
Thread: How2 install 12.3 encrypted LVM with TWO physical HD's

  1. #1

    Default How2 install 12.3 encrypted LVM with TWO physical HD's

    Hello Forumers,

    Due to a hard disk crash on my wonderful 12.1 machine I take the opportunity to do a fresh install with 12.3.
    I have two empty Harddisks (each 2 TB) and want to install an encrypted LVM using both of these HD's.

    However, the installer only uses ONE of those two disks to install the encrypted LVM.
    I found no way to make it use both. Using the expert partitioner within install does not give me the possibility to encrypt the LVM.

    So I installed on just one HD and wanted to add the second HD later in Yast to that volume group. But I found no way for this. I tried to add a second volume group using the second HD, but then Yast crashed.

    After that, sadly sadly, Opensuse 12.3 does not support boot.crypto anymore I am forced to use LVM. OK, as I have no choice, I accept.

    But hell, how can I use both of my disks encrypted (except the /boot partition)? Can anybody bring me on the right way? I googled with absolutely no usable results...

    regards

    Daniel

    b.t.w. I tried various installations. I deleted all partitions. No success. I added one unformatted partition to each of the HDs. No success. I tried to add the second HD to the volume group (or adding a second volume group) without partition, with unformatted partition, and with formatted partition...

  2. #2
    Join Date
    Sep 2012
    Posts
    5,119

    Default Re: How2 install 12.3 encrypted LVM with TWO physical HD's

    Originally posted by danielbasel:
    > However, the installer only uses ONE of those two disks to install the encrypted LVM.

    What exactly do you call "encrypted LVM"? Please explain what configuration you try to achieve in detail. Of course I can create two encrypted devices and volume group on top of them. This will give me fully encrypted LVM.

    > Using the expert partitioner within install does not give me the possibility to encrypt the LVM.

    Yes, this is currently missing. Assuming we speak about the same. Please explain step by step what you do.

    > So I installed on just one HD and wanted to add the second HD later in Yast to that volume group. But I found no way for this. I tried to add a second volume group using the second HD, but then Yast crashed.

    Again your description is far too vague to be useful.

    > After that, sadly sadly, Opensuse 12.3 does not support boot.crypto anymore I am forced to use LVM.

    Nobody was able to explain what is broken without boot.crypto. So far it is just town legend.

  3. #3
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,608
    Blog Entries
    3

    Default Re: How2 install 12.3 encrypted LVM with TWO physical HD's

    Originally posted by danielbasel:
    > Using the expert partitioner within install does not give me the possibility to encrypt the LVM.

    The ability to setup an encrypted LVM during install does seem limited.

    I have been successful booting from a live CD (or, actually USB), and setting it up with Yast. Then, when installing at a later time, the installer will use the encrypted LVM, though that might require the expert partitioner.

    I have not tried this with an LVM that spans two disks.

    Originally posted by danielbasel:
    > After that, sadly sadly, Opensuse 12.3 does not support boot.crypto anymore I am forced to use LVM. OK, as I have no choice, I accept.

    I'm not sure what "boot.crypto" problem you are having. As far as I know, systemd does the same thing.

    I have a system setup with encrypted swap and encrypted "/home", and it is working just fine.

    One suggestion that I have seen: Setup your system with an encrypted LVM containing only the root file system. Then, after install, setup encrypted swap and encrypted "/home" separate from the LVM.

    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  4. #4

    Default Re: How2 install 12.3 encrypted LVM with TWO physical HD's

    Originally posted by arvidjaar:
    > What exactly do you call "encrypted LVM"? Please explain what configuration you try to achieve in detail. Of course I can create two encrypted devices and volume group on top of them. This will give me fully encrypted LVM.

    (I use the German version, so my translations will differ from what the English installer actually shows...)

    I boot the OS 12.3 installer dvd and go thru the steps until I can select the disk layout. There I choose "Use LVM", "make separate /home" and check "encrypt LVM".

    The installer creates a partition table (that I can see after clicking "edit partition"): a small /boot, and encrypted LVM volume group, containing /, /home and swap. All on the first physical HD, the second remains unused (and can be seen under "unused devices").

    ...

    > Again your description is far too vague to be useful.

    I simply accepted the partition layout as the installer gave (see above) and finished the install. Booted and let the installation complete. Then rebooted, went to Yast and searched for a way to add the second physical HD to the encrypted volume group, so that it will be part of that and encrypted as well.

    I can't give you a list of all the ways I tried (too many), but I found no way to add the second physical drive.

    > Nobody was able to explain what is broken without boot.crypto. So far it is just town legend.

    On my last system (12.1) I had a /boot partition, and encrypted my other partitions (not LVM) /root, /home, swap using cryptsetup, installed the filesystem on them, adjusted fstab etc. I needed to run boot.crypto so that at boot the password was asked. I had to enter the password only once and all three partitions were available for use.

    I'd be more than happy if I can achieve the same without having to use LVM.

    I read that systemd now takes the task of what earlier did boot.crypto, but I have not found any description of how to achieve, that at boot the password for the encrypted /root will be asked and then the other encrypted partitions (/home and /swap) will be mounted using the passphrase that is saved in /root.

    I really googled a lot, but all I found was "systemd makes boot.crypto obsolete". But I can't find out what I have to do. This is the ONLY reason why I tried with LVM.

    However my computer is still empty and I can try out whatever somebody suggests... If only in the end I have a fully encrypted system :-)

    regards

    Daniel

  5. #5

    Default Re: How2 install 12.3 encrypted LVM with TWO physical HD's

    Originally posted by arvidjaar:
    > Of course I can create two encrypted devices and volume group on top of them. This will give me fully encrypted LVM.

    I also tried another approach with the installer:

    After choosing "Use LVM" just as above, I clicked "create partitions". There I created a /boot (to format with ext2), and an UNformatted partition with remaining space on physical drive 1, and an UNformatted partition of the complete available space on physical drive 2. When creating those unformatted partitions I selected "encrypt device" and entered the passphrase, for both the same.

    Then I created a volume group using "Volume manager", added the two unformatted, encrypted partitions, and created /, /home and swap as logical volumes within that volume group. It went fine. But at boot I am asked 3 times for the passphrase. First "Please enter LUKS passphrase", after that "enter passphrase for disk 1" and the same for disk 2. Then it boots and works normal. But entering the passphrase 3 times is really too much...

  6. #6
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: How2 install 12.3 encrypted LVM with TWO physical HD's

    On 2013-04-04 05:16, arvidjaar wrote:
    >> After that, sadly sadly, Opensuse 12.3 does not support boot.crypto
    >> anymore I am forced to use LVM.

    > Nobody was able to explain what is broken without boot.crypto. So far
    > it is just town legend.


    Nobody has documented how to do with systemd what we did with
    boot.crypto, AFAIK.


    For example, to manually mount an encrypted data partition, that is not
    mounted at boot, I currently do:

    Code:
    
    > Telcontar:~ # rccrypto start cr_other
    > Unlocking cr_other (/dev/disk/by-id/ata-ST3500418AS_9VM7ZCQQ-part10)
    > Enter passphrase for /dev/disk/by-id/ata-ST3500418AS_9VM7ZCQQ-part10:
    > [/sbin/fsck.xfs (1) -- /data/other] fsck.xfs -a /dev/mapper/cr_other
    > /sbin/fsck.xfs: XFS file system.
    > cr_other...                                             done
    > Telcontar:~ #
    This takes configuration data from fstab and /etc/crypttab. Notice that
    the above sequence is also doing an fsck previous to mounting the partition.


    How do I do all that with systemd?


    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.1 x86_64 "Asparagus" at Telcontar)

  7. #7
    Join Date
    Sep 2012
    Posts
    5,119

    Default Re: How2 install 12.3 encrypted LVM with TWO physical HD's

    Originally posted by robin_listas:
    > This takes configuration data from fstab and /etc/crypttab.
    >
    > How do I do all that with systemd?

    Surprise - systemd takes configuration data from fstab and /etc/crypttab. So I once more try to ask - what does not work? The fact that systemd does not cache and reuse passphrase for multiple containers is known, but it hardly qualifies as "broken".
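
The point made in the post above (configuration comes from /etc/crypttab, and each container is asked for separately), as an added example that is not part of the thread: a shell function that lists which crypttab entries will prompt for a passphrase at boot. It assumes the crypttab(5) field layout (name, device, key file, options), where a key-file field that is absent, `none` or `-` means an interactive prompt and the `noauto` option means the volume is not unlocked at boot. The sample entries and device names are constructed; only the name `cr_other` is taken from the thread.

```shell
#!/bin/sh
# Added example: report which crypttab entries prompt for a passphrase at boot.
# Assumed field layout (crypttab(5)): name  device  [keyfile]  [options]

crypttab_boot_prompts() {
    # $1: path to a crypttab-format file
    awk '
        /^[ \t]*(#|$)/ { next }     # skip comments and blank lines
        NF < 2         { next }     # name and device are mandatory
        {
            key  = (NF >= 3) ? $3 : "none"   # missing key field means "ask"
            opts = (NF >= 4) ? $4 : ""
            noauto = 0
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "noauto") noauto = 1
            if (noauto) next                 # opened later by hand, not at boot
            if (key == "none" || key == "-") print $1
        }
    ' "$1"
}

# Constructed sample: two LUKS partitions used as LVM physical volumes,
# swap keyed from /dev/urandom, and a data volume that is opened manually.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# name      device      keyfile        options
cr_sda2     /dev/sda2   none
cr_sdb1     /dev/sdb1   none
cr_swap     /dev/sdc1   /dev/urandom   swap
cr_other    /dev/sdd1   none           noauto
EOF

echo "Passphrase prompts at boot:"
crypttab_boot_prompts "$sample"    # one line per prompting container
rm -f "$sample"
```

Each name printed is one container that asks for its own passphrase when nothing caches the first answer.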

  8. #8
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: How2 install 12.3 encrypted LVM with TWO physical HD's

    On 2013-04-04 13:26, arvidjaar wrote:
    > So I once more try to ask - what does *not* work?


    Again: how do I manually mount an encrypted partition at a moment of my
    choosing, not at boot? Ie, the command I posted, what is the systemd
    equivalent? Including the fsck, of course.

    > The
    > fact that systemd does not cache and reuse passphrase for multiple
    > containers is known, but it hardly qualifies as "broken".


    I would call that as a broken feature, yes. :-)

    It means that you have to use a single LVM container instead of plain
    partitions, or suffer multiple prompts for the same password.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.1 x86_64 "Asparagus" at Telcontar)

  9. #9
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,608
    Blog Entries
    3

    Default Re: How2 install 12.3 encrypted LVM with TWO physical HD's

    Originally posted by danielbasel:
    > Then I created a volume group using "Volume manager", added the two unformatted, encrypted partitions, and created /, /home and swap as logical volumes within that volume group. It went fine. But at boot I am asked 3 times for the passphrase. First "Please enter LUKS passphrase", after that "enter passphrase for disk 1" and the same for disk 2. Then it boots and works normal. But entering the passphrase 3 times is really too much...

    I don't have a multi-disk setup where I could try that here.

    What I would do, in that case, is run:
    Code:
    # mkinitrd
    to rebuild the "initrd". My experience with crypto, is that the initrd is built based on the currently running system. When this is done during install, it is done in a "chroot" environment, which doesn't always get everything right. Another "mkinitrd" done after booting the real system will do a better job.

    I don't know if it will fix your problem. Normally, "plymouth" is supposed to handle the crypto, caching the passphrase. And the "initrd" is supposed to guide some of that.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  10. #10
    Join Date
    Sep 2012
    Posts
    5,119

    Default Re: How2 install 12.3 encrypted LVM with TWO physical HD's

    Originally posted by danielbasel:
    > I found no way to add the second physical drive.

    Yes, this looks like one of those YaST limitations (unrelated to systemd). And even when I try to create simple encrypted partition without using it for something else, it fails - not even partition itself is created.

    It is possible during initial installation though - manually create (encrypted) partitions, create new volume group and add all these partitions at once when creating new group. This works.

    Care to file bug report about inability to extend volume group?
