How do I preseed encrypting just the root partition?

I have 3 partitions: EFI (/boot/efi), boot (/boot) and root (/). I want to encrypt just /. I can do this manually via the installer, but I want to preseed it.

How do I define it? My (non-encrypted) recipe looks something like the below. It is something of a mishmash of suggestions for EFI System Partitions I have found (found no clear guide).

boot-root ::
  100 100 100 fat32
    $primary
    $iflabel{ gpt }
    $reusemethod( }
    use_filesystem{ } filesystem{ vfat }
    method{ efi } format{ }
    mountpoint{ /boot/efi }
  .
  300 300 300 ext4
    use_filesystem{ } filesystem{ ext4 }
    method{ format } format{ }
    mountpoint{ /boot }
  .
  100% 3000 100% ext4
    use_filesystem{ } filesystem{ ext4 }
    method{ format } format{ }
    mountpoint{ / }
  .

How do I make sda3 be a physical partition for LUKS-encryption and then have a filesystem on top of that?

UPDATE:

I discovered that I can set the partition to be crypto as below, but there are still 3 issues:

  1. I still need to create and activate the encrypted volumes on the chosen partition
  2. I still need to set the correct ext4 filesystem on the encrypted volume after created and activated
  3. The recipe doesn't select the encryption type to dm-crypt which is required for creating and activating the encrypted volumes.

Still struggling mightily

boot-root ::
  100 100 100 fat32
    $primary
    $iflabel{ gpt }
    $reusemethod( }
    use_filesystem{ } filesystem{ vfat }
    method{ efi } format{ }
    mountpoint{ /boot/efi }
  .
  300 300 300 ext4
    use_filesystem{ } filesystem{ ext4 }
    method{ format } format{ }
    mountpoint{ /boot }
  .
  100% 3000 100% ext4
    method{ crypto } format{ }
  .

Solution 1:

At first, open a root terminal:

sudo -i

Then fill the partition, which should be encrypted, with random data using a command like this:

openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt < /dev/zero > /dev/sdxy

You have to replace sdxy with the partition which will be encrypted. Then type

cryptsetup luksFormat --cipher twofish-xts-plain64 --key-size 512 --hash sha512 --iter-time 2000 /dev/sdxy

to encrypt the partition sdxy. Open the volume and name it root:

cryptsetup luksOpen /dev/sdxy root

Use this command to make an ext4 filesystem inside it:

mkfs.ext4 /dev/mapper/root

Next you can start the installer. Chose "Something else" when being asked what you would like to do. Then chose the mount points for all your not-encrypted partitions. For your root partition, select /dev/mapper/root, click "Change". Then select ext4 for the filesystem type and set the mount point to /. Then click "Install now" and install Ubuntu normally.

When finished installing click "Continue testing". Open a terminal and type:

sudo -i
cd /mnt
mkdir root
mount /dev/mapper/root root
mount /dev/sdyz root/boot

sdyz should be replaced with your boot partition. Next, type:

chroot root
mount -t proc proc /proc
mount -t sysfs sys /sys
nano /etc/crypttab

Open a second terminal and type sudo blkid. Find the UUID for root (the one that says crypto_luks in the end) and paste it into /etc/crypttab. Then the file /etc/crypttab should look something like this:

root UUID=d68911dd-172a-4608-86d4-084eb72f409c none luks

Close the file with Ctrl+x, y and Enter. Type nano /etc/fstab in the terminal and check if everything looks right (e.g. the UUIDs).

At last, quit the chroot environment and type:

cryptsetup luksHeaderBackup /dev/sdxy --header-backup-file /root/root.img

This puts an image of the header of the encrypted partition into the folder /root and names it root.img. Then move the image to an external drive (in case of forgetting the password). Now you can reboot into your newly installed Ubuntu.

Source: http://thesimplecomputer.info/full-disk-encryption-with-ubuntu