Score:2

Hybrid Ubuntu with /home in an hdd encrypted

So, I bought an SSD and I'm planning to install Ubuntu 20.04 on it. As I've read before, if I do full disk encryption I may lose SSD performance. So I thought about doing this:

I want to install the system in the SSD but move the /home to a HDD. The tricky part is that I want just the HDD (and my sensitive content) to be encrypted.
How could I do this?

I saw a lot of tutorials about the case of a hybrid installation with the SSD+HDD encrypted, which is different from what I want.

To do what I want, I thought about installing Ubuntu normally on the SSD, creating a partition on my HDD, encrypting it and then moving the /home folder. But I don't know if it would work since... For example: how could I automatically decrypt this HDD at system startup?

I accept any help.

Score:1
Yes, you can do what you are describing. I do exactly the same myself, install the OS on an SSD partition unencrypted, and mount an encrypted partition into /home/$USER.

Start by installing the system on your SSD partition as usual, choose your username (I assume username below) and then boot into your new system.

After that there are basically four steps you need to follow:

1. Create an encrypted partition to serve as home

I will not detail this as you will find enough tutorials on this. Let me know if a step-by-step description is desired. Basically you prepare the partition of your choice as a LUKS-encrypted partition using cryptsetup and format it with a file system of your choice.

2. Copy your home folder contents to the new encrypted partition

Mount your new encrypted partition somewhere and copy the contents from the /home/username folder of your newly installed system into it, so after reboot everything is in place.

3. Add the encrypted home partition to /etc/crypttab

You will then need to add that encrypted partition to your /etc/crypttab file on your new system. The line to add looks like this:

cryptHome UUID=64342713-8b12-49a3-9238-390f0d87803f none luks

Note that cryptHome is a freely choosable identifier you will need in the next step. none just tells it not to use a keyfile and ask for the password interactively on boot. luks is the encryption type.

To find the UUID to use here, do lsblk -f and find the partition you encrypted in step 1. The UUID you want is the one with crypto_LUKS as file system.

4. Add the mapped LUKS partition to /etc/fstab

Finally, you need to add the mapped device (after it has been decrypted by cryptsetup) to your fstab to be mounted automatically on /home/username. The line to add looks like this:

/dev/mapper/cryptHome /home/username jfs defaults 0 2

Adapt to the identifier you used in /etc/crypttab, the actual name of your user and the actual file system you used to format your encrypted partition.

Reboot

After reboot, the system will ask you for the passphrase to decrypt the encrypted partition, and then for your user account password as usual. You should be all set with the encrypted partition mounted under /home/username.

Of course this procedure also works with any other encrypted partitions that you want to unlock and mount on boot.
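
The following is an added example, not part of the original answer: a pre-reboot check that the fstab entry for the home mount point refers to a mapper name that /etc/crypttab actually defines, since a mismatch between steps 3 and 4 leaves the partition unmounted at boot. The helper names find_entry and check_home_mapping are hypothetical, and the sample files are constructed from the two lines shown above.

```shell
#!/bin/sh
# Added example: cross-check crypttab against fstab before rebooting.
# find_entry and check_home_mapping are hypothetical helper names.

# Print the first non-comment line of FILE whose field COL equals VALUE.
find_entry() {  # usage: find_entry FILE COL VALUE
    awk -v col="$2" -v val="$3" '$1 !~ /^#/ && $col == val { print; exit }' "$1"
}

check_home_mapping() {  # usage: check_home_mapping CRYPTTAB FSTAB MOUNTPOINT
    crypttab=$1; fstab=$2; mnt=$3
    fs_line=$(find_entry "$fstab" 2 "$mnt")
    [ -n "$fs_line" ] || { echo "error: no fstab entry for $mnt" >&2; return 1; }
    dev=$(echo "$fs_line" | awk '{ print $1 }')
    case $dev in
        /dev/mapper/*) name=${dev#/dev/mapper/} ;;
        *) echo "error: $mnt uses $dev, not a /dev/mapper device" >&2; return 1 ;;
    esac
    ct_line=$(find_entry "$crypttab" 1 "$name")
    [ -n "$ct_line" ] || { echo "error: $name not defined in crypttab" >&2; return 1; }
    src=$(echo "$ct_line" | awk '{ print $2 }')
    key=$(echo "$ct_line" | awk '{ print $3 }')
    # With an unencrypted root, a key file kept there would be readable by anyone with the disk.
    [ "$key" = "none" ] || echo "warning: $name unlocks with key file $key" >&2
    echo "ok: $src -> /dev/mapper/$name -> $mnt"
}

# Constructed sample files; on a real system pass /etc/crypttab and /etc/fstab.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '# <name> <device> <keyfile> <options>' \
        'cryptHome UUID=64342713-8b12-49a3-9238-390f0d87803f none luks' > "$tmp/crypttab"
    printf '%s\n' 'UUID=constructed-root / ext4 errors=remount-ro 0 1' \
        '/dev/mapper/cryptHome /home/username jfs defaults 0 2' > "$tmp/fstab"
    check_home_mapping "$tmp/crypttab" "$tmp/fstab" /home/username
    rm -rf "$tmp"
}

demo
```

On an installed system, run `check_home_mapping /etc/crypttab /etc/fstab /home/username` before rebooting; the mapper name comparison is case-sensitive.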

kplt: Hey! Thanks for your answer. Well, after I did what you wrote, I cannot enter my user anymore. I enter the password and nothing happens.
Sebastian: Which password, the encryption password or the login password? I assume you tested that the encrypted partition works before?