First time using full disk encryption with LUKS. Sorry for a lot of novice questions.
Before using full disk encryption, I used to have separate partitions /boot, /, home, which allowed me to reinstall the OS while preserving the data in the /home partition.
I would like to keep the same principle of separate partitions with full disk encryption. The Kubuntu 22.04 installer doesn't allow manual partition definition when encryption is enabled. There is only one option "Erase everything and enable encryption" (sorry don't remember the exact wording). Other boot options selected: secure boot and UEFI. Here is the partition layout after Kubuntu 22.04 has been successfully installed.
lsblk -e7
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 1 0B 0 disk
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 512M 0 part /boot/efi
├─nvme0n1p2 259:2 0 1.7G 0 part /boot
└─nvme0n1p3 259:3 0 474.8G 0 part
  └─nvme0n1p3_crypt 253:0 0 474.8G 0 crypt
    ├─vgkubuntu-root 253:1 0 473.8G 0 lvm /
    └─vgkubuntu-swap_1 253:2 0 980M 0 lvm [SWAP]
No idea what the sda disk is, the machine has a single NVMe disk. Now there is only one root partition / in the encrypted partition nvme0n1p3. Let's assume I would like to reinstall the OS from scratch, with disk encryption, same passphrase. The /home directory would be lost.
Q1. Is it possible to add a separate volume and assign it as the /home partition, in such a way that an OS reinstall would preserve the existing encrypted data? I am OK with using the terminal and reformatting the existing disk to restart clean from scratch. The important point here is that LUKS allows preserving the existing /home volume for a future OS install.
Q2. Let's assume Q1 is doable and now there are separate / and /home partitions within the encrypted disk. I would like to install an OS, this could be anything: a newer Kubuntu, Arch, EndeavourOS, etc. Would the native installer of the OS allow me to select full disk encryption, re-use the same passphrase, re-use the existing partition layout, and reformat /boot and /, but preserve the existing encrypted /home?
Q3. Is it normal that LUKS asks for the encryption passphrase at every reboot? I saw a Windows 10 user enabling BitLocker. Somehow, Windows manages to encrypt the disk without asking for an additional password. The user continues to use Windows the same way as before BitLocker, i.e. booting straight to the Windows login. At a high level, what is the fundamental difference between LUKS and BitLocker so that LUKS needs a separate password?