
Thread: About encrypted partitions during installation - grub

  1. #1

    About encrypted partitions during installation - grub

    Hello everyone,

    I have set up multiple new installations, starting with Windows then Leap 15 (/, /home and swap) and at last Tumbleweed (/, /home and swap).
    With TW I decided to set up encryption right during the installation process so that all partitions would be encrypted. So far so good.

    After the installation upon powering on the PC I get a password prompt before grub boot menu is being shown.
    I'm asked to type in the passphrase for hd2/gpt8 ID xxxxx, which should be the LUKS encrypted root partition of TW.
    After I type in the passphrase I get to the regular grub bootloader screen, where I can select Windows, Leap or TW. All of these boot fine.

    Upon starting TW I get prompted again for a passphrase, this time for the encrypted /home partition (which is the same passphrase as for /).

    My question:

    The way it seems to be working is that I have to type in my passphrase before I get to grub, which means I cannot boot into Leap or Windows without typing in the passphrase for TW.
    Could anyone explain why this is the case? Is there a way to set it up (in this case: change it) in a way that it would only prompt for a passphrase when I select TW from grub?

    Thanks a lot.

    David

  2. #2

    Re: About encrypted partitions during installation - grub

    How you want it is how my machine works. I, too, used encryption as part
    of the installation, but perhaps we did so differently.

    With my installation I chose to use LVM for partitioning, and then set up
    as follows:
    /boot (as its own partition)
    swap (as its own LVM volume)
    / (as its own LVM volume)
    /home (as its own LVM volume)

    During the install there is an option to encrypt with LVM, meaning
    everything in LVM (swap, /, and /home) is encrypted, and uses one
    passphrase, and is prompted for after Grub decides to boot the Linux side
    of things.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.

  3. #3

    Re: About encrypted partitions during installation - grub

    Originally Posted by SF6:
    Upon starting TW I get prompted again for a passphrase, this time for the encrypted /home partition (which is the same passphrase as for /).
    I would have expected a prompt for "/" if that is encrypted. That needs to be accessed and mounted before "/home".

    Could anyone explain why this is the case? Is there a way to set it up (in this case: change it) in a way that it would only prompt for a passphrase when I select TW from grub?
    The grub menu is stored in "/boot/grub2/grub.cfg". And grub cannot access that without first decrypting the root partition.

    To avoid this, you would need a separate unencrypted "/boot" partition. And you might need to use the expert partitioner for this. I'm not sure, since I don't think I have installed TW with encryption since the switch to the new partitioner. Leap 15, which is using the new partitioner, is not suggesting a separate "/boot".

    And then there's the other issue. If you are using "btrfs" for the root file system, then that works best if you DO NOT have a separate "/boot".

    Personally, I am using:
    • a separate unencrypted "/boot";
    • an encrypted LVM with root, "/home", swap;
    • the "ext4" file system for root and for "/home".


    I do actually have one system where I have to give the encryption key twice (where "/boot" is part of the root file system and not a separate partition). I originally installed that with "btrfs", but decided that I didn't like it so I reinstalled with "ext4".
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  4. #4

    Re: About encrypted partitions during installation - grub

    You can get a password prompt for encrypted LVM _after_ grub provided you are using Legacy BIOS mode. That's how I currently have a multi-boot setup for tumbleweed on one of my systems. Like you, I wanted the convenience to select other operating systems without entering a password. Also, that way I am only prompted a single time (I don't encrypt home within the encrypted LUKS) for the password (not a password to get grub, then another after tumbleweed/leap).

    There is a downside to this that should have been obvious to me, but I didn't consider it at the time. You lose the ability to have snapshots in GRUB with BTRFS. Snapshots with btrfs really are one of SUSE's advantages over other distributions. It gives you a parachute when things go wrong. I had an ah-ha moment early when trying leap using proprietary video card drivers that had a conflict and logged into black. No cursor, no terminal, and the box didn't have remote access. It could have been a painful recovery process, but I simply rebooted and selected the previous snapshot automatically made when I added the drivers and was back again. I still have snapper, but having access through grub is nice. Without feeding grub the password you are not going to get access to the snaps.

    It sounds like you already have UEFI going, so it may be a moot point.

    You didn't ask about it and you can run your system as you please... so I may be out of line here, but have you looked at the performance hit from having encrypted home within LUKS? Especially since you are reusing passwords between LUKS and home.

  5. #5

    Re: About encrypted partitions during installation - grub

    Originally Posted by AnneSession:
    Also, that way I am only prompted a single time (I don't encrypt home within the encrypted LUKS) for the password (not a password to get grub, then another after tumbleweed/leap).
    That's actually not an issue.

    On my current desktop, I have an encrypted LVM. And I also have an encrypted data partition ("/shared"). I am only prompted once for the encryption key. That works because both (LVM and "/shared") use the same key. The code that prompts for keys (in "plymouth") tries the key it already has before prompting for a different key. And if you are not using "plymouth", then I'm pretty sure that "dracut" (the "initrd") does the same thing.

    There is a downside to this that should have been obvious to me; but I didn't consider it at the time. You lose the ability to have snapshots in GRUB with BTRFS.
    Yes, I think this is why the new installer (really, the new partitioner) is no longer suggesting a separate "/boot".

    You need "/boot" to be part of that "btrfs" partition, so that when you roll back to an earlier snapshot, that also rolls back the boot configuration.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  6. #6

    Re: About encrypted partitions during installation - grub

    Thanks for all your help.
    I guess I made the mistake of using the guided partitioner instead of expert mode. This way I did not get an LVM but something else... hm, it's encrypted, but it forces the aforementioned behavior.

    Is there a way to revert this? Since this is only my "play around" PC I can easily reinstall TW. Now I have multiple partitions, one Windows, one for Leap 15 (/,/home and swap) and the same for TW (except these are encrypted).
    Can I now simply delete all TW partitions and boot from TW installation media and reinstall using LVM? Will this mess up my Grub bootloader?

    Thanks again.

  7. #7

    Re: About encrypted partitions during installation - grub

    Originally Posted by SF6:
    This way I did not get an LVM but something else... hm, it's encrypted, but it forces the aforementioned behavior.
    Whether it is LVM or not is irrelevant. What matters is whether /boot is located on an encrypted filesystem or not. What you got is a plain encrypted partition without LVM, which is finally possible now.
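    As an added example (not posted by anyone in this thread), here is a shell check for the question posts #3 and #7 boil down to: whether the filesystem that holds /boot sits on top of a dm-crypt/LUKS device. It walks the parent chain that `lsblk` exposes in its PKNAME column; the device names (nvme0n1p8, cr_root, cr_lvm, system-root) and the two lsblk listings are constructed samples, not output from the poster's machine.

```shell
# Added example: does the filesystem behind a mount point (default /boot) sit on a
# dm-crypt/LUKS device? Any TYPE="crypt" ancestor in lsblk's PKNAME chain means GRUB
# has to unlock it before it can read grub.cfg, hence a passphrase prompt before the menu.
# Feed it `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` on stdin; prints "encrypted" or "clear".
boot_on_crypt() {
    awk -v mp="${1:-/boot}" '
    {
        gsub(/"/, "")                       # KEY="value" -> KEY=value
        name = type = mnt = pk = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "NAME") name = kv[2]
            else if (kv[1] == "TYPE") type = kv[2]
            else if (kv[1] == "MOUNTPOINT") mnt = kv[2]
            else if (kv[1] == "PKNAME") pk = kv[2]
        }
        types[name] = type; parent[name] = pk
        if (mnt != "") owner[mnt] = name
    }
    END {
        dev = owner[mp]
        if (dev == "") dev = owner["/"]     # not a separate mount: it lives inside the root fs
        for (; dev != ""; dev = parent[dev])
            if (types[dev] == "crypt") { print "encrypted"; exit }
        print "clear"
    }'
}
# Constructed sample (not real lsblk output): the layout from the question, /boot
# inside the LUKS root plus a second LUKS container for /home.
SAMPLE_ENCRYPTED='NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p8" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cr_root" TYPE="crypt" MOUNTPOINT="/" PKNAME="nvme0n1p8"
NAME="nvme0n1p9" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cr_home" TYPE="crypt" MOUNTPOINT="/home" PKNAME="nvme0n1p9"'
# Constructed sample: clear-text /boot partition in front of an encrypted LVM.
SAMPLE_CLEAR='NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p8" TYPE="part" MOUNTPOINT="/boot" PKNAME="nvme0n1"
NAME="nvme0n1p9" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cr_lvm" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p9"
NAME="system-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cr_lvm"
NAME="system-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="cr_lvm"'
printf '%s\n' "$SAMPLE_ENCRYPTED" | boot_on_crypt /boot   # prints encrypted
printf '%s\n' "$SAMPLE_CLEAR" | boot_on_crypt /boot       # prints clear
```

    On a live system, `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME | boot_on_crypt` gives the answer for the running installation; pass `/home` instead to see why the second prompt appears.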

  8. #8

    Re: About encrypted partitions during installation - grub

    Originally Posted by SF6:
    Can I now simply delete all TW partitions and boot from TW installation media and reinstall using LVM? Will this mess up my Grub bootloader?
    Yes, you can do that. But unless you know what you are doing, it might be a bit confusing.

    Here is my suggestion:
    1. Make sure you know which partition is which, so you know what you will be deleting.
    2. Boot the installer. When you see the license screen (right at the beginning), use CTRL-ALT-F2 which will get you a command line. On that command line, run the "fdisk" command. Use that to delete the TW partitions, and to add a 500M partition for "/boot".
    3. Now use CTRL-ALT-F7 to get back to the graphic installer screen.
    4. Use guided partitioning. You can tell it to use an LVM and to encrypt it.
    5. Then go to the expert partitioner, with the option to start with the proposal.
    6. Find the partition you created for "/boot" (in the left column), and set that to format and mount as "/boot".

    If you are not familiar with using "fdisk", then I suggest that you practice that before you start. You can do a trial run, and change whatever you like. As long as you quit without saving the changes, you haven't actually changed the disk setup.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  9. #9

    Re: About encrypted partitions during installation - grub

    Originally Posted by nrickert:
    Yes, you can do that. But unless you know what you are doing, it might be a bit confusing.

    Here is my suggestion:
    1. Find the partition you created for "/boot" (in the left column), and set that to format and mount as "/boot".
    Thanks a lot for these step-by-step guidelines.

    One more question: What will happen to my old boot partition? As a matter of fact, I don't even know what this partition is - probably created by Microsoft since I installed Windows first. When installing Leap 15 and TW they both automatically chose this partition as mount point /boot/efi.

    To summarize I have the following partitions on /dev/nvme0n1xx
    1. p1 MS Windows Recovery, NTFS, that's some Windows stuff
    2. p2 EFI, FAT32 mounted at /boot/efi (currently in TW)
    3. p3 17MB, some Windows stuff
    4. p4 Basic Data, NTFS (that's Windows 10)
    5. p5 Ext4, Leap 15 / partition
    6. p5 Swap (for Leap 15)
    7. p7 Ext4, Leap 15 /home partition
    8. p8 LUKS, / TW
    9. p9 LUKS /home (after grub I get asked for this passphrase to mount /home)
    10. p10 Swap (for TW)

    So do I keep p2 and simply delete p8, p9, p10 and create a "new" p8* which will be boot, and then follow your instructions, create the LVM with the built-in partitioner and make sure the new p8* boot will be the mount point for TW?
    So the other partitions, including p2, won't be touched at all?

    Thanks again

  10. #10

    Re: About encrypted partitions during installation - grub

    Originally Posted by AnneSession:
    You didn't ask about it and you can run your system as you please... so I may be out of line here, but have you looked at the performance hit from having encrypted home within LUKS? Especially since you are reusing passwords between LUKS and home.
    Not quite sure if I understand. Have I accidentally encrypted twice?
