Many thanks to all, and especially arvidjaar, his post was decisive! (i hope translator is not too disfigured this).
small step by step guide:
Standart installation of OpenSuse 42.1, during the installation process tick “Create LVM-based Proposal” and "Encrypt Volume Group"http://i.piccy.info/i9/24b8e65fe49aed993c11cc126ad38018/1482927589/4850/1103912/IMG_4217_240.jpg](http://piccy.info/view3/10686220/3bbf0ddb0dce70d52a42aab18a3c3b72/)http://i.piccy.info/a3/2016-12-28-12-19/i9-10686220/240x180-r/i.gif](http://i.piccy.info/a3c/2016-12-28-12-19/i9-10686220/240x180-r)
Keyfile creation:
dd if=/dev/random of=/dev/mmcblk0 bs=1 count=256
mmcblk0 is my external SD-card, how to use separate keyfile i did not understand
Adding keyfile to the encrypted volume:
cryptsetup luksAddKey /dev/sda3 --key-file /dev/mmcblk0 --keyfile-size 256
edit /boot/gub2/grub.cfg
adding to the kernel commandline these options:
luks.uuid=502cca08-a4ff-4592-a5cc-ec4ef6650200 # this is UUID of /dev/sda3 not LVM partition!
luks.key=/dev/mmcblk0
luks.options=keyfile-size=256
lsblk
blkid
will help you to figure out, who is who.
Now i must remove old keyphrase
cryptsetup luksOpen -v /dev/sda3 anyname
after entering passphrase you will see:
Keyslot X unlocked
Where X is likely to be 0, but it is always better to check, right?
also you can check active keyslots with:
crypsetup luksDump /dev/sda3
Deleting unneeded slot:
cryptsetup luksKillSlot /dev/sda3 0 --key-file /dev/mmcblk0 --keyfile-size 256
Now there is only one way to unencrypt you container, it’s yours keyfile.
Sorry, i did not understand, how to use keyfile-offset, it will be great, if someone explain it.
I hope my terrible English is not too messed up. Cheers!