Default file system layout

Hi all!

I am setting up a new laptop with Leap 16.0, and my plan was to

  • wipe everything from the machine
  • install a fresh openSUSE
  • stay as close to the defaults of Agama/Leap as reasonably possible
  • but have an encrypted /home directory

My expectation somehow was that the openSUSE default was a home partition in XFS and a separate root partition in btrfs, I am pretty sure that was the default in Leap 15 and before. However, it seems now Agama only proposes one large btrfs partition plus a 2 GB swap partition. Is that correct?
(I generally like the idea of being able to increase the size I have for /usr, /lib, … without the trouble of XFS being unable to size down. I am a bit worried that some minor misconfiguration could mean Snapper snapshots my pretty large /home though.)
During installation, I clicked on “Encrypt” and filled in what was needed. This gave me full disk encryption, which is ok. Encrypting home would have been sufficient for me, I think, but I wanted to stick with defaults. However, this has also encrypted my /swap partition now, and on boot, I have to enter the password twice. Is that considered the correct behavior?
I find this pretty annoying. Maybe I did something wrong?

@pbiel Hi, an easier solution is to use zram via installing zram-generator package and enabling the service. Then if you check via fwupdmgr security will show encrypted swap and no need for the swap partition. Since it’s RAM, gone on shutdown…

Create a /etc/systemd/zram-generator.conf file containing;

[zram0]
zram-size = ram * .25
compression-algorithm = zstd
swap-priority = 100
fs-type = swap

I use 25% of RAM here, adjust as required…

Install zram-generator and enable/start service;

systemctl enable --now systemd-zram-setup@zram0.service

free -h
               total        used        free      shared  buff/cache   available
Mem:            15Gi       1.6Gi        12Gi       9.3Mi       1.4Gi        13Gi
Swap:          3.8Gi          0B       3.8Gi

....
Runtime Suffix -!
....
✔ Linux swap:                    Encrypted

Then comment out the swap entry in /etc/fstab reboot or swapoff/swapon.

Thanks! I’ve considered not using a swap partition, but this pretty much goes against my goal to stick closely to the Agama/Leap defaults. If the Leap 16 default is to have a dedicated swap partition, I’d prefer to use that.

Well the default on Leap is no encryption… :wink: For the likes of Aeon with FDE, it uses zram for this very reason… Not sure about Kalpa?

Do you actually need swap, how much system RAM?

@nrickert may be able to help here…

I have 48 GB of RAM on the machine, I don’t think 2 GB of swap will be of much use to be honest.

… stay as close to the defaults of Agama/Leap as reasonably possible :stuck_out_tongue:

@pbiel I have a small one for a possible oom, so even if you just comment out in the fstab file…

Hi, this is the default as installed by the Leap 16.0 Agama installer.


As you may see, I did not use encryption, but you can enable it. With the full btrfs default this would include your /home.


Hi! Thanks for this input.
My issue was that if I check the “Encrypt the system” button right there, my “/”, including “/home” is encrypted, but apparently also “/swap”. Maybe I can just forego /swap altogether.
If not, I think that I would not need it to be encrypted? At the very least, I would like to prevent being asked for my LUKS password twice on system startup, both for /swap and /, which is what happens right now.

I seem to recall that 15.6 was already using one big “btrfs” partition by default. But you could set up a separate “/home” if you wanted that.

Personally, I have done online upgrades to Leap 16.0, because I don’t like the Agama choices.

For encryption, you could have gone with an encrypted LVM. In that case there would only be one request for passphrase. In any case, you can avoid the second prompt by putting a passphrase in a file (readable only by root) on the root partition and edit “/etc/crypttab” to point to that file.


Ok, now, I go with one btrfs partition including /home, that’s great if it works. Plus a swap partition as proposed by Agama, all Full Disk Encrypted.

I think providing the password for swap looks like the least weird solution to me. Now, what I did:

  • (as root) create file /etc/swappwd
  • write my disk encryption password into it (like echo 'p4ssw0rd' > /etc/swappwd)
  • changed permissions with chmod 400 /etc/swappwd
  • then, I used blkid to identify the mount point, which seems to be /dev/mapper/cr_swap

My /etc/crypttab as created from Agama was pretty(!) simple

cr_swap  UUID=…
cr_root  UUID=…  none  x-initrd.attach

nothing more. I tried adding my password file as described in the man page:

The third field specifies an absolute path to a file with the encryption key.

I didn’t know what to do with the second field to be honest (and I am puzzled about whether they are counted from zero or one). At least, this did not work:

cr_swap  UUID=…  /etc/swappwd
cr_root  UUID=…  none  x-initrd.attach

On boot, I am asked to provide a password for hd0.gpt (is that the root partition?), and then for cr_swap.

I would change that first line to:

cr_swap  UUID=…  /etc/swappwd  none

But perhaps you need to put crypttab into the “initrd”.

Check the section “Avoiding to type the passphrase twice” in SDB:Encrypted root file system. Steps 5 and 6 explain what to do with the “initrd”. However, where it mentions “/.root.key” you should change that to “/etc/swappwd” to fit your setup.

Hm, unfortunately, also with the none option, the solution does not work. I could try using LVM just for the encryption, but this seems like a pretty huge solution for a small problem.
Am I overlooking something? I feel like having /home encrypted but not having to enter the password more than once is a requirement 90%+ of desktop users have, and I am surprised this seems so difficult. Is there a simpler solution? After all, my key motivation here was to not have a weird frankenstein system, but stay as close as reasonably possible with the Leap 16 defaults.

It should work. I’m successfully using that in a VM and in a system installed in a USB external drive.

Maybe recheck all of the steps.

Hm. I am really not sure what’s wrong here.

I’ve now re-done it all, and taken pictures (sorry, but this is a real physical device, no idea how to make a proper documentation, plus, I used German for the language, because I prefer that in the final setup and switching mid-term has never worked 100% – also, Agama does not like the user to alter the localization during setup, as I had to learn the hard way). Am I doing something wrong?

initial setup


switching on encryption



Full Disk Encryption is on, and all else is on defaults.

more installation



reboot

After the initial reboot, I am asked for the password twice.



setting up password file

I create /etc/swappwd, and write the actual password into it. (Not the one in the picture, but the structure of the file is as shown.)



amending crypttab

Initially, that’s how it looks:

I change it to this:

reboot

It still does not work.

Just to show my issue, I’ve filmed (sorry, had no better idea, really) the process of booting the device now.
I’ve made it available on
https://app-share.mailbox.org/appsuite/api/share/0566863006c44e635ee66466c44e42be9c180def15ec162d/1/8/NDA4/NDA4LzY4NjU

until I find a better solution.

My ability to read German is rather weak, so I may have missed something.

The first request for password that you are seeing, is coming from “grub” (or whatever boot software you are using). The second request is coming from the kernel.

Your problem, I suspect, is that the content of “/etc/swappwd” is wrong.

When you enter the password at the terminal, you end with the “Enter” key. And the output of that “Enter” key goes into the string that you typed. It is normally the single character NL, or hexadecimal 0A.

When you provide the password that way, the NL character is stripped off before passing to the encryption software. However, when you use a file for the password, the entire content of the file is used, including that NL character.

You could try:

cd /etc
cp swappwd swappwd.old
dd if=swappwd.old of=swappwd bs=NN count=1

but replace that “NN” with the length of the password string, which should be 1 less than the file length (as shown by “ls -l”). That should remove the final NL character.

Based on the timing of the “Cryptography Setup” lines, it is likely that the second password request is coming from the “initrd”. So you need to make sure that “/etc/swappwd” is included in the “initrd”. And you need to rebuild that “initrd”.

Hi @nrickert, thanks for your support. I think I fixed it now.

In fact, ls -l reported a size of “N”, but my password is “N-1” characters long, so vim probably added some form of line-ending character to it. dd worked well; I assume if I had written the file with sudo sh -c "echo 'MyPassw0rd' > /etc/swappwd in the first place, this could have worked.

I then tried to set up initrd, which I forgot in yesterday’s attempt.

Step 3. of the explanation in the wiki didn’t work as expected (it says “device … does not exist or access denied”), but the other steps went through.

Now, I rebooted once, and was only asked for the password for cr_root, which is expected.

Thank you for your patience!


Just for my future self and for whoever comes across the issue of having to enter a password twice, for cr_root and cr_swap after enabling full disk encryption in the Agama default installation routine, here’s a summary.
Note: This is only tested by me. It might not be as safe as it should. It might not work properly or disregard some basic best practices.

  1. Carefully read https://en.opensuse.org/SDB:Encrypted_root_file_system#Avoiding_to_type_the_passphrase_twice
  2. Set up Full Disk Encryption during installation, which will give you two partitions, / (btrfs, including /home) and /swap.
  3. After installation, log in as root user.
  4. Create a file; the Wiki proposes something like /.root.key, I personally now went with /etc/.swap.key in the end.
  5. Write the password into it; make sure no newline character is put at the end.
    If you cat it, there should be the normal output of the terminal (device:path # or similar) in the same line as the content of the file.
  6. Make sure the file is read-only by root. The wiki tells you to run chmod 600 /etc/.swap.key. I believe 400 should be enough, but I now went with what the wiki said.
  7. The wiki tells you to now run cryptsetup luksAddKey, but that did not work for me.
  8. Use blkid to identify the mount point of your swap partition.
  9. Edit /etc/crypttab. It should contain one line for cr_root that you should not alter, and one with cr_swap <the mount point from blkid> UUID=… <void>.
    Add to it: As the third column (counted from one), add the path to the file. Then, also add none for the additional parameters (not sure this is necessary).
    The line now should look like cr_swap UUID=… /etc/.swap.key none.
  10. Configure dracut with something like echo -e 'install_items+=" /etc/.swap.key "' | sudo tee --append /etc/dracut.conf.d/99-root-key.conf > /dev/null see remarks in wiki.
  11. As the wiki says, rebuild initrd with dracut -f.
  12. Read https://en.opensuse.org/SDB:Encrypted_root_file_system#Additional_steps_when_using_hibernation_with_encrypted_swap_partition as well, and run the 'add_dracutmodules+=" resume "' command.

This seems to have worked for me.
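A few checks for the key file that would have caught the trailing-newline problem nrickert describes and verified step 6 of the summary above; this is an added example written for this thread, not code from any of the posts. It assumes only that you pass the path of the key file (e.g. /etc/.swap.key) and that cryptsetup uses the file's entire content as the passphrase.

```shell
# Key-file sanity checks (added example, not from the thread). The file
# path is the only input; nothing here touches crypttab or the initrd.

# Return 0 if the last byte of the file is a newline (0x0a), which an
# editor typically appends and which cryptsetup would treat as part of
# the passphrase.
key_has_trailing_newline() {
    last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ]
}

# Return 0 if the mode string is -r-------- (400) or -rw------- (600),
# i.e. the file is readable by its owner only.
key_perms_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-r--------" ] || [ "$mode" = "-rw-------" ]
}

# Rewrite the file without its final newline, keeping every other byte.
# Same idea as the dd command in the thread, but the length is computed
# instead of typed by hand.
strip_trailing_newline() {
    f=$1
    key_has_trailing_newline "$f" || return 0
    len=$(($(wc -c < "$f") - 1))
    tmp="$f.new.$$"
    dd if="$f" of="$tmp" bs=1 count="$len" 2>/dev/null
    chmod 400 "$tmp"
    mv -f "$tmp" "$f"
}

# Print a one-word verdict so the file can be checked before it goes
# into crypttab and the initrd: ok, missing, trailing-newline or
# bad-permissions.
check_key_file() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 1; }
    key_has_trailing_newline "$f" && { echo "trailing-newline"; return 1; }
    key_perms_ok "$f" || { echo "bad-permissions"; return 1; }
    echo "ok"
}
```

Run check_key_file on the key file; if it reports trailing-newline, strip_trailing_newline fixes it in place and re-checking should print ok.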

As explained by @nrickert. But I think you should not blame vim. You most probably typed the Return key at the end of the line, thus a NewLine character was added to the file.