I used the last openSUSE Leap releases and had a LUKS setup with encryption. Everything was fine. Right now I try the new Leap RC and I have two problems. I am not that experienced with Linux and I don’t know if it’s my personal problem or if I found bugs.
Now I can select LVM and Encryption, but LVM is not required for Encryption anymore. Whatever, if I try to setup this for my Aspire E 11 notebook, I have to enter my password twice during the boot procedure. First, for grub during the inital notebook splash screen. Then I can select an entry in grub and again I have to enter the password for a second time. Why is there the inital (very slow) request in grub now? How can I avoid this because my password is not that short and I don’t want to type it twice…
The used password, at least for the first request via grub, is based on the used keyboard layout. I guess this was a bug some leap versions ago. If I choose the English (US) keyboard layout instead of the german one during the installation setup, I can enter my password during the boot procedure without problems. Is this an (un)known bug or a problem with my notebook / setup?
Would be nice, if someone can provide a link or something so that I can get some additional information about (at least the first) bullet point.
In my opinion, it is still best to use an encrypted LVM.
Yes, you can no encrypt the root partition without using an LVM. But you really need to encrypt “/home” and swap as well. Using an encrypted LVM achieves all of those.
Entering the password twice: To avoid that, you would need a separate unencrypted “/boot”. If you are using “btrfs”, it is better to not have a separate unencrypted “/boot”. If you are not using “btrfs”, then you can try that. But you would need to use the expert partitioner.
As for why the two password prompts: The first is for “grub” to access the encrypted partition to find your boot menu. That’s slow, because “grub” has to depend on BIOS i/o services to read the disk. The second prompt is needed for the kernel to be able to read the partition. There isn’t a secure way for “grub” to communicate that password to the kernel.
You can try that if it is important enough. Personally, I prefer to enter the password twice, because I think that’s a bit more secure.
As for the keyboard problem: I normally use the US keyboard, so I don’t run into that. But the problem, in general, is that you have to provide the encryption key early during boot, before the system knows what keyboard encoding you are using. The information you have configured for keyboard encoding is in the encrypted partition, and not available to the system until after you have given the password for decryption. So it is probably always safest to use a password that does not depend on the keyboard encoding.
I guess I will try it. Maybe I get used to it. My reason for encryption is the protection against data loss due to loosing the notebook (thieves in the real world). I don’t think someone will modify my boot partition or something like this, it is enough if a thieve cannot read pictures, documents and other personal information. So for my use case it should be fine to encrypt home and swap as far as I understand. However, I will not modify the setup to decrease the security level intentionally.
Okay. I thought that I knew the problem from an earlier Leap version. I try to mix as many characters as possible (not only alphanumeric characters). Of course I like to use some German keys / special characters and it does not matter for me what they are used for in the US layout (some other special characters normally). However, I’ld expect the installer to use the US layout for the LUKS password textbox in all cases. My workaround: I use the US layout for the setup. Unfortunately, I have to use y and z (the keys are swapped for US / German layouts) during the setup and I cannot use “ü” at all.
