I’m a new OpenSuse user, and a Linux user for ~15 years. I tried all the major distros out there (except Gentoo) and OpenSuse is already in my top 3 choices together with Debian and Arch.
Anyway, I installed OpenSuse in an encrypted partition. Since the installer warned me about having the bootloader installed in an encrypted partition, I created a separate boot partition for /boot.
Now, the grub option for booting old snapshots is not available in the boot menu. From what I understood in a Reddit thread, it’s due to the fact that it’s not possible to boot snapshots from a different partition. To me this sounds like nonsense, because grub could decrypt the root partition and load the snapshots… is it true? If not, how can I enable the option?
Otherwise, is the only option I have moving /boot to the root partition (maybe a subvolume?) and creating a key file for decrypting it via systemd?
Correct. SUSE does not support booting from snapshot with separate /boot. This topic has been beaten to death on this forum.
It is not the best way to start in a new community.
/boot must be part of root subvolume (subvolume, mounted as /) for booting from snapshot to work. At least, this is the current status.
grub asks for passphrase and unlocks root filesystem and passes the key to initrd. Current Tumbleweed also integrates fde-tools to allow storing the key in TPM and unattended boot.
Sorry, I didn’t know it was a dividing topic. I just meant that the explanation was nonsense: in theory, it could be done, if I’m understanding things correctly. It’s a design decision then… correct?
Right now, I tried to move the /boot partition to my / directory. Grub starts and asks for a password, but it then shows the GRUB shell. From the GRUB shell, when I run cryptomount -a, it asks for a password and prints an error saying it could not decrypt the partition. I’m 100% sure the password is correct…
My /boot/efi/EFI/opensuse/grub.cfg:
set btrfs_relative_path="yes"
cryptomount -u 200f3a26939f428299a7c9fc438c9a41
search --fs-uuid --set=root 5e28f7ff-debb-4969-9db1-22174257088a
set prefix=(${root})/boot/grub2
source "${prefix}/grub.cfg"
And my partitions:
root@rubinetto /h/federico (master)# lsblk -o NAME,TYPE,MOUNTPOINTS,PARTUUID
NAME TYPE MOUNTPOINTS PARTUUID
zram0 disk [SWAP]
nvme0n1 disk
├─nvme0n1p1 part /boot/efi a203195b-b4c3-43dc-a042-d0b5e06aed7d
├─nvme0n1p2 part 9ba79f96-5af2-4a52-847f-cf68c4460303
├─nvme0n1p3 part 3a7ca196-9b9d-4a24-af59-4957d98a0fba
├─nvme0n1p4 part 8efe39f3-6092-4d12-a123-085441166676
├─nvme0n1p5 part 594dca80-dbed-4f3a-842e-c411ccbb93ce
├─nvme0n1p6 part c25129bb-f127-4ceb-b809-7fae0f606669
└─nvme0n1p7 part 3f69a097-f69c-4956-b15a-a2c5982b7a04
└─cr-auto-1 crypt /var
/opt
/home
/
Apparently, GRUB in EFI is not using the proper UUID. However, I have already run update-bootloaders --reinit and grub2-install…
Sorry, I used PARTUUID instead of UUID for lsblk. Now the grub.cfg file makes sense…
root@rubinetto /b/e/EFI# lsblk -o NAME,TYPE,MOUNTPOINTS,UUID
NAME TYPE MOUNTPOINTS UUID
zram0 disk [SWAP]
nvme0n1 disk
├─nvme0n1p1 part /boot/efi F1D2-D17F
├─nvme0n1p2 part
├─nvme0n1p3 part C2928878928872A9
├─nvme0n1p4 part 42EA8917EA89087D
├─nvme0n1p5 part 00628B1F628B1894
├─nvme0n1p6 part 1f9bc307-eeda-4100-a82f-4b58d147650b
└─nvme0n1p7 part 200f3a26-939f-4282-99a7-c9fc438c9a41
└─cr-auto-1 crypt /var 5e28f7ff-debb-4969-9db1-22174257088a
/opt
/home
/
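The cross-check done by hand in the two posts above, as an added example that is not part of the thread: it pulls the IDs out of the EFI grub.cfg stub and reports whether each one matches a device's UUID or its PARTUUID. The function names are hypothetical, and the sample data is constructed from the values posted above, written in the form that lsblk -P -o NAME,TYPE,UUID,PARTUUID prints.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed from
# the grub.cfg and the two lsblk listings posted above, in `lsblk -P` form.
GRUB_CFG='set btrfs_relative_path="yes"
cryptomount -u 200f3a26939f428299a7c9fc438c9a41
search --fs-uuid --set=root 5e28f7ff-debb-4969-9db1-22174257088a'

LSBLK='NAME="nvme0n1p1" TYPE="part" UUID="F1D2-D17F" PARTUUID="a203195b-b4c3-43dc-a042-d0b5e06aed7d"
NAME="nvme0n1p7" TYPE="part" UUID="200f3a26-939f-4282-99a7-c9fc438c9a41" PARTUUID="3f69a097-f69c-4956-b15a-a2c5982b7a04"
NAME="cr-auto-1" TYPE="crypt" UUID="5e28f7ff-debb-4969-9db1-22174257088a" PARTUUID=""'

# norm ID: the stub writes the LUKS UUID without hyphens; compare canonically.
norm() { printf '%s' "$1" | tr -d '-' | tr 'A-Z' 'a-z'; }

# cfg_id CFG CMD: print the ID passed to "cryptomount -u" or "search --fs-uuid".
cfg_id() {
    printf '%s\n' "$1" | awk -v cmd="$2" '
        $1 == cmd && cmd == "cryptomount" { for (i = 2; i < NF; i++) if ($i == "-u") { print $(i + 1); exit } }
        $1 == cmd && cmd == "search"      { print $NF; exit }'
}

# classify ID LSBLK: print "NAME TYPE UUID", "NAME TYPE PARTUUID" or "none".
classify() {
    printf '%s\n' "$2" | awk -v want="$(norm "$1")" '
        function raw(key,   line, s) {
            line = " " $0                       # leading space keeps UUID= from matching PARTUUID=
            if (!match(line, " " key "=\"[^\"]*\"")) return ""
            s = substr(line, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
            return s
        }
        function id(key,   s) { s = tolower(raw(key)); gsub(/-/, "", s); return s }
        want != "" && id("UUID") == want     { print raw("NAME"), raw("TYPE"), "UUID"; hit = 1; exit }
        want != "" && id("PARTUUID") == want { print raw("NAME"), raw("TYPE"), "PARTUUID"; hit = 1; exit }
        END { if (!hit) print "none" }'
}

# check_stub CFG LSBLK: show which device each ID in the stub resolves to.
check_stub() {
    echo "cryptomount -u    -> $(classify "$(cfg_id "$1" cryptomount)" "$2")"
    echo "search --fs-uuid  -> $(classify "$(cfg_id "$1" search)" "$2")"
}

check_stub "$GRUB_CFG" "$LSBLK"
```

A result of "none" or a PARTUUID match for the cryptomount line means the stub points at the wrong identifier; here both IDs resolve by UUID, so the stub itself is consistent with the disk layout.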
Basic problem with snapshots. ANY separate boot partition, encrypted or not, cannot see the snaps until / is mounted, thus there is no way for grub to know what snaps there are until the kernel runs and / is mounted…
SUSE installer (or, more precisely, YaST2 Partitioner module) does not offer LUKS2 by default exactly for this reason. You can force it for partitioner, but you cannot do it in installer.