
First time using full disk encryption with LUKS. Sorry for a lot of novice questions.

Before using full disk encryption, I used to have separate partitions /boot, / and /home, which allowed me to reinstall the OS while preserving the data in the /home partition.

I would like to keep the same principle of separate partitions with full disk encryption. The Kubuntu 22.04 installer doesn't allow manual partition definition when encryption is enabled. There is only one option, "Erase everything and enable encryption" (sorry, I don't remember the exact wording). Other boot options selected: Secure Boot and UEFI. Here is the partition layout after Kubuntu 22.04 has been successfully installed.

lsblk -e7

NAME                   MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                      8:0    1     0B  0 disk
nvme0n1                259:0    0 476.9G  0 disk
├─nvme0n1p1            259:1    0   512M  0 part  /boot/efi
├─nvme0n1p2            259:2    0   1.7G  0 part  /boot
└─nvme0n1p3            259:3    0 474.8G  0 part
  └─nvme0n1p3_crypt    253:0    0 474.8G  0 crypt
    ├─vgkubuntu-root   253:1    0 473.8G  0 lvm   /
    └─vgkubuntu-swap_1 253:2    0   980M  0 lvm   [SWAP]

No idea what the sda disk is; the machine has a single NVMe disk. Now there is only one root partition, /, in the encrypted partition nvme0n1p3. Let's assume I would like to reinstall the OS from scratch, with disk encryption and the same passphrase. The /home directory would be lost.

Q1. Is it possible to add a separate volume and assign it to /home, in such a way that an OS reinstall would preserve the existing encrypted data? I am OK with using the terminal and reformatting the existing disk to restart clean from scratch. The important point here is that LUKS allows preserving the existing /home volume for a future OS install.

Q2. Let's assume Q1 is doable and now there are separate / and /home partitions within the encrypted disk. I would like to install an OS; this could be anything: a newer Kubuntu, Arch, EndeavourOS, etc. Would the native installer of the OS allow me to select full disk encryption, re-use the same passphrase, re-use the existing partition layout, reformat /boot and /, but preserve the existing encrypted /home?

Q3. Is it normal that LUKS asks for the encryption passphrase at every reboot? I saw a Windows 10 user enabling BitLocker. Somehow, Windows manages to encrypt the disk without asking for an additional password. The user continues to use Windows the same way as before BitLocker, i.e. boots straight to the Windows login. At a high level, what is the fundamental difference between LUKS and BitLocker such that LUKS needs a separate password?

1 Answer


I can't fully answer everything, but here is a partial answer (way too much to go into comments).

Q1. It is possible to have /home as a separate LUKS partition, but it's going to be fiddly to get working, at least under Ubuntu. I don't think you can get there using just the installer.

You could actually do this with your current setup, as you are using LVM under LUKS. The answer would be to:

  • Shrink your vgkubuntu-root partition (shrink the filesystem down as much as you can, which would need to be done from a boot disk),
  • Then shrink the vgkubuntu-root partition in LVM,
  • Then expand the filesystem to the new size of that partition,
  • Then create a new partition in LVM for home,
  • Then mount it. Because the LVM is on an encrypted disk, /home will be encrypted.

Q2. Probably not, but it depends on how intelligent the installer is. It is certainly technically possible, and no doubt some distros will do it.

Q3. Yes, it is normal for LUKS to ask for the encryption password at every reboot. I don't know why (at least) Ubuntu and Debian don't facilitate this, and it is a major PITA to try and retrofit it, but it is doable (I have done it; it's horrible). AFAIK there is no fundamental reason LUKS needs a password; it is quite possible to munge the PCR registers (i.e. the TPM) to produce a key you can use to unlock the partition. I comment that this is all analogous to how BitLocker works. AFAIK BitLocker and LUKS are not compatible. (It's likely of very limited use, but I wrote a blog when I did this on a previous laptop - https://davidgo.gottschen.com/2017/06/20/dell-venue-11-pro-7139-as-a-linux-tablet-with-full-disk-encryption/ - and this has links to other useful resources.)
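
The Q1 procedure above as one script. This is an example added here, not code from the answer or from Kubuntu. It assumes the layout in the question's lsblk output (container nvme0n1p3_crypt, volume group vgkubuntu, logical volume root), ext4 on the root LV (Kubuntu's default), and that it is run as root from a live USB, because an ext4 filesystem can only be shrunk while unmounted. The three size arguments (current root LV size, data used on it, desired /home size, all in MiB) are constructed figures; read the real ones with `lvs --units m` and `df -m` first. It only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original answer): carve a separate /home LV out
# of vgkubuntu-root inside the existing LUKS container. Sizes are in MiB.
set -eu

DRY_RUN=${DRY_RUN:-1}                  # DRY_RUN=0 to actually run the commands
LUKS_PART=${LUKS_PART:-/dev/nvme0n1p3} # layout from the question's lsblk
MAPPER=${MAPPER:-nvme0n1p3_crypt}
VG=${VG:-vgkubuntu}
ROOT_LV=${ROOT_LV:-root}
HOME_LV=${HOME_LV:-home}

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# New root LV size after handing HOME_MIB to /home. Refuses if the shrunken
# root would not hold the data currently on it plus ~10% headroom.
# usage: plan_root_mib CURRENT_ROOT_MIB USED_MIB HOME_MIB -> prints NEW_ROOT_MIB
plan_root_mib() {
  local new min
  new=$(( $1 - $3 ))
  min=$(( $2 + $2 / 10 ))
  if [ "$new" -lt "$min" ]; then
    echo "refusing: root would be ${new} MiB but needs at least ${min} MiB" >&2
    return 1
  fi
  echo "$new"
}

# The answer's steps in order: unlock, shrink the filesystem, shrink the LV,
# re-grow the filesystem to the LV, create the home LV, format it.
split_home() {
  local cur used home new
  cur=$1; used=$2; home=$3
  new=$(plan_root_mib "$cur" "$used" "$home")
  run cryptsetup open "$LUKS_PART" "$MAPPER"          # prompts for the LUKS passphrase
  run vgchange -ay "$VG"
  run e2fsck -f "/dev/$VG/$ROOT_LV"                  # resize2fs insists on a checked fs
  run resize2fs "/dev/$VG/$ROOT_LV" "${new}M"        # shrink the filesystem first...
  run lvreduce -y -L "${new}M" "/dev/$VG/$ROOT_LV"   # ...then the LV, never the reverse
  run resize2fs "/dev/$VG/$ROOT_LV"                  # grow the fs to fill the LV exactly
  run lvcreate -y -n "$HOME_LV" -L "${home}M" "$VG"
  run mkfs.ext4 -L home "/dev/$VG/$HOME_LV"
  # Manual follow-up: mount the new LV, rsync -aHAX the current /home onto it,
  # then add this line to /etc/fstab of the installed system:
  echo "/dev/mapper/${VG}-${HOME_LV} /home ext4 defaults 0 2"
}

# Example run with constructed sizes (current root, used, wanted /home):
#   DRY_RUN=1 sh split_home.sh 485171 40000 300000
if [ $# -ge 3 ]; then split_home "$@"; fi
```

Two things the answer's list leaves implicit: copy the old /home contents onto the new LV before mounting it at /home, otherwise they sit hidden under the mountpoint, and back the disk up before shrinking anything, since a filesystem shrink is not recoverable if it is interrupted. For the reinstall in Q2, the installer has to be run in its manual partitioning mode after the container has been unlocked in the live session (`cryptsetup open` as above), so that vgkubuntu-home can be assigned to /home without being formatted; an "erase and encrypt" style option will recreate the LUKS container and destroy the LV.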

  • Thanks @davidgo, looks like I would need to practice a lot on a VM to get this straight. As for Q3, I am not sure if deriving the encryption key from the TPM module would be useful in the scenario where the whole laptop gets stolen. With BitLocker the thief just needs to steal the user's Windows login creds. With LUKS, his job would be a bit harder as he would need to steal TWO keys (LUKS and the login creds). Maybe it is LUKS's intentional design to require a separate personalized passphrase outside of any hardware factor within the machine itself?
    – Polymerase
    Commented Jun 13, 2022 at 16:55
  • @Polymerase Not sure what you are saying. With BitLocker correctly set up you do need the whole machine + login details (or backup passphrase). Similarly with LUKS. In both cases there are multiple keys that can unlock the header, which in turn unlocks the drive, one of which is derived from the TPM.
    – davidgo
    Commented Jun 13, 2022 at 19:28
  • If I steal the Windows laptop with BitLocker on, all I need is the user login to enter Windows. The user who showed me BitLocker, after enabling it, rebooted and logged into Windows as before. BitLocker doesn't ask for any extra password. Confirmed by this article: windowscentral.com/how-use-bitlocker-encryption-windows-10. If my laptop is stolen, the thief would need my LUKS password and my Linux password to enter the OS.
    – Polymerase
    Commented Jun 14, 2022 at 3:45
  • @Polymerase - sort of agree, if you set up LUKS such that it requires a Linux password. You can set up LUKS so that it unlocks the drive based on a derived key (e.g. from the TPM), or a file. Conversely you can set up BitLocker so it uses a pre-boot password. howtogeek.com/262720/… - I put it to you that the technologies are very analogous, although the default way they are configured out of the box is different.
    – davidgo
    Commented Jun 14, 2022 at 4:32
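
The TPM-based unlock that the answer and the comment thread describe for Q3, as an added example rather than anything from the answer or the linked blog. It uses systemd-cryptenroll, which binds a new LUKS2 keyslot to the TPM's PCR state so the initrd can unseal the key without a prompt; this is the LUKS counterpart of BitLocker's default TPM-only mode. Assumptions: the container from the question (/dev/nvme0n1p3, mapper name nvme0n1p3_crypt, LUKS2 as created by the 22.04 installer), systemd 248 or newer for systemd-cryptenroll, and an initrd that contains systemd-cryptsetup. It prints the commands unless DRY_RUN=0; the crypttab editor is the only part that runs for real, and it works on text passed through stdin.

```shell
#!/bin/sh
# Added example (not from the original answer): bind a LUKS2 keyslot to the
# TPM2 so the root container unlocks at boot without a typed passphrase.
set -eu

DRY_RUN=${DRY_RUN:-1}                  # DRY_RUN=0 to actually run, as root
LUKS_PART=${LUKS_PART:-/dev/nvme0n1p3} # container from the question's lsblk
MAPPER=${MAPPER:-nvme0n1p3_crypt}
CRYPTTAB=${CRYPTTAB:-/etc/crypttab}
PCRS=${PCRS:-7}   # PCR 7 = Secure Boot policy; unchanged by kernel/shim updates

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Add tpm2-device=auto to the options field (4th column) of the crypttab entry
# NAME. Reads crypttab text on stdin, writes it on stdout. Comments and other
# entries pass through untouched; applying it twice changes nothing.
crypttab_enable_tpm2() {
  awk -v name="$1" '
    $1 == name {
      if ($4 == "")                  $4 = "tpm2-device=auto"
      else if ($4 !~ /tpm2-device=/) $4 = $4 ",tpm2-device=auto"
    }
    { print }'
}

enroll_tpm2() {
  # 1. Add a TPM-bound keyslot. The existing passphrase slot stays as the
  #    recovery path (the analogue of a BitLocker recovery key); do not remove it.
  #    systemd >= 251 also accepts --tpm2-with-pin=yes for a TPM+PIN policy,
  #    which is what keeps a stolen laptop from booting to the login screen.
  run systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$PCRS" "$LUKS_PART"
  # 2. Check: the header should now carry a 'systemd-tpm2' token.
  run sh -c "cryptsetup luksDump $LUKS_PART | grep -A3 systemd-tpm2"
  # 3. Tell the initrd to try the TPM before prompting.
  if [ "$DRY_RUN" = 1 ]; then
    echo "+ crypttab_enable_tpm2 $MAPPER < $CRYPTTAB > $CRYPTTAB.new && mv $CRYPTTAB.new $CRYPTTAB"
  else
    crypttab_enable_tpm2 "$MAPPER" < "$CRYPTTAB" > "$CRYPTTAB.new"
    mv "$CRYPTTAB.new" "$CRYPTTAB"
  fi
  # 4. Rebuild the initrd. Ubuntu 22.04's stock initramfs-tools hook does not
  #    act on tpm2-device=, so in practice a dracut-built initrd (which ships
  #    systemd-cryptsetup) is used instead; that is the "retrofit" pain the
  #    answer refers to.
  run update-initramfs -u
}

enroll_tpm2
```

Binding to PCR 7 only means the key unseals whenever Secure Boot is in the enrolled state, so anyone holding the whole laptop boots straight to the login manager, exactly the BitLocker behaviour discussed in the comments; the OS login then becomes the security boundary. Two checks worth doing before relying on it: reboot once with the TPM path active and confirm no prompt appears, then reboot with the TPM disabled in firmware and confirm the passphrase prompt still works as the fallback.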
