https://vitobotta.com/2018/01/11/ubuntu-full-disk-encryption-manual-partitioning-uefi/
Modified to use a separate encrypted partition for /home
Run gparted, and do the following:
delete all the existing partitions on the target disk
create a new partition table of type primary
create a fat32 partition of 256MB with name “EFI System Partition” and label “ESP”, then click “Apply” to actually create the partition
right-click on the partition you’ve just created, click “Manage flags” and check “esp”, then click “Apply” again
quit gparted
The partition you just created will be identified as /dev/sda1.
Now run the Ubuntu installer, and at the “Installation type” screen select “Something else” to continue with the custom partitioning:
create an ext2 partition of 512MB that will be used as /boot (the partition will be identified as /dev/sda2)
create a partition of the size you want as “physical volume for encryption”, then enter the passphrase you want to use to unlock the encrypted partition (the partition will be identified as /dev/sda3 and will be used for root)
Open up 'disks'
Create a new partition of the size you want for your home directory. Encrypt the partition and enter your password from before. Note the name /dev/mapper/luks-UUID; you'll need the luks-UUID later.
Quit the installer, and open the terminal (ctrl-alt-t). Then proceed with setting up the LVM volumes:
sudo -s
dmsetup ls
dmsetup rename luks-UUID sda4_crypt
vgcreate system /dev/disk/by-id/dm-name-sda3_crypt
lvcreate -L 2G -n swap system
lvcreate -l 100%FREE -n root system
Notes:
you don’t have to create a swap partition, nor does it have to be 2GB. You can skip this if you have plenty of RAM or will be using a swapfile instead
Reopen the installer leaving the terminal also open, and again choose “Something else” at the “Installation type” screen. Then:
select the EFI/ESP partition (/dev/sda1), right-click then click “Change”, and ensure “Use as” is set to “EFI System Partition”
select the boot partition (/dev/sda2), right-click then click “Change”, and ensure “Use as” is set to “ext2 file system” and the mount point to “/boot”. Then check “Format the partition” and confirm
select the swap volume (/dev/mapper/system-swap) if you have created it, right-click then click “Change”, and ensure “Use as” is set to “swap area”
select the root volume (/dev/mapper/system-root), right-click then click “Change”, and ensure “Use as” is set to “ext4 journaling file system” and the mount point to “/”; check “Format the partition” and confirm
select the home volume (/dev/mapper/sda4_crypt), right-click then click “Change”, and ensure “Use as” is set to “ext4 journaling file system” and the mount point to “/home”; check “Format the partition” and confirm
select /dev/sda as “Device for boot loader installation”
proceed with the installation but do not reboot when asked and leave the installer open
Back to the terminal, run
blkid /dev/sda3
blkid /dev/sda4
and take note of the UUID of the encrypted partitions. Then run
echo 'sda3_crypt UUID=(the sda3 uuid without quotes) none luks,discard' > /target/etc/crypttab
echo 'sda4_crypt UUID=(the sda4 uuid without quotes) none luks,discard' >> /target/etc/crypttab
Next, run the following to chroot into the new installation:
mount -t proc proc /target/proc
mount --rbind /sys /target/sys
mount --rbind /dev /target/dev
chroot /target
Install the bootloader:
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ubuntu --boot-directory=/boot/efi/EFI/ubuntu --recheck /dev/sda
grub-mkconfig --output=/boot/efi/EFI/ubuntu/grub/grub.cfg
update-initramfs -ck all
exit
reboot
The system should now boot into the new installation, requiring you to enter the passphrase to unlock the disk first.
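Whether that passphrase prompt appears depends on the two crypttab entries written by hand before the chroot step. The following is an added example, not part of the original guide: a small linter for entries of the form used above, which rejects a UUID copied with its quotes, a missing luks option, or a repeated mapping name. The function names and sample UUIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint crypttab entries of the form this guide writes,
#   <name> UUID=<uuid> none luks[,options]
# Function names and the sample UUIDs below are constructed for illustration.

check_crypttab_line() {
    set -f; set -- $1; set +f          # split the entry into fields, no globbing
    [ $# -eq 4 ] || { echo "expected 4 fields, got $#" >&2; return 1; }
    name=$1 src=$2 key=$3 opts=$4
    case $src in
        UUID=*) uuid=${src#UUID=} ;;
        *) echo "$name: source is not UUID=..." >&2; return 1 ;;
    esac
    # blkid prints LUKS UUIDs as 8-4-4-4-12 hex digits; quotes must not be copied
    printf '%s\n' "$uuid" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' ||
        { echo "$name: malformed UUID: $uuid" >&2; return 1; }
    [ "$key" = none ] || { echo "$name: key field is not 'none'" >&2; return 1; }
    case ",$opts," in
        *,luks,*) ;;
        *) echo "$name: options lack 'luks'" >&2; return 1 ;;
    esac
}

# Lint every entry in a file; non-zero if any entry fails or a mapping name repeats.
check_crypttab_file() {
    rc=0 seen=' '
    while IFS= read -r l || [ -n "$l" ]; do
        case $l in ''|'#'*) continue ;; esac
        check_crypttab_line "$l" || { rc=1; continue; }
        case $seen in
            *" $name "*) echo "duplicate mapping name: $name" >&2; rc=1 ;;
        esac
        seen="$seen$name "
    done < "$1"
    return $rc
}

# Constructed sample: one good entry, one with the quotes left in.
SAMPLE_GOOD='sda3_crypt UUID=0a1b2c3d-1111-2222-3333-0123456789ab none luks,discard'
SAMPLE_BAD='sda4_crypt UUID="0a1b2c3d-4444-5555-6666-0123456789ab" none luks,discard'
```

Source the file and run check_crypttab_file /target/etc/crypttab before the chroot step. It checks the form of each entry only, so still compare each UUID against the blkid output for /dev/sda3 and /dev/sda4.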