
Thread: Disk Encryption During Install Time Issues

  1. #1

    Disk Encryption During Install Time Issues

    1. During TW installation, if there's an encrypted volume present on the HDD, the install will ask to unlock it. Unlocking it makes automatic partitioning fail later on. If the volume isn't unlocked, I can use the Entire Disk install method (with the following issue).

    2. If I use automatic partitioning and try to use encryption, the wizard will want to add both a /boot/efi and /boot partition (the latter being an unknown Linux Native partition). Both partitions are the same size. Continuing with install will result in a -3005 error during the partitioning phase. Using automatic partitioning followed by using Expert Partitioning and then removing the /boot partition will allow installation to succeed and work afterwards.

    3. After install, I'm asked for my drive passphrase twice (once by GRUB, and again during boot). I don't think I've ever seen GRUB ask for a passphrase before (Ubuntu and Fedora both only ask once during boot).

    I'm using the latest TW installation media (April 05) and installing via UEFI. I'm using XFS on my root partition and no separate Home partition, along with LVM + Encryption.

  2. #2

    Re: Disk Encryption During Install Time Issues

    I must be doing things differently.

    I do use an encrypted LVM. I first did that with opensuse 11.4 (if my memory is correct), and allowed the installer to make most of the decisions. That was on an older computer with limited disk space, so there wasn't much flexibility possible.

    I later tried on a newer computer (also opensuse 11.4), and found it hard to persuade the installer to partition the way that I want it.

    What I have settled on to solve that problem, and what I always use now, is:

    Partition first before install. Set up encryption first before install. Set up LVM first before install.

    I normally use "fdisk" from the command line to partition. I then encrypt, either using "cryptsetup" from the command line, or using Yast partitioner (probably booted to a live CD or similar). I then use Yast partitioner to create the LVM, and divide it into volumes.

    My experience with Yast partitioner is that it is best to create the partition with type code 83. If I set the type code to that for an LVM, it confused Yast. The basic method is to create the LVM as a logical entity, then add space to it. And Yast will add space from an encrypted partition, but it is confused if I try to add space from what it thinks is an existing LVM. So leave the partition type code at 83. Open it with "cryptsetup" or Yast partitioner (i.e. assign a virtual "/dev/mapper/name" to access it). Then add that space to the LVM.

    For the actual install, I select "create partitioning" in the partitioning section of install. Next, I choose "custom partitioning". That gives me a list of partitions and logical volumes. I then right click and select "Edit" to tell the partitioner what to do with particular partitions and/or logical volumes. Installs usually go smoothly. My most recent install was with Tumbleweed 20150330 a few days ago -- mostly a trial install to test the installer.

    As for "/boot" and "/boot/efi": If you have UEFI hardware and booted the installer in UEFI mode, then it will want "/boot/efi". With Tumbleweed, it does not insist on a separate "/boot", though you probably want one.

    "/boot/efi" needs to be a FAT formatted partition. If you have a UEFI computer, then it probably came with an existing EFI partition. It is best to use that. DO NOT reformat. Just accept its current format. The install will create its own subdirectory "opensuse" within that EFI partition, and put a small amount of data there.

    Here's what I have there on my opensuse 13.2 desktop:
    Code:
    ls -l /boot/efi/EFI/opensuse
    total 3544
    -rwxrwxr-x 1 root root      58 Nov  1 07:43 boot.csv
    -rwxrwxr-x 1 root root     150 Nov  1 07:43 grub.cfg
    -rwxrwxr-x 1 root root  918392 Nov  1 07:43 grub.efi
    -rwxrwxr-x 1 root root  119296 Nov  1 07:43 grubx64.efi
    -rwxrwxr-x 1 root root 1276328 Nov  1 07:43 MokManager.efi
    -rwxrwxr-x 1 root root 1286112 Nov  1 07:43 shim.efi

    I normally use a separate partition for "/boot", which I format as "ext2". That will contain the kernels, part of the grub boot software, the "initrd" files. Those are outside of the encrypted space. Boot loads a kernel and initrd, and then software from the "initrd" opens the encrypted LVM so that the encrypted space is available to the rest of the system startup.

    It is possible to avoid a separate "/boot", but at present you will need to disable secure-boot for that to work. There's a fix that has been submitted for this (bug 917427), but the fix has not yet made it into Tumbleweed. If you do not use a separate unencrypted "/boot", then you will be prompted twice for the encryption. The first time will be prompting by "grub2" or "grub2-efi" so that it can access the kernel and "initrd". The second prompt will come from running linux code in the "initrd" used to make the encrypted LVM accessible for the rest of startup.

    I probably gave too much information above (more than you wanted). But feel free to ask for additional details or explanations as needed.
    opensuse Leap 42.3; KDE Plasma 5;
    opensuse tumbleweed; KDE Plasma 5 (test system);
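
The reply above ties the number of passphrase prompts to whether "/boot" sits inside the encrypted space. The following check is an added example, not part of any post in this thread: it reads `lsblk` pairs output and reports which boot stages will ask for the passphrase. The function names and the sample device layout are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: which boot stage will ask for the LUKS passphrase?
# Live use: lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | boot_prompts
# Prints "grub+initrd" (two prompts), "initrd" (one prompt) or "none".
boot_prompts() {
  awk '
    # Walk from a device up through its parents looking for a dm-crypt layer.
    function on_crypt(dev) {
      while (dev != "") {
        if (dtype[dev] == "crypt") return 1
        dev = parent[dev]
      }
      return 0
    }
    {
      k = p = t = m = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "="); v = kv[2]; gsub(/"/, "", v)
        if (kv[1] == "KNAME") k = v
        else if (kv[1] == "PKNAME") p = v
        else if (kv[1] == "TYPE") t = v
        else if (kv[1] == "MOUNTPOINT") m = v
      }
      # Simplification: a device listed under several parents keeps the last.
      parent[k] = p; dtype[k] = t
      if (m == "/boot") boot = k
      if (m == "/") root = k
    }
    END {
      # Without a separate /boot, kernel and initrd live on the root filesystem.
      kernel_dev = (boot != "") ? boot : root
      if (on_crypt(kernel_dev)) print "grub+initrd"
      else if (on_crypt(root)) print "initrd"
      else print "none"
    }'
}

# Constructed sample: separate /boot outside the encrypted LVM.
layout_separate_boot() {
  cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot/efi"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda3" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
EOF
}
# Constructed sample: same disk with no separate /boot.
layout_no_separate_boot() { layout_separate_boot | grep -v 'MOUNTPOINT="/boot"$'; }

layout_separate_boot | boot_prompts
layout_no_separate_boot | boot_prompts
```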

  3. #3

    Re: Disk Encryption During Install Time Issues

    Quote, originally posted by nrickert:
        There's a fix that has been submitted for this (bug 917427), but the fix has not yet made it into Tumbleweed.

    What do you mean?
    Code:
    * Mon Feb 16 2015 arvidjaar@gmail.com
    - add luks, gcry_rijndael, gcry_sha1 to signed EFI image to support
      LUKS partition in default setup (boo#917427)

  4. #4

    Re: Disk Encryption During Install Time Issues

    Quote, originally posted by arvidjaar:
        What do you mean?

    I'm referring to:
    Code:
    I submitted as srid#287615 and should be rolling into tumbleweed update soon.

    (the final comment in the bug report).

    That change still has not rolled into Tumbleweed.
    opensuse Leap 42.3; KDE Plasma 5;
    opensuse tumbleweed; KDE Plasma 5 (test system);
