Create separate LUKS-encrypted home partition

Encryption using LUKS is the preferred method for protecting Linux systems from unauthorised access from the moment of installation. Full-disk encryption is particularly essential for mobile devices such as laptops, which can be lost or stolen; note that LUKS only protects data at rest, not a running, unlocked system. Another recommendation is to always store the root and home directories on different partitions, which makes it much easier to keep personal data intact across later system changes, reinstallations or migrations.
However, the guided installation routine for Ubuntu or Debian derivatives does not allow additional partitions to be created in conjunction with LUKS encryption: it places a single root logical volume (LVM) inside one LUKS container. The "partitions" created below are therefore logical volumes in that volume group, which is why they appear as /dev/mapper/vgkubuntu-root and /dev/mapper/vgkubuntu-home. The home volume can be added after installation, and these instructions show you how.

This assumes that the operating system has already been installed and encrypted with LUKS. The installation uses the entire hard drive and does not have any additional partitions.

Important: it is always advisable to back up your private data in your home directory before performing system interventions such as this!

For the first step, we need a Linux live USB. This can be the same one that was used for the installation. Since we are using the KDE Partition Manager, systems that use KDE as their desktop environment from the outset are naturally advantageous. These would be Kubuntu or MX Linux KDE, for example. However, the programme can also be installed in other live USBs via the package manager.

The hard drive must be partitioned from a live system. So we start the live USB environment and install the KDE Partition Manager.

sudo apt install partitionmanager

Next, we start the KDE Partition Manager from the application menu. Within the partition manager, we find our encrypted partition. Right-clicking on it, we select ‘Decrypt’ from the context menu and enter the LUKS passphrase to open the container. Press F5 once to refresh the device list; the volume group (vgkubuntu on a Kubuntu install) now appears as a device of its own, and we can expand it to find our root logical volume inside.

Now we can shrink the root volume and select a new size. A size between 50 and 80 GB is recommended for the system. In the space that has now been freed up, we create our home volume, named home within the volume group so that it appears as vgkubuntu-home (or whatever you like), as well as a swap volume if one does not already exist (a new swap volume needs its own entry in fstab later). The larger part of our hard drive will certainly be filled with our personal data, so we can safely assign the rest of the drive to our home volume. We can keep the default ‘ext4’ file system.

Screenshot: KDE Partition Manager showing the opened LUKS container and the volume group “vgkubuntu”

Next, we need to mount both volumes, our root and our home, into the live system’s file system. Let’s assume our root volume is vgkubuntu-root and our newly created home volume is vgkubuntu-home.

sudo mkdir /mnt/root
sudo mkdir /mnt/home
sudo mount /dev/mapper/vgkubuntu-root /mnt/root
sudo mount /dev/mapper/vgkubuntu-home /mnt/home

Once both volumes are mounted, our goal must be to copy the contents of our previous home directory (/mnt/root/home) to our home volume (/mnt/home). Only the contents, mind you, not the directory itself: there must be no ‘home’ subdirectory on our home volume. The file manager running in the live system can do this, but it runs as the live user and may not preserve file ownership, permissions or ACLs, so copying as root with rsync -aAXH is the safer choice. The old contents remain on the root volume and merely become invisible once /home is mounted over them; after the first successful boot, delete them to free the space, but keep the empty /home directory on the root volume as the mount point.

Finally, the new home volume must be entered in the fstab of the installed system. That file lives on the root volume, which we mounted at /mnt/root, so the file to edit is /mnt/root/etc/fstab and not the live system’s own /etc/fstab. We can read the exact names of our volumes and their unique IDs with the following commands after the encrypted container has been opened in Partition Manager:

lsblk

This displays all existing block devices on the system, including the opened LUKS container and the logical volumes inside it. We recognise the logical volume vgkubuntu-home that we created earlier.

sudo blkid /dev/mapper/vgkubuntu-home

This will display the unique ID of the file system in the UUID field, in a format similar to this placeholder: ‘UUID="f4824c-7bhi-27b5-dk65fde66f564"’ (a real UUID is hexadecimal). The command ‘sudo blkid -s UUID -o value /dev/mapper/vgkubuntu-home’ prints just the value. We copy this ID and use it to edit the installed system’s fstab directly.

sudo nano /mnt/root/etc/fstab

In fstab, we first ensure that there is not already an entry for /home and then add the following line (mount options, dump flag 0 because dump is not used, and fsck order 2 so that /home is checked after the root file system):

UUID=f4824c-7bhi-27b5-dk65fde66f564 /home ext4 defaults,noatime 0 2

No change to crypttab is needed, because the home volume lives in the same LUKS container that is already unlocked at boot. Unmount both volumes and close the container cleanly before rebooting (in Partition Manager, or with ‘sudo umount /mnt/home /mnt/root’). After restarting, your system will be set up as desired and your private data will be neatly separated from the system volume.
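The mount, copy and fstab steps above, done from the live USB’s terminal instead of the file manager, as an added example that is not part of the original post. It assumes the LUKS container is /dev/nvme0n1p3, the volume group is vgkubuntu with logical volumes root and home (home already created in KDE Partition Manager), and that it is run as root with ‘--run’; the device name and the mapper name cryptroot are assumptions to adjust. The copy uses rsync to preserve ownership, permissions, ACLs and xattrs, the old home directory is renamed to home.old on the root volume as a fallback, and the fstab line is written to the installed system’s fstab only if no /home entry exists yet.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: LUKS container on
# /dev/nvme0n1p3, volume group vgkubuntu with LVs root and home, run as root
# from the live USB. Adjust LUKS_DEV / VG / MAPPER_NAME to your system.
set -eu

LUKS_DEV="${LUKS_DEV:-/dev/nvme0n1p3}"     # assumption: your encrypted partition
VG="${VG:-vgkubuntu}"                      # volume group created by the installer
MAPPER_NAME="${MAPPER_NAME:-cryptroot}"    # assumption: name for the opened container

# Build the fstab line for the new home volume from its file-system UUID.
# dump=0 (dump is not used); pass=2 so /home is fsck'd after the root file system.
fstab_line() {
  printf 'UUID=%s /home ext4 defaults,noatime 0 2\n' "$1"
}

# Return 0 if the given fstab already mounts /home, 1 otherwise.
# Skips comment lines and matches the mount-point field exactly.
fstab_has_home() {
  awk '$1 !~ /^#/ && $2 == "/home" { found = 1 } END { exit !found }' "$1"
}

# Copy the contents of the old home directory (not the directory itself) onto
# the new volume, keeping ownership, permissions, ACLs, xattrs and hard links.
copy_home_contents() {
  rsync -aAXH --info=progress2 "$1/" "$2/"
}

migrate_home() {
  root=/mnt/root
  home=/mnt/home

  # Open the container unless Partition Manager already left it open.
  [ -e "/dev/mapper/$MAPPER_NAME" ] || cryptsetup open "$LUKS_DEV" "$MAPPER_NAME"
  vgchange -ay "$VG"                           # activate the logical volumes
  mkdir -p "$root" "$home"
  mount "/dev/mapper/${VG}-root" "$root"
  mount "/dev/mapper/${VG}-home" "$home"

  copy_home_contents "$root/home" "$home"

  # Keep the old data on the root volume as a fallback until the first boot
  # works, then remove home.old by hand. An empty /home stays as mount point.
  mv "$root/home" "$root/home.old"
  mkdir "$root/home"

  # Write the fstab entry into the INSTALLED system's fstab, not the live one.
  uuid=$(blkid -s UUID -o value "/dev/mapper/${VG}-home")
  if fstab_has_home "$root/etc/fstab"; then
    echo "$root/etc/fstab already has a /home entry; edit it by hand" >&2
  else
    fstab_line "$uuid" >> "$root/etc/fstab"
  fi

  # Unmount and close cleanly before rebooting.
  umount "$home" "$root"
  vgchange -an "$VG"
  cryptsetup close "$MAPPER_NAME"
}

case "${1:-}" in
  --run) migrate_home ;;
  *) echo "usage: $0 --run   (as root, from the live USB, after shrinking root)" >&2 ;;
esac
```

The two helper functions are pure and can be tried on a copy of fstab before the real run; everything that touches devices is confined to migrate_home, which only runs when ‘--run’ is given.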
