Install Linux Mint with UEFI Secure Boot on two encrypted disks (root and home)
  1. Boot from Live Disk
  2. Start Gparted
  3. Delete all Partitions
  4. Main disk for boot and root
    1. Create primary partition (FAT32) with 500MB (e.g. sda1) (for EFI filesystem)
    2. Create primary partition (ext4) with 1GB (e.g. sda2) (boot partition)
    3. Create extended partition (e.g. sda3)
    4. Create logical partition in extended partition (e.g. sda4) (root partition)
    5. Apply changes
    6. Set boot and esp flag for first partition sda1
  5. Second disk for home
    1. Create primary partition (ext4) (e.g. sdb1) (home partition)
    2. Apply changes
  1. Get root rights
sudo su -
  1. Get signed grub image
sudo apt install grub-efi-amd64-signed
  1. Mount boot and efi
mount /dev/sda2 /mnt
mkdir /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sda1 /mnt/boot/efi
  1. Install grub
grub-install --uefi-secure-boot --recheck --no-floppy --root-directory=/ --boot-directory=/mnt/boot --efi-directory=/mnt/boot/efi /dev/sda
  1. Reboot
  1. Boot from Live disk
  2. Create encrypted partitions and open them
    Choose the same password for both partitions if you only want to type one during booting
cryptsetup luksFormat /dev/sda4
cryptsetup luksFormat /dev/sdb1
cryptsetup open --type luks /dev/sda4 sda4_crypt
cryptsetup open --type luks /dev/sdb1 sdb1_crypt
  1. Create volume groups and logical volumes
vgcreate systemvg /dev/mapper/sda4_crypt
vgcreate datavg /dev/mapper/sdb1_crypt
lvcreate -n swaplv -L8G systemvg
lvcreate -n rootlv -l100%FREE systemvg
lvcreate -n homelv -l100%FREE datavg

DO NOT REBOOT!!!!

  1. Start Mint installation
  2. Choose "Something else" for Installation type
  3. Set "/dev/mapper/datavg-homelv"
    Filesystem: ext4
    Mount point: /home
    Format: on
  4. Set "/dev/mapper/systemvg-rootlv"
    Filesystem: ext4
    Mount point: /
    Format: on
  5. Set "/dev/mapper/systemvg-swaplv"
    Filesystem: swap
  6. Set "/dev/sda2"
    Filesystem: ext4
    Mount point: /boot
    Format: off
  7. Select device for bootloader installation:
    /dev/sda (without a number, because the device is needed and not a partition)
  8. Install now
    Ignore warning because of missing format flag for the boot partition
  9. After installation "Continue testing"
    DO NOT RESTART!!!
  1. Root rights
sudo su -
  1. chroot new installation
mount /dev/systemvg/rootlv /target
mount /dev/sda2 /target/boot
mount -o bind /proc /target/proc
mount -o bind /dev /target/dev
mount -o bind /sys /target/sys
chroot /target
  1. Let installation know you are using encrypted partitions
echo "sda4_crypt /dev/sda4 none luks" >> /etc/crypttab
echo "sdb1_crypt /dev/sdb1 none luks" >> /etc/crypttab
blkid /dev/sda4
blkid /dev/sdb1
echo "cryptodisk UUID=63a28f07-6f16-4b00-93a1-1c95614efafb none luks" >> /etc/crypttab
echo "cryptodisk UUID=63a28f07-6f16-4b00-93a1-1c95614efafb none luks" >> /etc/crypttab
update-initramfs -k all -c

Insert the UUIDs of the two partitions, as printed by the blkid commands above, in place of the example UUID.
Note: Normally the UUID part should not be needed because, but it could prevent problems.

  1. Exit chroot
  2. Reboot
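
Added example (not part of the original gist): a shell helper for the crypttab step above that builds each entry from that partition's own blkid output, refuses devices that are not LUKS containers, and checks the resulting file for repeated target names or sources that are not given by UUID. The function names and the sample blkid lines are assumptions made for this example; the mapping names follow the ones opened earlier with cryptsetup.

```sh
#!/bin/sh
# Added example, not the gist author's code. Function names are hypothetical.

# Constructed sample blkid lines (the UUIDs are made up for this example).
SAMPLE_ROOT='/dev/sda4: UUID="11111111-2222-3333-4444-555555555555" TYPE="crypto_LUKS" PARTUUID="0001-05"'
SAMPLE_PLAIN='/dev/sda2: UUID="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" TYPE="ext4"'

# luks_uuid BLKID_LINE
# Prints the UUID from one line of blkid output, but only when the line
# describes a LUKS container. Returns 1 for any other device type, so the
# UUID of an inner filesystem is never written to crypttab by mistake.
luks_uuid() {
    case "$1" in
        *'TYPE="crypto_LUKS"'*) ;;
        *) return 1 ;;
    esac
    # The leading space keeps PARTUUID= and UUID_SUB= from matching.
    uuid=$(printf '%s\n' "$1" | sed -n 's/.* UUID="\([0-9a-fA-F-]*\)".*/\1/p')
    [ -n "$uuid" ] || return 1
    printf '%s\n' "$uuid"
}

# crypttab_line NAME BLKID_LINE
# Prints one crypttab entry: "<name> UUID=<uuid> none luks".
crypttab_line() {
    uuid=$(luks_uuid "$2") || return 1
    printf '%s UUID=%s none luks\n' "$1" "$uuid"
}

# check_crypttab
# Reads crypttab text on stdin, reports repeated target names and sources
# that are not UUID-based, and returns 1 if it found any.
check_crypttab() {
    awk '
        /^[ \t]*(#|$)/ { next }
        seen[$1]++     { printf "duplicate target name: %s\n", $1; bad = 1 }
        $2 !~ /^UUID=/ { printf "%s: source %s is not UUID-based\n", $1, $2; bad = 1 }
        END { exit bad }
    '
}

# Demo on the constructed sample. Inside the chroot the real calls would be:
#   crypttab_line sda4_crypt "$(blkid /dev/sda4)" >> /etc/crypttab
#   crypttab_line sdb1_crypt "$(blkid /dev/sdb1)" >> /etc/crypttab
#   check_crypttab < /etc/crypttab
crypttab_line sda4_crypt "$SAMPLE_ROOT"
```

Run `check_crypttab < /etc/crypttab` before `update-initramfs` so that a repeated name or a pasted example UUID is caught while the chroot is still open.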
@ps-spark

@deimi Thank you very much, it was really helpful!

@deimi
Author

deimi commented Nov 13, 2023

@ps-spark you're welcome. Is it actually still valid or did you encounter something which has changed since 2019? I'm asking, because I switched to PopOS in the meantime, so I don't know the status of this as PopOS does a lot out of box regarding this.
So in the end if not all is valid anymore, we should mention this in the comments here

@ps-spark

@deimi It worked like a charm without any changes :)
