This works on Mint 17.2 as well. It's hard to believe this still hasn't been fixed.
Partitioning
Boot to install disk, and open terminal. Assuming you want to use GPT, without UEFI, partition your disk with gdisk.
gdisk /dev/sda
In gdisk:
- Create a new GUID partition table
- Create a 1M bios boot partition (partition type ef02). Start=0, End=+1M.
- Create a grub partition (partition type 8300). At least 256 MB.
- Create a LUKS crypt partition (partition type 8E00). Keep the suggested Start/End to use the rest of the disk.
- Press 'w' to write to disk.
Now create the LUKS container on the partition you just created, and call it "lvm" (or whatever you want):
cryptsetup luksFormat /dev/sda3
cryptsetup luksOpen /dev/sda3 lvm
Create the physical volume for LVM in the LUKS container, and then the volume group:
pvcreate /dev/mapper/lvm
vgcreate lvmgrp /dev/mapper/lvm
Create your logical volumes (your sizes may vary):
lvcreate -L 4G lvmgrp -n swapvol
lvcreate -L 20G lvmgrp -n rootvol
lvcreate -l +100%FREE lvmgrp -n homevol
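The partitioning, LUKS and LVM steps above, collected into one parametrised script. This is an added example, not the poster's own commands: it uses the non-interactive sgdisk (same gdisk package) in place of the interactive gdisk session so the steps can be scripted, defaults to a dry run that only prints what it would do, and the disk name, sizes and the "lvm"/"lvmgrp" names are assumptions taken from the post that you adjust to your machine. The part() helper also handles disks whose partitions are named with a "p" (nvme0n1p3), a detail the post's /dev/sda3 does not show.

```shell
#!/bin/sh
# Added example (not from the original post): GPT + BIOS boot + /boot + LUKS-on-LVM layout.
# DRY_RUN=1 (the default) prints the commands only; DRY_RUN=0 really runs them and
# destroys everything on DISK.
DISK=${DISK:-/dev/sda}          # assumption: the whole-disk device to (re)partition
BOOT_SIZE=${BOOT_SIZE:-512M}    # post says "at least 256 MB" for /boot
SWAP_SIZE=${SWAP_SIZE:-4G}
ROOT_SIZE=${ROOT_SIZE:-20G}
LUKS_NAME=${LUKS_NAME:-lvm}     # mapping name, must match what /etc/crypttab will use
VG_NAME=${VG_NAME:-lvmgrp}
DRY_RUN=${DRY_RUN:-1}

# run CMD...: echo the command; execute it only when DRY_RUN=0.
run() {
    printf '%s\n' "$*"
    if [ "$DRY_RUN" = 0 ]; then
        "$@"
    fi
}

# part N: device name of partition N on DISK (/dev/sda3, but /dev/nvme0n1p3).
part() {
    case "$DISK" in
        *[0-9]) printf '%sp%s\n' "$DISK" "$1" ;;
        *)      printf '%s%s\n' "$DISK" "$1" ;;
    esac
}

# Same three partitions as the gdisk steps: 1 = 1M BIOS boot (ef02),
# 2 = /boot (8300), 3 = LUKS container (8e00, rest of the disk).
plan_partitions() {
    run sgdisk --zap-all "$DISK"
    run sgdisk -n 1:0:+1M -t 1:ef02 -c 1:bios_boot "$DISK"
    run sgdisk -n 2:0:+"$BOOT_SIZE" -t 2:8300 -c 2:boot "$DISK"
    run sgdisk -n 3:0:0 -t 3:8e00 -c 3:luks "$DISK"
}

# LUKS container on partition 3, then PV / VG / LVs inside it.
setup_luks_lvm() {
    run cryptsetup luksFormat "$(part 3)"
    run cryptsetup luksOpen "$(part 3)" "$LUKS_NAME"
    run pvcreate "/dev/mapper/$LUKS_NAME"
    run vgcreate "$VG_NAME" "/dev/mapper/$LUKS_NAME"
    run lvcreate -L "$SWAP_SIZE" "$VG_NAME" -n swapvol
    run lvcreate -L "$ROOT_SIZE" "$VG_NAME" -n rootvol
    run lvcreate -l +100%FREE "$VG_NAME" -n homevol
}

main() {
    if [ "$DRY_RUN" != 0 ]; then
        echo "# DRY_RUN=$DRY_RUN: printing commands only, nothing is written to $DISK"
    elif [ ! -b "$DISK" ]; then
        echo "refusing to run: $DISK is not a block device" >&2
        return 1
    fi
    plan_partitions
    setup_luks_lvm
}

main
```

Run it once with the default DRY_RUN=1 and read the printed command list against the partition table you intend; only then rerun with DRY_RUN=0 from the live installer's root shell.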
Install Ubuntu/Mint
Now start the installer, leaving the terminal open. At the partitioning step, select "Something Else". Set the mount points for the following, checking the "format" box where applicable:
- mount /dev/sda2 on /boot
- mount homevol on /home
- mount rootvol on /
- Set swapvol to be a swap space.
Now continue installation, but at the end of the installation click "Continue trying."
Before Rebooting
Back in your terminal, mount your new system in a chroot:
mount /dev/mapper/lvmgrp-rootvol /mnt
mount /dev/sda2 /mnt/boot
cd /mnt
mount --bind /dev dev
chroot .
# Inside the chroot, mount the kernel pseudo-filesystems explicitly; a bare
# "mount proc" only works when the new system's /etc/fstab already lists them.
mount -t proc proc /proc
mount -t sysfs sysfs /sys
mount -t devpts devpts /dev/pts
mount -t tmpfs tmpfs /run
Run blkid to get the UUID of the LUKS container (/dev/sda3).
Edit or create /etc/crypttab, with the following line:
lvm UUID=8f379863-d591-4101-9251-70ae8a34ad02 none luks
Your UUID will be different, of course. This will cause the system to try to open the LUKS container at boot, with the name "lvm".
It's the initial RAM image that will actually do this, so we need to update it:
update-initramfs -u
This will read from the crypttab file and make the necessary changes to the initram image. Now you'll get a prompt to enter your passphrase at boot.
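A small helper for this step, added here and not part of the original answer: it derives the crypttab line from blkid output, refuses to emit one for any device that blkid does not report as crypto_LUKS (so a typo like /dev/sda2 cannot silently land a filesystem UUID in crypttab), and checks an existing crypttab for the expected line before you run update-initramfs. The blkid output is constructed for the example, with made-up UUIDs; the mapping name is assumed to be the "lvm" you used with luksOpen.

```shell
#!/bin/sh
# Added example, not from the original post: build and verify the /etc/crypttab entry.
# Constructed sample of `blkid` output (all UUIDs invented for illustration).
SAMPLE_BLKID='/dev/sda1: PARTLABEL="BIOS boot partition" PARTUUID="0a1b2c3d-0001-4000-8000-000000000001"
/dev/sda2: UUID="2f9c1a4e-3b2d-4e1f-9a8b-7c6d5e4f3a2b" TYPE="ext4" PARTUUID="0a1b2c3d-0002-4000-8000-000000000002"
/dev/sda3: UUID="8f379863-d591-4101-9251-70ae8a34ad02" TYPE="crypto_LUKS" PARTUUID="0a1b2c3d-0003-4000-8000-000000000003"
/dev/mapper/lvm: UUID="Q1w2e3-r4t5-y6u7-i8o9-p0a1-s2d3-f4g5h6" TYPE="LVM2_member"'

# luks_uuid DEVICE BLKID_OUTPUT
# Prints the UUID of DEVICE only if blkid reports TYPE="crypto_LUKS"; returns 1 otherwise.
# crypttab's UUID= field wants the LUKS header UUID, not the PARTUUID.
luks_uuid() {
    luks_line=$(printf '%s\n' "$2" | grep "^$1: ")
    case "$luks_line" in
        *'TYPE="crypto_LUKS"'*) ;;
        *) return 1 ;;
    esac
    luks_id=$(printf '%s\n' "$luks_line" | sed -n 's/.* UUID="\([^"]*\)".*/\1/p')
    # A LUKS UUID is 8-4-4-4-12 lowercase hex; anything else means the wrong field was picked.
    printf '%s\n' "$luks_id" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' || return 1
    printf '%s\n' "$luks_id"
}

# crypttab_entry NAME DEVICE BLKID_OUTPUT
# Prints "NAME UUID=<uuid> none luks"; "none" means the initramfs prompts for the passphrase.
crypttab_entry() {
    entry_uuid=$(luks_uuid "$2" "$3") || return 1
    printf '%s UUID=%s none luks\n' "$1" "$entry_uuid"
}

# check_crypttab FILE NAME DEVICE BLKID_OUTPUT
# Succeeds only if FILE already contains exactly the expected line.
check_crypttab() {
    want=$(crypttab_entry "$2" "$3" "$4") || return 1
    grep -Fxq "$want" "$1"
}

# Demo: the line to append to /etc/crypttab for the layout in the answer.
crypttab_entry lvm /dev/sda3 "$SAMPLE_BLKID"
```

On the real system you would feed it live output, e.g. `crypttab_entry lvm /dev/sda3 "$(blkid)"`, and run check_crypttab against /etc/crypttab inside the chroot right before update-initramfs -u.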
Unmount everything, just to be safe (in reverse order of mounting, by mount point):
umount /run
umount /dev/pts
umount /sys
umount /proc
exit
umount dev
umount boot
cd
umount /mnt
Now reboot, and remove the install disk.
Explanation
So here's what happens at boot:
- BIOS gives control to GRUB, which loads the kernel and executes the initram image, located in your /boot partition.
- The initram is configured to unlock the LUKS container, so it will do this next.
- Now the root file system (in rootvol) is accessible, so the kernel can finish loading the system.
Here's a good reference.
You are being offered 2 layers of Encryption.
The first is LUKS. With LUKS your entire installation (except /boot) will be encrypted, including your home directory.
The second is ecryptfs and is used to encrypt your home directory.
In general there is no need to use the two together, but you could if, for example, you have multiple users and you wish to keep data encrypted between users or from root access.
When you use LUKS, the data in your /home will be decrypted when you boot, and as long as the system is running, the data can be read by root and other users.
https://wiki.ubuntu.com/SecurityTeam/Policies#Permissive_Home_Directory_Access
If you so desire, you can restrict access to the data in your home directory by adjusting the permissions or by encrypting your home directory as well.
If you encrypt your home directory, your personal data will remain encrypted when the system boots and will only be decrypted when you log in.
HTH
Best Answer
Canonical implemented this feature (full disk encryption) in the Ubuntu installer edition from 12.10 because the Alternate CDs were dropped. From QQ, Alternate CDs are no longer available.
"Encrypting full disk" stands for creating encrypted volumes (LUKS), and it uses the full disk, not only the /home folder. Encrypting the full disk is more secure, and with that option you can uncheck "Encrypt my home folder". There is no need to use two kinds of encryption. If you want just to encrypt your home folder (without encrypted / and swap partitions), use only the second option.