Setting up Encryption
Back at the main partitioning screen, we need to tell the installer what these logical volumes we just created are going to be used for — namely, encrypted logical volumes.
Select the first volume and press enter.
The partitioner doesn’t know what to do with the volume until we tell it, so select the “use as” section and press enter.
Here we establish that the root filesystem will be encrypted. Choose “Physical volume for encryption” and press enter.
The partition settings screen now shows several encryption-specific options, but we don’t need to change anything because all the defaults are how we want them. Select “Done setting up the partition” and press enter.
Now we do the same thing for the second volume. Select it from the main partitioning window and press enter.
Again, by default the system doesn’t know what to do with it, so select the “use as” section so we can enlighten the installer.
This volume will also be encrypted, so select “Physical volume for encryption” and press enter.
The encryption options will be mostly correct, but instead of using a passphrase for this volume, we’re going to use a random key. This is because this area is going to be used for swap space. Swap space is not persistent across reboots, so it doesn’t need to be unlocked with the same key each time. It can be encrypted with a random key that is only valid for that boot. On the next boot, the system will generate a new key and write over the swap space.
The benefit for you is that you only have to enter one passphrase — the one for the root filesystem — instead of two.
To change this, select “Encryption key” and press enter.
Then select “Random Key” and press enter.
Select “Done setting up the partition” and press enter.
Back at the main partitioning screen, select “Configure encrypted volumes” and press enter.
The partitioner warns you that after encrypted volumes are configured, you can’t change them. If you are satisfied with your settings up to this point, select “yes” and press enter.
On the next screen, choose “Create encrypted volumes” and press enter.
Select the devices you want to use for encryption with the arrow keys, and mark them with the space bar. Press enter when your chosen devices are marked.
The partitioner now prompts you for your encryption passphrase. This is the passphrase for the root filesystem. It will be needed any time you boot or otherwise access this filesystem.
Enter your passphrase and press enter.
Confirm the passphrase and press enter again.
Back at the main partitioning screen again, it’s time to say what we want to use those encrypted volumes for.
Select the first encrypted volume and press enter.
The partitioner defaults to use the volume as an ext4 filesystem. We just need to tell it where to mount it.
Select “Mount point” and press enter.
Select “/ – the root filesystem” and press enter.
That’s all we need to do here. Select “Done setting up the partition” and press enter.
When you return to the main partitioning screen, you can see the second encrypted volume is already set to be used as swap, so you don’t need to even bother going into the partitioning editing section for this volume.
But if you do decide to go in to make sure, this is what you should see (and if this isn’t what you see, this is what you should set it to).
Tying up any Partitioning Loose Ends
Before we move on with the rest of the installation, we just need to configure the boot partition.
Select it from the main partitioning screen and press enter.
Select “use as” and press enter.
Choose the filesystem type you want to use for your boot partition. I’m sticking with ext4. Press enter after you make your selection.
Select “Mount point” and press enter.
Select “/boot — static files of the bootloader” and press enter.
Select “Done setting up the partition” and press enter.
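Added example, not part of the original guide: on the installed system the encrypted volumes are listed in /etc/crypttab, and this script checks that the root volume prompts for a passphrase while swap uses a throwaway random key, as configured above. It goes slightly beyond the two volumes in this guide by also flagging random-key entries that would be risky; the volume names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide). Sample entries are constructed.

# Constructed crypttab: fields are target, source device, key file, options.
sample_crypttab() {
cat <<'EOF'
# <target>      <source device>       <key file>    <options>
vg0-root_crypt  /dev/mapper/vg0-root  none          luks
vg0-swap_crypt  /dev/mapper/vg0-swap  /dev/urandom  cipher=aes-xts-plain64,size=256,swap
oldswap         /dev/sdb2             /dev/urandom  swap
EOF
}

# classify_entry SOURCE KEYFILE OPTIONS -> prints a verdict for one entry
classify_entry() {
    src=$1 key=$2 opts=$3
    case ",$opts," in *,swap,*) is_swap=1 ;; *) is_swap=0 ;; esac
    case "$key" in /dev/urandom|/dev/random) rnd=1 ;; *) rnd=0 ;; esac
    if [ "$is_swap" = 1 ] && [ "$rnd" = 1 ]; then
        # Reformatted with a fresh key on every boot, so the source must be a
        # stable name: a kernel name that moves would get another disk wiped.
        case "$src" in
            /dev/sd*|/dev/hd*|/dev/vd*|/dev/nvme*) echo swap-random-UNSTABLE-SOURCE ;;
            *) echo swap-random-ok ;;
        esac
    elif [ "$is_swap" = 1 ]; then
        echo swap-persistent-key
    elif [ "$rnd" = 1 ]; then
        # Non-swap data under a throwaway key is unreadable after a reboot.
        echo DATA-WITH-RANDOM-KEY
    elif [ "$key" = none ] || [ "$key" = - ]; then
        echo passphrase
    else
        echo keyfile
    fi
}

# audit_crypttab: reads crypttab text on stdin, prints "target<TAB>verdict",
# and returns 1 if any entry is flagged.
audit_crypttab() {
    rc=0
    while read -r target src key opts _ || [ -n "$target" ]; do
        case "$target" in ''|'#'*) continue ;; esac
        verdict=$(classify_entry "$src" "${key:-none}" "$opts")
        printf '%s\t%s\n' "$target" "$verdict"
        case "$verdict" in *UNSTABLE*|DATA-*) rc=1 ;; esac
    done
    return "$rc"
}

sample_crypttab | audit_crypttab || echo "flagged entries need review"
```

On a real system, run it as `audit_crypttab < /etc/crypttab`. A swap-random-ok entry cannot hold a hibernation image, because its key is discarded at shutdown.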