This works on Mint 17.2 as well. It's hard to believe this still hasn't been fixed.

Partitioning

Boot to install disk, and open terminal. Assuming you want to use GPT, without UEFI, partition your disk with gdisk.

gdisk /dev/sda

In gdisk:

• Create a new GUID partition table
• Create a 1M bios boot partition (partition type ef02). Start=0, End=+1M.
• Create a grub partition (partition type 8300). At lease 256 MB.
• Create a LUKS crypt partition (partition type 8E00). Keep the suggested Start/End to use the rest of the disk.
• Press 'w' to write to disk.

Now create the LUKS container on the partition you just created, and call it "lvm" (or whatever you want):

cryptsetup luksFormat /dev/sda3
cryptsetup luksOpen /dev/sda3 lvm

Create the physical volume for LVM in the LUKS container, and then the volume group:

pvcreate /dev/mapper/lvm
vgcreate lvmgrp /dev/mapper/lvm

Create your logical volumes (your sizes may vary):

lvcreate -L 4G lvmgrp -n swapvol
lvcreate -L 20G lvmgrp -n rootvol
lvcreate -l +100%FREE lvmgrp -n homevol

Install Ubuntu/Mint

Now start the installer, leaving the terminal open. At the partitioning step, select "Something Else". Set the mount points for the following, checking the "format" box where applicable:

• mount /dev/sda2 on /boot
• mount homevol on /home
• mount rootvol on /
• Set swapvol to be a swap space.

Now continue installation, but at the end of the installation click "Continue trying."

Before Rebooting

Back in your terminal, mount your new system in a chroot:

mount /dev/mapper/lvmgrp-rootvol /mnt
mount /dev/sda2 /mnt/boot
cd /mnt
mount /dev --bind dev
chroot .
mount proc
mount sysfs
mount devpts
mount tmpfs

Run blkid to get the UUID of the LUKS container (/dev/sda3).

Edit or create /etc/crypttab, with the following line:

lvm UUID=8f379863-d591-4101-9251-70ae8a34ad02 none luks

your UUID will be different, of course. This will cause the system to try to open the LUKS container at boot, with the name "lvm".

It's the initial RAM image that will actually do this, so we need to update it:

update-initramfs -u

This will read from the crypttab file and make the necessary changes to the initram image. Now you'll get a prompt to enter your passphrase at boot.

Unmount everything, just to be safe:

umount tmpfs
umount devpts
umount sysfs
umount proc
exit
umount dev
umount boot
cd
umount /mnt

Now reboot, and remove the install disk.

Explanation

So here's what happens at boot:

• BIOS gives control to GRUB, which loads the kernel and executes the initram image, located in your /boot partition.
• The initram is configured to unlock the LUKS container, so it will do this next.
• Now the root file system (in rootvol) is accessible, so the kernel can finish loading the system.

Here's a good reference.

You are being offered 2 layers of Encryption.

The first is LUKS. With LUKS your entire installation (except /boot) will be encrypted, including your home directory.

The second is ecrptfs and is used to encrypt your home directory.

In general there is no need to use the two together, but, you could if for example you have multiple users and you wish to keep data encrypted between users or from root access.

When you use LUKS, when you boot, the data in your /home will be decrypted and as long as the system is running, the data can be read by root and other users.

https://wiki.ubuntu.com/SecurityTeam/Policies#Permissive_Home_Directory_Access

If you so desire , you can restrict access to the data in your home directory by adjusting the permissions or by encrypting your home directory as well.

If you encrypt your home directory, your personal data will remain encrypted when the system boots and will only be decrypted when you log in.

HTH