I am setting up a new laptop with Leap 16.0, and my plan was to
wipe everything from the machine
install a fresh openSUSE
stay as close to the defaults of Agama/Leap as reasonably possible
but have an encrypted /home directory
My expectation somehow was that the openSUSE default was a home partition in XFS and a separate root partition in bftrs, I am pretty sure that was the default in Leap 15 and before. However, it seems now Agama only proposes one large btrfs partition plus a 2 GB swap partition. Is that correct?
(I generally like the idea of being able to increase the size I have for /usr, /lib, … without the trouble of XFS being unable to size down. I am a bit worried that some minor misconfiguration could mean Snapper snapshots my pretty large /home though.)
During installation, I clicked on “Encrypt” and filled in what was needed. This gave me full disk encryption, which is ok. Encrypting home would have been sufficient for me, I think, but I wanted to stick with defaults. However, this has also encrypted my /swap partition now, and on boot, I have to enter the password twice. Is that considered the correct behavior?
I find this pretty annoying. Maybe I did something wrong?
@pbiel Hi, an easier solution is to use zram via installing zram-generator package and enabling the service. Then if you check via fwupdmgr security will show encrypted swap and no need for the swap partition. Since it’s RAM, gone on shutdown…
Create a /etc/systemd/zram-generator.conf file containing;
Thanks! I’ve considered not using a swap partition, but this pretty much goes against my goal to stick closely to the Agama/Leap defaults. If the Leap 16 default is to have a dedicated swap partition, I’d prefer to use that.
Hi! Thanks for this input.
My issue was that if I check the “Encrypt the system” button right there, my “/”, including “/home” is encrypted, but apparently also “/swap”. Maybe I can just forego /swap altogether.
If not, I think that I would not need it be encrypted? At the very least, I would like to prevent being asked for my LUKS password twice on system startup, both for /swap and /, which is what happens right now.
I seem to recall that 15.6 was already using one big “btrfs” partition by default. But you could set up a separate “/home” if you wanted that.
Personally, I have done online upgrades to Leap 16.0, because I don’t like the Agama choices.
For encryption, you could have gone with an encrypted LVM. In that case there would only be one request for passphrase. In any case, you can avoid the second prompt by putting a passphrase in a file (readable only by root) on the root partition and edit “/etc/crypttab” to point to that file.
Ok, now, I go with one btrfs partition including /home, that’s great if it works. Plus a swap partition as proposed by Agama, all Full Disk Encrypted.
I think providing the password for swap looks like the least weird solution to me. Now, what I did:
(as root) create file /etc/swappwd
write my disk encrpytion password into it (like echo 'p4ssw0rd' > /etc/swappwd)
changed permissions with chmod 400 /etc/swappwd
then, I used blkid to identify the mount point, which seems to be /dev/mapper/cr_swap
My /etc/crypttab as created from Agama was pretty(!) simple
nothing more. I tried adding my password file as described in the man page:
The third field specifies an absolute path to a file with the encryption key.
I didn’t know what to do with the second field to be honest (and I am puzzled about whether they are counted from zero or one). At least, this did not work:
But perhaps you need to put crypttab into the “initrd”.
Check the section " Avoiding to type the passphrase twice" in SDB:Encrypted root file system. Steps 5 and 6 explain what to do with the “initrd”. However, where it mentions “/.root.key” you should change that to “/etc/swappwd” to fit your setup.
Hm, unfortunately, also with the none option, the solution does not work. I could try using LVM just for the encryption, but this seems like a pretty huge solution for a small problem.
Am I overlooking something? I feel like having /home encrypted but not having to enter the password more than once is a requirement 90%+ of desktop users have, and I am surprised this seems so difficult. Is there a simpler solution? After all, my key motivation here was to not have a weird frankenstein system, but stay as close as reasonably possible with the Leap 16 defaults.
For the likes of Aeon with FDE, it uses zram for this very reason… Not sure about Kalpa?
