rebooting

Back in your terminal, mount your new system in a chroot:

mount /dev/mapper/lvmgrp-rootvol /mnt
mount /dev/sda2 /mnt/boot
cd /mnt
mount /dev --bind dev
chroot .
mount proc
mount sysfs
mount devpts
mount tmpfs

Run blkid to get the UUID of the LUKS container (/dev/sda3).

Edit or create /etc/crypttab, with the following line:

lvm UUID=8f379863-d591-4101-9251-70ae8a34ad02 none luks

Your UUID will be different, of course. This will cause the system to try to open the LUKS container at boot, with the name "lvm".

It's the initial RAM image that will actually do this, so we need to update it:

update-initramfs -u

This will read from the crypttab file and make the necessary changes to the initram image. Now you'll get a prompt to enter your passphrase at boot.

Unmount everything, just to be safe:

umount tmpfs
umount devpts
umount sysfs
umount proc
exit
umount dev
umount boot
cd
umount /mnt

Now reboot, and remove the install disk.

Explanation

So here's what happens at boot:

  • BIOS gives control to GRUB, which loads the kernel and executes the initram image, located in your /boot partition.
  • The initram is configured to unlock the LUKS container, so it will do this next.
  • Now the root file system (in rootvol) is accessible, so the kernel can finish loading the system.

Here's a good reference.
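The crypttab step above is the one that breaks boot when the UUID is typed wrong. The following is an added example, not part of the original answer, that builds the /etc/crypttab line from blkid output and checks an existing line against it; the mapper name "lvm" and /dev/sda3 are the answer's choices, and the blkid output embedded here is a constructed sample standing in for the real command.

```shell
#!/bin/sh
# Added example: derive the crypttab entry for the LUKS container from blkid output
# and verify it before running update-initramfs.

# Constructed sample of `blkid /dev/sda3` output (the UUID is the one from the answer).
SAMPLE_BLKID='/dev/sda3: UUID="8f379863-d591-4101-9251-70ae8a34ad02" TYPE="crypto_LUKS" PARTUUID="11111111-2222-3333-4444-555555555555"'

# Print the value of one field (UUID, TYPE, ...) from a single blkid line.
# The leading whitespace in the pattern keeps PARTUUID from matching as UUID.
blkid_field() {  # $1 = blkid line, $2 = field name
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Produce the crypttab line "<mapper name> UUID=<uuid> none luks".
# Refuses anything blkid does not report as crypto_LUKS (e.g. the ext4 /boot partition).
crypttab_line() {  # $1 = mapper name, $2 = blkid line
    fstype=$(blkid_field "$2" TYPE)
    if [ "$fstype" != "crypto_LUKS" ]; then
        echo "not a LUKS container (TYPE=$fstype)" >&2
        return 1
    fi
    uuid=$(blkid_field "$2" UUID)
    [ -n "$uuid" ] || return 1
    printf '%s UUID=%s none luks\n' "$1" "$uuid"
}

# Succeeds only if the UUID in an existing crypttab line equals the one blkid reports.
# A mismatch means the initramfs waits for a device that never appears and boot
# drops to the busybox shell instead of prompting for the passphrase.
crypttab_matches() {  # $1 = crypttab line, $2 = blkid line
    want=$(blkid_field "$2" UUID)
    have=$(printf '%s\n' "$1" | sed -n 's/^[^ ]* *UUID=\([^ ]*\).*/\1/p')
    [ -n "$want" ] && [ "$have" = "$want" ]
}

# Real use inside the chroot from the answer (kept as comments so this file runs offline):
#   line=$(crypttab_line lvm "$(blkid /dev/sda3)") && echo "$line" >> /etc/crypttab
#   crypttab_matches "$(grep '^lvm ' /etc/crypttab)" "$(blkid /dev/sda3)" && update-initramfs -u
#   lsinitramfs /boot/initrd.img-* | grep -q cryptsetup && echo "cryptsetup is in the initramfs"
```

The last comment line is the check worth running before rebooting: if lsinitramfs shows no cryptsetup binary, update-initramfs did not pick up the crypttab entry and the system will not prompt for the passphrase.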