3.1.1 Configuring Encryption and /boot During Installation

During installation, if you select Encrypt my data on the Installation Destination screen and then perform manual partitioning, the Encrypt check box is not shown as selected on the Manual Partitioning screen. This check box refers to encryption that you can configure on a file system type that supports encryption or on an LVM logical volume that contains the file system. If you click Modify, the Encrypt check box on the Configure Volume screen is shown as selected for the volume, meaning that the encryption will be applied at the level of the underlying block device.

For LVM, selecting Encrypt my data encrypts the LVM physical volume and all the logical volumes that it contains. If you do not select Encrypt my data, you can encrypt the logical volume by selecting the Encrypt check box on the Manual Partitioning screen or encrypt the physical volume by selecting the Encrypt check box on the Configure Volume screen.

For btrfs, encryption can only be applied to the block device that contains the file system, including its subvolumes. For example, enabling encryption for the /home subvolume of a btrfs root file system implicitly enables encryption for the root file system itself. You can only select the Encrypt check box on the Configure Volume screen. As btrfs does not support encryption at the file-system level, you cannot select the Encrypt check box on the Manual Partitioning screen for a btrfs file system.

Do not select the Encrypt check box or a BTRFS, LVM, or LVM Thin Provisioning device type for /boot. The /boot file system must be configured on a standard partition and should be of type ext4 or XFS.
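To confirm after installation that a layout follows these rules, the following added example (not part of the original release notes) reads `lsblk` output and reports, for each mounted file system, whether encryption sits on the LVM physical volume, on the logical volume, or on the plain block device, and whether /boot is a standard ext4 or XFS partition. The function names, verdict strings, and sample device names are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the release notes. Reads the output of
#   lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT
# and prints "<mountpoint> <verdict>" for every mounted file system.
audit_layout() {
  awk '
    {
      split("", f); line = $0            # reset the per-line field map
      while (match(line, /[A-Z]+="[^"]*"/)) {
        pair = substr(line, RSTART, RLENGTH)
        line = substr(line, RSTART + RLENGTH)
        eq = index(pair, "=")
        f[substr(pair, 1, eq - 1)] = substr(pair, eq + 2, length(pair) - eq - 2)
      }
      k = f["KNAME"]; parent[k] = f["PKNAME"]; type[k] = f["TYPE"]
      fs[k] = f["FSTYPE"]; mnt[k] = f["MOUNTPOINT"]
    }
    END {
      for (n in mnt) {
        if (mnt[n] !~ /^\//) continue      # skip unmounted devices and swap
        verdict = "unencrypted"
        # Walk towards the disk looking for a dm-crypt mapping.
        for (d = n; d != ""; d = parent[d]) {
          if (type[d] != "crypt") continue
          if (fs[d] == "LVM2_member")        verdict = "encrypted-physical-volume"
          else if (type[parent[d]] == "lvm") verdict = "encrypted-logical-volume"
          else                               verdict = "encrypted-block-device"
          break
        }
        if (mnt[n] == "/boot") {           # /boot rule: plain partition, ext4 or XFS
          ok = (type[n] == "part" && (fs[n] == "ext4" || fs[n] == "xfs"))
          verdict = ok ? "ok-standard-partition" : "FAIL-" type[n] "-" fs[n]
        }
        print mnt[n], verdict
      }
    }' | sort
}
# Constructed sample: encrypted LVM physical volume, /boot on a plain XFS partition.
sample_layout() {
  cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="xfs" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" FSTYPE="xfs" MOUNTPOINT="/"
EOF
}

sample_layout | audit_layout
```

On a live system, pipe the real `lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT` output into `audit_layout` in place of the sample.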

When entering a password in the Disk Encryption Passphrase dialog, press Tab to move between the entry fields. You cannot use the mouse to select the fields.