About encrypted partitions during installation - grub

Hello everyone,

I have set up multiple new installations, starting with Windows then Leap 15 (/, /home and swap) and at last Tumbleweed (/, /home and swap).
With TW I decided to set up encryption right during the installation process so that all partitions would be encrypted. So far so good.

After the installation upon powering on the PC I get a password prompt before grub boot menu is being shown.
I’m asked to type in the passphrase for hd2/gpt8 ID xxxxx, which should be the LUKS encrypted root partition of TW.
After I type in the passphrase I get to the regular grub bootloader, screen where I can select Windows, Leap or TW. All of these boot fine.

Upon starting TW I get prompted again for a passphrase, this time for the encrypted /home partition (which is the same passphrase as for /).

**My question:**
The way it seems to be working is that I have to type in my passphrase before I get to grub. Which means I cannot boot into Leap nor Windows without typing in the passphrase for TW.
Could anyone explain why this is the case? Is there a way to set it up (in this case: change it) in a way, that it would only prompt for a passphrase when I select TW from grub?

Thanks a lot.

David

How you want it is how my machine works. I, too, used encryption as part
of the installation, but perhaps we did so differently.

With my installation I chose to use LVM for partitioning, and then setup
as follows:
/boot (as its own partition)
swap (as its own LVM volume)
/ (as its own LVM volume)
/home (as its own LVM volume)

During the install there is an option to encrypt with LVM, meaning
everything in LVM (swap, /, and /home) is encrypted, and uses one
passphrase, and is prompted-for after Grub decides to boot the Linux side
of things.


Good luck.

I would have expected a prompt for “/” if that is encrypted. That needs to be accessed and mounted before “/home”.

Could anyone explain why this is the case? Is there a way to set it up (in this case: change it) in a way, that it would only prompt for a passphrase when I select TW from grub?

The grub menu is stored in “/boot/grub2/grub.cfg”. And grub cannot access that without first decrypting the root partition.

To avoid this, you would need a separate unencrypted “/boot” partition. And you might need to use the expert partitioner for this. I’m not sure, since I don’t think I have installed TW with encryption since the switch to the new partitioner. Leap 15, which is using the new partitioner, is not suggesting a separate “/boot”.

And then there’s the other issue. If you are using “btrfs” for the root file system, then that works best if you DO NOT have a separate “/boot”.

Personally, I am using:

  • a separate unencrypted “/boot”;
  • an encrypted LVM with root, “/home”, swap;
  • the “ext4” file system for root and for “/home”.

I do actually have one system where I have to give the encryption key twice (where “/boot” is part of the root file system and not a separate partition). I originally installed that with “btrfs”, but decided that I didn’t like it so I reinstalled with “ext4”.

You can get a password prompt for encrypted LVM after grub provided you are using Legacy BIOS mode. That’s how I currently have a multi-boot setup for Tumbleweed on one of my systems. Like you, I wanted the convenience to select other operating systems without entering a password. Also, that way I am only prompted a single time (I don’t encrypt home within the encrypted LUKS) for the password (not a password to get grub and then another after Tumbleweed/Leap).

There is a downside to this that should have been obvious to me, but I didn’t consider it at the time. You lose the ability to have snapshots in GRUB with BTRFS. Snapshots with btrfs really are one of SUSE’s advantages over other distributions. It gives you a parachute when things go wrong. I had an aha moment early when trying Leap using proprietary video card drivers that had a conflict and logged into black. No cursor, no terminal, and the box didn’t have remote access. It could have been a painful recovery process, but I simply rebooted and selected the previous snapshot automatically made when I added the drivers and was back again. I still have snapper, but having access through grub is nice. Without feeding grub the password you are not going to get access to the snaps.

It sounds like you already have UEFI going so it may be a moot point.

You didn’t ask about it and you can run your system as you please… so I may be out of line here, but have you looked at the performance hit from having encrypted home within LUKS? Especially since you are reusing passwords between LUKS and home.

That’s actually not an issue.

On my current desktop, I have an encrypted LVM. And I also have an encrypted data partition (“/shared”). I am only prompted once for the encryption key. That works because both (LVM and “/shared”) use the same key. The code that prompts for keys (in “plymouth”) tries the key it already has before prompting for a different key. And if you are not using “plymouth”, then I’m pretty sure that “dracut” (the “initrd”) does the same thing.

There is a downside to this that should have been obvious to me; but I didn’t consider it at the time. You lose the ability to have snapshots in GRUB with BTRFS.

Yes, I think this is why the new installer (really, the new partitioner) is no longer suggesting a separate “/boot”.

You need “/boot” to be part of that “btrfs” partition, so that when you roll back to an earlier snapshot, that also rolls back the boot configuration.

Thanks for all your help.
I guess I made the mistake of using the guided partitioner instead of expert mode. This way I did not get a LVM but something else… hm it’s encrypted but it forces the aforementioned behavior.

Is there a way to revert this? Since this is only my “play around” PC I can easily reinstall TW. Now I have multiple partitions, one Windows, one for Leap 15 (/,/home and swap) and the same for TW (except these are encrypted).
Can I now simply delete all TW partitions and boot from TW installation media and reinstall using LVM? Will this mess up my Grub bootloader?

Thanks again.

Whether it is LVM or not is irrelevant. What matters is whether /boot is located on encrypted filesystem or not. What you got is plain encrypted partition without LVM which is finally possible now.

Yes, you can do that. But unless you know what you are doing, it might be a bit confusing.

Here is my suggestion:

  1. Make sure you know which partition is which, so you know what you will be deleting.
  2. Boot the installer. When you see the license screen (right at the beginning), use CTRL-ALT-F2 which will get you a command line. On that command line, run the “fdisk” command. Use that to delete the TW partitions, and to add a 500M partition for “/boot”.
  3. Now use CTRL-ALT-F7 to get back to the graphic installer screen.
  4. Use guided partitioning. You can tell it to use an LVM and to encrypt it.
  5. Then go to expert partitioner, with the option to start with the proposal.
  6. Find the partition you created for “/boot” (in left column), and set that to format and mount as “/boot”

If you are not familiar with using “fdisk”, then I suggest that you practice that before you start. You can do a trial run, and change whatever you like. As long as you quit without saving the changes, you haven’t actually changed the disk setup.

Thanks a lot for this step by step guidelines :slight_smile:

One more question: What will happen to my old boot partition? Matter of fact, I don’t even know what this partition is - probably created by Microsoft since I installed Windows first. When installing Leap 15 and TW they both automatically chose this partition as mount point /boot/efi.

To summarize I have the following partitions on /dev/nvme0n1xx

  1. p1 MS Windows Recovery, NTFS, that’s some Windows stuff
  2. p2 EFI, FAT32 mounted at /boot/efi (currently in TW)
  3. p3 17MB, some Windows stuff
  4. p4 Basic Data, NTFS (that’s Windows 10)
  5. p5 Ext4, Leap 15 / partition
  6. p5 Swap (for Leap 15)
  7. p7 Ext4, Leap 15 /home partition
  8. p8 LUKS, / TW
  9. p9 LUKS /home (after grub I get asked for this passphrase to mount /home)
  10. p10 Swap (for TW)

So do I keep p2 and simply delete p8, p9, p10 and create a “new” p8* which will be boot and then follow your instructions, create LVM with the built in partitioner and make sure the new p8* boot will be the mount point for TW?
So the other partitions, including p2 won’t be touched at all?

Thanks again :slight_smile:

Not quite sure if I understand. Have I accidentally encrypted twice?

I’m beginning to understand :slight_smile:
Ok, since I don’t need snapshots on this machine I can follow @nrickert’s instructions and create a separate /boot for TW and simply change the partitions to ext4, since snapshots won’t work anyway (this is my play around PC; my notebook on the other hand only has one OS, which means I can use the recommended partitioning scheme openSUSE suggests, so I can retain the snapshot feature).

Yes, that’s about right. You need to keep p2. And you should set that to be mounted at “/boot/efi”. That’s needed on a UEFI system. So it’s not quite right that it won’t be touched. A directory named “opensuse” will be created (if it doesn’t already exist), and the EFI boot file will be put there. Those can co-exist with Microsoft stuff. Your new p8, which I suggested 500M, should be mounted at “/boot”. I normally format that with “ext2” because you don’t need a journaled file system for that, and grub does not read the journal anyway. Whether that will be “p8”, I don’t know – the numbering of partitions can get weird.
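Two things said in this thread can be checked on a running system rather than inferred from where the passphrase prompt appears: the earlier explanation that grub cannot read /boot/grub2/grub.cfg without first unlocking the LUKS container that holds it (so the prompt comes before the menu), and the target layout just described (plain ext2 /boot, the shared ESP at /boot/efi, LVM on LUKS for the rest). The script below is an added example, not code from the thread or from openSUSE. It assumes util-linux findmnt and lsblk are present, that dm-crypt layers are reported by lsblk as TYPE "crypt", and that /etc/default/grub with GRUB_ENABLE_CRYPTODISK is the openSUSE location and variable name.

```shell
#!/bin/sh
# Added example, not from the thread or from openSUSE: report where /boot/efi, /boot
# and / really live and whether grub has to unlock a LUKS container before it can
# read its own menu. Assumes util-linux findmnt and lsblk and that dm-crypt layers
# appear in lsblk as TYPE "crypt"; /etc/default/grub and GRUB_ENABLE_CRYPTODISK
# are the openSUSE file and variable name.

# Pure helper. $1 is the TYPE column of `lsblk -s -n -o TYPE <device>`: the device
# itself followed by each layer underneath it, one per line (e.g. "lvm crypt part
# disk" for LVM on LUKS). Returns 0 when a dm-crypt layer is anywhere in the stack.
chain_has_crypt() {
    printf '%s\n' "$1" | grep -qx 'crypt'
}

# Pure helper: is GRUB_ENABLE_CRYPTODISK=y set in a grub defaults file ($1)? The
# installer sets it when grub must open LUKS itself; it is not needed for a plain /boot.
grub_cryptodisk_enabled() {
    [ -r "$1" ] && grep -Eq '^GRUB_ENABLE_CRYPTODISK=["'\'']?y' "$1"
}

# Device backing a path ($1). -T finds the mount point that contains the path, so
# /boot resolves to the root device when it is not a separate partition.
device_for_path() {
    src=$(findmnt -n -T "$1" -o SOURCE) || return 1
    [ -n "$src" ] || return 1
    # btrfs reports /dev/sda2[/@/.snapshots/1/snapshot]; drop the subvolume suffix
    printf '%s\n' "${src%%\[*}"
}

# Print one line: path, device, filesystem type, and "luks" if a dm-crypt layer sits
# anywhere beneath that device, else "plain".
describe_path() {
    dev=$(device_for_path "$1") || { echo "$1: not on a mounted block device"; return 1; }
    fstype=$(findmnt -n -T "$1" -o FSTYPE)
    if chain_has_crypt "$(lsblk -s -n -o TYPE "$dev" 2>/dev/null)"; then enc=luks; else enc=plain; fi
    printf '%-10s %-32s %-6s %s\n' "$1" "$dev" "$fstype" "$enc"
}

main() {
    for p in /boot/efi /boot /; do describe_path "$p"; done
    bootdev=$(device_for_path /boot) || return 1
    if chain_has_crypt "$(lsblk -s -n -o TYPE "$bootdev" 2>/dev/null)"; then
        echo "/boot is inside a LUKS container: grub must ask for the passphrase before it can show the menu"
        grub_cryptodisk_enabled /etc/default/grub ||
            echo "warning: GRUB_ENABLE_CRYPTODISK is not set in /etc/default/grub"
    else
        echo "/boot is readable without a key: the menu comes first, any LUKS prompt comes from the initrd"
    fi
}

if command -v findmnt >/dev/null 2>&1 && command -v lsblk >/dev/null 2>&1; then
    main || echo "audit incomplete: some paths are not backed by a block device"
fi
```

Run it as root from each installed Linux. On the original Tumbleweed layout (LUKS root with /boot inside it) the /boot line ends in "luks" and the verdict says the prompt precedes the menu; after the rebuild with a separate ext2 /boot it ends in "plain". If /boot/efi shows up as the same device as /, the ESP is simply not mounted on that system, which is worth knowing before running grub2-install.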

Note that it is possible to put root LUKS key in initrd so it is decrypted without user intervention. I actually described how to setup dracut for that on this forum in similar thread. As initrd itself is located on encrypted filesystem, it still provides reasonable protection in case your disk is stolen. Of course it leaves key accessible to rogue software while system is running.
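The caveat at the end of that note is the one a practitioner has to audit: once the root key is embedded in the initrd, it is protected at rest only by the encrypted filesystem that holds /boot, and on the running system only by file permissions on the keyfile and on the initrd that contains a copy of it. The script below is an added example, not the dracut setup referred to above and not part of the thread. It assumes (none of this is from the thread) that the keyfile is /etc/luks.key, that the initrd is /boot/initrd, that lsinitrd prints a cpio -tv style listing (mode, links, owner, group, size, date, path), and that a GNU or busybox `stat -c %a` is available.

```shell
#!/bin/sh
# Added example, not from the thread: audit the "LUKS key inside the initrd" setup.
# Checks that neither the keyfile nor the initrd embedding it is readable by anyone
# but root, and that the copy inside the initrd image is itself mode rw-------.
# ASSUMED paths and formats: /etc/luks.key, /boot/initrd, cpio -tv style lsinitrd output.

KEYFILE=${KEYFILE:-/etc/luks.key}
INITRD=${INITRD:-/boot/initrd}

# Pure helper: symbolic permission bits ("rw-------") grant nothing to group/others?
sym_mode_owner_only() {
    case "$1" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# Pure helper: same test for an octal mode as printed by `stat -c %a` ("600" or "0600").
octal_mode_owner_only() {
    case "$1" in
        [0-7]00|[0-7][0-7]00) return 0 ;;
        *)                    return 1 ;;
    esac
}

# Pure helper: look up one path in an initrd listing. $1 = listing text, $2 = path
# (with or without a leading "/" or "./"). Prints that entry's permission bits
# (e.g. "rw-------") and returns 0 if found, 1 otherwise. Header lines of lsinitrd
# never match because their last field is not the wanted path.
initrd_entry_perms() {
    printf '%s\n' "$1" | awk -v want="$2" '
        { path = $NF; sub("^[.]?/", "", path); sub("^[.]?/", "", want) }
        path == want { print substr($1, 2, 9); found = 1 }
        END { exit found ? 0 : 1 }'
}

# Live audit: one line per finding, exit status 0 only when nothing is exposed.
audit_live() {
    rc=0
    for f in "$KEYFILE" "$INITRD"; do
        if [ ! -e "$f" ]; then echo "missing: $f"; rc=1; continue; fi
        m=$(stat -c '%a' "$f")
        octal_mode_owner_only "$m" || { echo "too permissive: $f is mode $m"; rc=1; }
    done
    if command -v lsinitrd >/dev/null 2>&1 && [ -r "$INITRD" ]; then
        if perms=$(initrd_entry_perms "$(lsinitrd "$INITRD")" "$KEYFILE"); then
            sym_mode_owner_only "$perms" ||
                { echo "key inside $INITRD is $perms, expected rw-------"; rc=1; }
        else
            echo "note: $KEYFILE is not embedded in $INITRD (root is unlocked some other way)"
        fi
    fi
    return $rc
}

if [ "${1:-}" = "--audit" ]; then
    audit_live
fi
```

Run `sh luks-key-audit.sh --audit` as root on the Tumbleweed side. Two things the script cannot tell you and that still matter: the initrd must live on the encrypted root (a separate unencrypted /boot, as used later in this thread, would hand the key to anyone with the disk), and any process running as root, or any backup of /boot, gets the key regardless of these permissions.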

Thanks to all. @nrickert, your instructions have worked perfectly.

One more question:

After some updates in Leap 15 beta grub got changed somehow. Now it can’t find TW anymore (Windows it does). I think this has to do with the separate /boot partition. How do I tell grub to look for this /boot partition to boot into TW?

Thanks.

It is supposed to find that automatically.

Hmm, does “/boot” use “btrfs”? I think os-prober sometimes has trouble with “btrfs”. And I have noticed that the installer sometimes wants to use “btrfs” for “/boot”, which makes no sense for me.

You can add your own boot entries in “/etc/grub.d/40_custom”. I usually prefer to do that.
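One way to write such an entry for this thread's layout (separate unencrypted ext2 /boot for Tumbleweed, LUKS root) is to let the entry hand over to Tumbleweed's own grub.cfg on that partition instead of naming a kernel file, so that kernel updates on the Tumbleweed side keep working without editing the Leap side again. The script below is an added example, not the stock 40_custom and not from the thread; the UUID is an assumed placeholder to be replaced with the real one from `blkid -s UUID -o value /dev/nvme0n1p8` (the /boot partition created above), and the menu title is my choice.

```shell
#!/bin/sh
# Added example, not openSUSE's stock 40_custom and not from the thread: a script for
# /etc/grub.d/ that emits a menu entry for a Tumbleweed whose /boot is a separate,
# unencrypted ext2 partition and whose root is LUKS. grub2-mkconfig runs every
# executable file in /etc/grub.d and appends what it prints to grub.cfg.
# ASSUMED placeholder: set TW_BOOT_UUID to `blkid -s UUID -o value /dev/nvme0n1p8`.

TW_BOOT_UUID=${TW_BOOT_UUID:-00000000-0000-0000-0000-00000ASSUMED}

# Emit the entry. `search --fs-uuid` locates the /boot partition by filesystem UUID
# rather than by an hd2/gpt8-style name, which changes when partitions are
# renumbered. Because /boot is its own filesystem, Tumbleweed's config is at
# /grub2/grub.cfg on it, not /boot/grub2/grub.cfg. `configfile` then runs that
# config, which sets its own root and kernel/initrd paths.
tw_handoff_entry() {
    uuid=$1
    cat <<EOF
menuentry 'openSUSE Tumbleweed (via its own grub.cfg)' --class opensuse --class gnu-linux --class os {
    insmod part_gpt
    insmod ext2
    search --no-floppy --fs-uuid --set=root $uuid
    configfile /grub2/grub.cfg
}
EOF
}

tw_handoff_entry "$TW_BOOT_UUID"
```

Install it as, for example, /etc/grub.d/40_tumbleweed with mode 0755, put the real UUID in, and run `grub2-mkconfig -o /boot/grub2/grub.cfg` on the Leap side. Two caveats: the modules grub loads while executing Tumbleweed's config still come from the grub that is in charge (Leap's), and since both distributions use the EFI/opensuse directory on the shared ESP mentioned above, the entry belongs in whichever installation's grub you actually boot from.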

/boot is actually ext2, and as far as I can tell it is found by os-prober, but for some reason I cannot read from the log it is not being added to the menu:

Feb 11 18:33:31 linux-zev5 50mounted-tests[2939]: debug: mounted using GRUB ext2 filesystem driver
Feb 11 18:33:31 linux-zev5 50mounted-tests[2940]: debug: running subtest /usr/lib/os-probes/mounted/05efi
**Feb 11 18:33:31 linux-zev5 05efi[2942]: debug: /dev/nvme0n1p8 is ext2 partition: exiting**
Feb 11 18:33:31 linux-zev5 50mounted-tests[2943]: debug: running subtest /usr/lib/os-probes/mounted/10freedos
Feb 11 18:33:31 linux-zev5 10freedos[2945]: debug: /dev/nvme0n1p8 is not a FAT partition: exiting
Feb 11 18:33:31 linux-zev5 50mounted-tests[2946]: debug: running subtest /usr/lib/os-probes/mounted/10qnx
Feb 11 18:33:31 linux-zev5 10qnx[2948]: debug: /dev/nvme0n1p8 is not a QNX4 partition: exiting
Feb 11 18:33:31 linux-zev5 50mounted-tests[2949]: debug: running subtest /usr/lib/os-probes/mounted/20macosx
Feb 11 18:33:31 linux-zev5 macosx-prober[2951]: debug: /dev/nvme0n1p8 is not an HFS+ partition: exiting
Feb 11 18:33:31 linux-zev5 50mounted-tests[2952]: debug: running subtest /usr/lib/os-probes/mounted/20microsoft
Feb 11 18:33:31 linux-zev5 20microsoft[2954]: debug: Skipping legacy bootloaders on UEFI system
Feb 11 18:33:31 linux-zev5 50mounted-tests[2955]: debug: running subtest /usr/lib/os-probes/mounted/30utility
Feb 11 18:33:31 linux-zev5 30utility[2957]: debug: /dev/nvme0n1p8 is not a FAT partition: exiting
Feb 11 18:33:31 linux-zev5 50mounted-tests[2958]: debug: running subtest /usr/lib/os-probes/mounted/40lsb
Feb 11 18:33:31 linux-zev5 50mounted-tests[2960]: debug: running subtest /usr/lib/os-probes/mounted/70hurd
Feb 11 18:33:31 linux-zev5 50mounted-tests[2962]: debug: running subtest /usr/lib/os-probes/mounted/80minix
Feb 11 18:33:31 linux-zev5 50mounted-tests[2964]: debug: running subtest /usr/lib/os-probes/mounted/83haiku
Feb 11 18:33:31 linux-zev5 83haiku[2966]: debug: /dev/nvme0n1p8 is not a BeFS partition: exiting
Feb 11 18:33:31 linux-zev5 50mounted-tests[2967]: debug: running subtest /usr/lib/os-probes/mounted/90linux-distro
Feb 11 18:33:31 linux-zev5 50mounted-tests[2970]: debug: running subtest /usr/lib/os-probes/mounted/90solaris
Feb 11 18:33:31 linux-zev5 50mounted-tests[2972]: debug: running subtest /usr/lib/os-probes/mounted/efi
Feb 11 18:33:31 linux-zev5 os-prober[2983]: debug: running /usr/lib/os-probes/50mounted-tests on /dev/nvme0n1p9
Feb 11 18:33:31 linux-zev5 50mounted-tests[2989]: debug: /dev/nvme0n1p9 is a LUKS partition; skipping
Feb 11 18:33:31 linux-zev5 os-prober[2990]: debug: os detected by /usr/lib/os-probes/50mounted-tests

Perhaps arvidjaar can help see what’s wrong.

os-prober cannot probe encrypted filesystem unless it is already mounted.