15

I'm reinstalling Ubuntu, and want to do full disk encryption. After selecting it, I'm given a choice to also encrypt the Home folder.

Since Ubuntu doesn't use a separate partition for the Home folder (afaik), wouldn't full disk encryption already cover the Home folder? Does adding Home folder encryption add more security of some kind?

5 Answers

19

"It depends".

Whole disk encryption will use LUKS and everything but /boot will be encrypted, including your data in /home.

This prevents unauthorized access to the system from a cold boot. Once the system is fully booted, however, everything, including /home, is decrypted.

Encrypting /home uses ecryptfs and your home directory will be encrypted when you are not logged in. This prevents root or other users from accessing your data in /home. Your data, however, is decrypted as long as you are logged in.

Pablo Bianchi
Panther
5

If you're using the guided full disk encryption, your home partition will be part of the encrypted LVM, and thus you're right: it is already covered by that.

I think it will add hardly any security but complexity if you still encode your home folder. (transparent encode within block level encode)

A possible use case might be that you share the machine with other users (who know the disk passphrase) and you want your data inaccessible by them.

So I basically just agree with your guesses :]

2

18.04 Update

Only Full Disk Encryption is standard with 18.04; Home encryption is gone from the installer.

After making a fully encrypted installation to USB I examined the results with both Disks and GParted.

The encrypted extended partition was fully encrypted. Swap is a file within this partition (and not a partition on its own), and is also encrypted.

Home is a directory within the encrypted partition and thus is also encrypted.

The Boot partition is not encrypted. The disk must first be booted before it can be decrypted.

Pablo Bianchi
C.S.Cameron
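
The layering described in the answers above (LUKS/dm-crypt under everything but /boot, ecryptfs optionally stacked on a home directory) can be checked from the command line as well as with Disks or GParted. The following is an added example, not code from any of the answers: it classifies each mount point from `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output and `/proc/mounts`. The sample data, device names and the user `alice` are constructed assumptions.

```python
import json
import os

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` for a guided
# encrypted-LVM install; device names are assumptions.
SAMPLE_LSBLK = json.dumps({"blockdevices": [{"name": "sda", "type": "disk", "children": [
    {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
    {"name": "sda5", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None,
     "children": [{"name": "sda5_crypt", "type": "crypt", "fstype": "LVM2_member",
                   "mountpoint": None, "children": [
         {"name": "ubuntu--vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
         {"name": "ubuntu--vg-swap_1", "type": "lvm", "fstype": "swap",
          "mountpoint": "[SWAP]"}]}]}]}]})

# Constructed /proc/mounts excerpt; the ecryptfs line exists only while alice is logged in.
SAMPLE_MOUNTS = """\
/dev/mapper/ubuntu--vg-root / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime 0 0
"""

def block_layers(lsblk_json):
    """Mount point -> 'dm-crypt' if any ancestor device has TYPE crypt, else 'plaintext'."""
    found = {}
    def walk(dev, under_crypt):
        under_crypt = under_crypt or dev.get("type") == "crypt"
        if dev.get("mountpoint"):
            found[dev["mountpoint"]] = "dm-crypt" if under_crypt else "plaintext"
        for child in dev.get("children", []):
            walk(child, under_crypt)
    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return found

def encryption_layers(lsblk_json, proc_mounts):
    """Mount point -> list of layers, stacking ecryptfs on the block layer beneath it."""
    block = block_layers(lsblk_json)
    layers = {mp: [kind] for mp, kind in block.items()}
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "ecryptfs":
            lower, target = fields[0], fields[1]
            # The encrypted lower files sit on the block mount that is the
            # longest path prefix of the ecryptfs source directory.
            parents = [mp for mp in block if mp.startswith("/")
                       and os.path.commonpath([mp, lower]) == mp]
            base = block[max(parents, key=len)] if parents else "unknown"
            layers[target] = [base, "ecryptfs"]
    return layers

if __name__ == "__main__":
    for mp, stack in sorted(encryption_layers(SAMPLE_LSBLK, SAMPLE_MOUNTS).items()):
        print(f"{mp:12} {' + '.join(stack)}")
```

On a real system, feed it the actual `lsblk` output and the contents of `/proc/mounts`; a swap file, as in the 18.04 layout, appears in `/proc/swaps` rather than in `lsblk`.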
2

I think that option covers the case in which you choose to put the home folder in another drive/partition. Notice how you can set different mount points in different drives/partitions when you choose "Something else" during the "Installation type" step of the installation process:

This is the only picture I could find; it's from an old distribution, but the same still applies to the latest releases.

kos
0

21.04 update

I passed by this question while I was looking for an answer for the same problem, and I managed to do the same thing successfully on Ubuntu 21.04 desktop, using the following answer:

How do I install 18.04 using full disk encryption with two drives (SSD/HDD)

ipshel