Disk Encryption During Install Time Issues

  1. During TW installation, if there’s an encrypted volume present on the HDD, the install will ask to unlock it. Unlocking it makes automatic partitioning fail later on. If the volume isn’t unlocked, I can use the Entire Disk install method (with the following issue).

  2. If I use automatic partitioning and try to use encryption, the wizard will want to add both a /boot/efi and /boot partition (the latter being an unknown Linux Native partition). Both partitions are the same size. Continuing with install will result in a -3005 error during the partitioning phase. Using automatic partitioning followed by using Expert Partitioning and then removing the /boot partition will allow installation to succeed and work afterwards.

  3. After install, I’m asked for my drive passphrase twice (once by GRUB, and again during boot). I don’t think I’ve ever seen GRUB ask for a passphrase before (Ubuntu and Fedora both only ask once during boot).

I’m using the latest TW installation media (April 05) and installing via UEFI. I’m using XFS on my root partition and no separate Home partition, along with LVM + Encryption.

I must be doing things differently.

I do use an encrypted LVM. I first did that with opensuse 11.4 (if my memory is correct), and allowed the installer to make most of the decisions. That was on an older computer with limited disk space, so there wasn’t much flexibility possible.

I later tried on a newer computer (also opensuse 11.4), and found it hard to persuade the installer to partition the way that I want it.

What I have settled on to solve that problem, and what I always use now, is:

Partition first before install. Setup encryption first before install. Setup LVM first before install…

I normally use “fdisk” from the command line to partition. I then encrypt, either using “cryptsetup” from the command line, or using Yast partitioner (probably booted to a live CD or similar). I then use Yast partitioner to create the LVM, and divide it into volumes.

My experience with Yast partitioner is that it is best to create the partition with type code 83. If I set the type code to that for an LVM, it confused Yast. The basic method is to create the LVM as a logical entity, then add space to it. And Yast will add space from an encrypted partition, but it is confused if I try to add space from what it thinks is an existing LVM. So leave the partition type code at 83. Open it with “cryptsetup” or Yast partitioner (i.e. assign a virtual “/dev/mapper/name” to access it). Then add that space to the LVM.

For the actual install, I select “create partitioning” in the partitioning section of install. Next, I choose “custom partitioning”. That gives me a list of partitions and logical volumes. I then right click and select “Edit” to tell the partitioner what to do with particular partitions and/or logical volumes. Installs usually go smoothly. My most recent install was with Tumbleweed 20150330 a few days ago – mostly a trial install to test the installer.

As for “/boot” and “/boot/efi”: If you have UEFI hardware and booted the installer in UEFI mode, then it will want “/boot/efi”. With Tumbleweed, it does not insist on a separate “/boot”, though you probably want one.

“/boot/efi” needs to be a FAT formatted partition. If you have a UEFI computer, then it probably came with an existing EFI partition. It is best to use that. DO NOT reformat. Just accept its current format. The install will create its own subdirectory “opensuse” within that EFI partition, and put a small amount of data there.

Here’s what I have there on my opensuse 13.2 desktop:

ls -l /boot/efi/EFI/opensuse
total 3544
-rwxrwxr-x 1 root root      58 Nov  1 07:43 boot.csv
-rwxrwxr-x 1 root root     150 Nov  1 07:43 grub.cfg
-rwxrwxr-x 1 root root  918392 Nov  1 07:43 grub.efi
-rwxrwxr-x 1 root root  119296 Nov  1 07:43 grubx64.efi
-rwxrwxr-x 1 root root 1276328 Nov  1 07:43 MokManager.efi
-rwxrwxr-x 1 root root 1286112 Nov  1 07:43 shim.efi

I normally use a separate partition for “/boot”, which I format as “ext2”. That will contain the kernels, part of the grub boot software, the “initrd” files. Those are outside of the encrypted space. Boot loads a kernel and initrd, and then software from the “initrd” opens the encrypted LVM so that the encrypted space is available to the rest of the system startup.

It is possible to avoid a separate “/boot”, but at present you will need to disable secure-boot for that to work. There’s a fix that has been submitted for this (bug 917427), but the fix has not yet made it into Tumbleweed. If you do not use a separate unencrypted “/boot”, then you will be prompted twice for the encryption. The first time will be prompting by “grub2” or “grub2-efi” so that it can access the kernel and “initrd”. The second prompt will come from running linux code in the “initrd” used to make the encrypted LVM accessible for the rest of startup.

I probably gave too much information above (more than you wanted). But feel free to ask for additional details or explanations as needed.
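An added shell script (not from the thread or from openSUSE) that covers two points in the reply above: the "partition, encrypt, LVM first" preparation done with cryptsetup and the LVM tools instead of the Yast partitioner, and a check of whether /boot sits inside the LUKS container, which is exactly the layout that makes GRUB ask for the passphrase before the initrd asks again. The mapper name cr_lvm, the volume group name system and the lsblk sample lines are assumptions/constructed, not taken from the posts.

```shell
#!/bin/sh
# Added example, not code from the thread. Two pieces:
#  1. prepare_encrypted_lvm: partition (type code 83, left as-is) -> LUKS ->
#     LVM, the order the reply recommends. Needs root and a real partition,
#     so it is defined here but never executed by this script.
#  2. boot_location: reports whether /boot lives on an unencrypted device
#     ("plain") or inside a LUKS mapping ("encrypted", the two-prompt case).
# Names cr_lvm / system and the sample devices are assumptions.

prepare_encrypted_lvm() {   # $1 = partition (type 83)  $2 = mapper name  $3 = VG name
    cryptsetup luksFormat "$1"            # create the LUKS container (asks for a passphrase)
    cryptsetup open "$1" "$2"             # exposes /dev/mapper/$2 to LVM
    pvcreate "/dev/mapper/$2"             # add the decrypted space to LVM
    vgcreate "$3" "/dev/mapper/$2"
    lvcreate -L 2G -n swap "$3"
    lvcreate -l 100%FREE -n root "$3"     # one root LV, XFS, no separate /home
    mkfs.xfs "/dev/$3/root" && mkswap "/dev/$3/swap"
}

# $1 = output of: lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME  (one device per line)
# Walks from the device holding /boot up through its parents (PKNAME) and
# prints "encrypted" if any of them is a LUKS mapping (TYPE="crypt"), else "plain".
boot_location() {
    printf '%s\n' "$1" | awk -F'"' '
        { type[$2] = $4; parent[$2] = $8
          if ($6 == "/boot") boot = $2
          if ($6 == "/")     root = $2 }
        END {
            if (boot == "") boot = root     # no separate /boot: it is a directory on /
            for (d = boot; d != ""; d = parent[d])
                if (type[d] == "crypt") { print "encrypted"; exit }
            print "plain"
        }'
}

# Constructed lsblk -P samples (not captured from a real machine).
WITH_BOOT='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda3" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="cr_lvm" TYPE="crypt" MOUNTPOINT="" PKNAME="sda3"
NAME="system-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cr_lvm"'
# Same disk without the separate /boot partition: /boot is then a directory on /.
NO_BOOT=$(printf '%s\n' "$WITH_BOOT" | grep -v 'MOUNTPOINT="/boot"')

echo "separate ext2 /boot: $(boot_location "$WITH_BOOT")"   # plain
echo "no separate /boot:   $(boot_location "$NO_BOOT")"     # encrypted
```

Run `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME | { IFS= read -r -d '' out; boot_location "$out"; }` on an installed system to check its own layout.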

What do you mean?

* Mon Feb 16 2015 arvidjaar@gmail.com
- add luks, gcry_rijndael, gcry_sha1 to signed EFI image to support
  LUKS partition in default setup (boo#917427)

I’m referring to:

I submitted as srid#287615 and should be rolling into tumbleweed update soon.

(the final comment in the bug report).

That change still has not rolled into Tumbleweed.