Optional: Using LUKS to encrypt the main partition
Nowadays encrypting storage devices is widely regarded best practice to protect user data, for instance in case of theft or as a measurement against espionage or stalking. On Linux this is usually realized via the Linux Unified Key Setup (LUKS) on top of the kernel's dm-crypt disk encryption system. The cryptsetup application is the reference implementation of LUKS and is used to manage encrypted storage and associated passphrases and keys.
Encrypting the main partition will make the creation of an initial RAM file system (initramfs) later on in the installation process mandatory - otherwise the kernel won't be able to access the rootfs. Also, the kernel must be configured to support device encryption.
To encrypt the main partition of the default partitioning scheme use cryptsetup and specify the cipher to use with the command line argument
-c aes-xts-plain64 (the default), the keysize with
-s 512 and the hash with
-h sha512. To ensure that instead of the legacy LUKS version the modern LUKS2 is used, pass the parameter
TODO: correct output
cryptsetup luksFormat --type luks2 -c aes-xts-plain64 -s 512 -h sha512
Enter password: Second time:
This will ask for a password that in future can be used to unlock the encrypted partition.
Before a filesystem can be created on the newly encrypted partition, it needs to be unlocked. In the example it will be named
main_crypt and thus afterwards be mapped to the device handle /dev/mapper/main_crypt. Make the main partition accessible with:
cryptsetup open main_crypt
At the password prompt, enter the password chosen before. If no error is shown the device should be unlocked now.