How to encrypt only home without encrypting grub?

I’m trying to install Tumbleweed with encryption, and the problem is that I have to enter the encryption key twice. I did a search and found this post by “nrickert” from 2019, and followed the instructions.

“The easy way to do this with openSUSE:
At the partitioning step, you are offered a suggested (proposed) partitioning.
There’s a button you can click for “Guided Setup”. Click on that.
In the next screen (or second screen), check the box to use an LVM. Once you select that, there should also be a box to encrypt the LVM.
There, or on a later screen, there is a place where you can say that you want a separate “/home”. I suggest that. The wording might say “home partition” but it should give you a home logical volume in the LVM.
You should finish up with a partitioning proposal:
An EFI partition (if this is a UEFI system);
An encrypted LVM with volumes for root, home, swap”.

Well, I did that. When you check the LVM box you also have to check the encryption box so you can enter the encryption password. After that everything is automated. In other words, I didn’t get an option to encrypt just the home partition volume and leave the grub alone. So I’m back to square one. How can I encrypt the hard home partition and leave the grub alone?

Check out the following article about this very thing. This is what I use and it works great. You have to do it after you’ve already finished installing. You get the best of both worlds, full disk encryption but you only enter the password once.
https://en.opensuse.org/SDB:Encrypted_root_file_system#Avoiding_to_type_the_passphrase_twice

Since you mentioned me, I’ll comment some more.

I normally use a separate unencrypted “/boot”. Because of that, I only need to enter the encryption key once.

I am not using “btrfs”. If you are using “btrfs”, then it is best to not have a separate “/boot”. That’s so that if you rollback to an earlier snapshot, you will also rollback the kernel. Otherwise things can get confusing. In that case, you can use the suggestion of post #2 in this thread.

Alternatively, consider using an encrypted LVM with only the “/home” and swap file systems. Based on the thread title, that’s closer to what you asked for. But you may need to set up the LVM yourself. Another possibility is to use the guided setup, and tell it that you want a separate “/home”. And then there should be a choice to encrypt that “/home”. But it is best to also encrypt swap.

If you use the same encryption key for “/home” and swap, it should only be requested once during boot.
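
An added example, not part of any post in this thread: after installing with the layout suggested above (plain root, encrypted LVM holding only “/home” and swap), this script reports which mount points actually sit on top of a dm-crypt device. The function name `classify_mounts` and the sample device names are assumptions; the sample input is constructed.

```shell
#!/bin/sh
# Classify each mount point as "encrypted" or "plain" by walking its
# parent chain in `lsblk -P` output and looking for a TYPE="crypt" layer.
# On a real system: lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | classify_mounts

# Constructed sample: EFI partition, plain root, and an encrypted
# partition (dm-0) carrying LVM volumes for /home and swap.
SAMPLE='KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot/efi"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT="/"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda3" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/home"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"'

classify_mounts() {
  awk '
    # Return the value of KEY="value" on the current line ("" if absent).
    # The "(^| )" anchor keeps KNAME from matching inside PKNAME.
    function field(key,   m) {
      if (match($0, "(^| )" key "=\"[^\"]*\"")) {
        m = substr($0, RSTART, RLENGTH)
        sub("^ ?" key "=\"", "", m)
        sub("\"$", "", m)
        return m
      }
      return ""
    }
    {
      k = field("KNAME")
      parent[k] = field("PKNAME")
      type[k]   = field("TYPE")
      mnt[k]    = field("MOUNTPOINT")
      order[++n] = k
    }
    END {
      for (i = 1; i <= n; i++) {
        k = order[i]
        if (mnt[k] == "") continue          # not mounted, nothing to report
        state = "plain"
        for (d = k; d != ""; d = parent[d]) # walk up towards the disk
          if (type[d] == "crypt") { state = "encrypted"; break }
        print mnt[k], state
      }
    }'
}

printf '%s\n' "$SAMPLE" | classify_mounts
```

If “/” or “/boot” shows up as encrypted, GRUB has to unlock the volume itself, which is where the second passphrase prompt comes from.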