Encrypted disk btrfs and grub snapshot


Is it possible with a newer version of Tumbleweed to use an encrypted HD and be able to have access to snapshots with grub?


Yes, this has been possible for a while.

When installing, DO NOT use a separate “/boot”. That way your “/boot” is part of the root partition, and encrypted.

You will need to install grub into the MBR on older computers. It will use the EFI partition on newer computers.

While booting, you will need to enter the encryption key twice – the first time is for grub to access boot menus, and the second time is for the kernel to read the file system.

When I set that up, I used an encrypted LVM. However, I have since changed to “ext4” instead of “btrfs” (personal preference). I would still recommend an encrypted LVM with logical volumes for root, home, swap. However, the new partitioner should allow you to just encrypt root as a separate partition.

Will the EFI partition be installed to the LVM?

Maybe a bug…

During installation

I click: guided setup

enable logical volume management
enable disk encryption

In filesystem options

settings for the root volume: btrfs, enable snapshots

propose separate home volume with xfs

suggested partitioning: no proposal possible

No, the EFI partition has to be a separate unencrypted partition. It is normally shared by all systems. So if you have Windows installed, then the openSUSE install should use the existing EFI partition set up by Windows.

That should have worked, unless you don’t have enough free disk space. Can you post the output from:

fdisk -l

If you don’t have linux installed to run that, then boot from live media. If there is too much output, then just

fdisk -l /dev/sda

would be fine, assuming that “/dev/sda” is the hard drive where you wish to install.

I did a similar install last week, except that I use “ext4” for the file system. And that worked fine. This was into a virtual machine, with a 20G virtual hard drive. But 20G is a bit small for using “btrfs”.

I have a 1TB SSD…

During install with boot EFI partition and LVM… YaST creates me a 500 MB partition for boot EFI… and 65 GB for the rest…

If I delete the 65 GB partition and create a new one of .95 TB (encrypted), when I go to: add volume group and pass available devices to selected devices… encryption is removed… seems like a bug

It did what you told it to do.

Instead of deleting the 65g partition, you could probably have resized it to the size that you want. And then you could probably resize the volumes inside to what you want.

It is also possible to do it the other way – create a partition yourself for the volume group. But, at present, that’s tricky because you might get an installed system that doesn’t boot (the installer may fail to create “/etc/crypttab” when you do it that way).

If you want full details, ask.

Tried to resize… but it says disk in use…

Video of the issue

Okay. So you will need to setup the LVM manually.

It looks as if you got part way there.

Since you are starting over, best to go to the expert partitioner at the beginning. Set it to use existing partitions and ignore the proposal.

Since you are doing it manually, you will need to first create the EFI partition. So just create /dev/sda1 at 500M. There should be a choice to use that as an EFI partition.

Next create /dev/sda2 for the size that you want, and set it to be encrypted. There should be an option to not format it (I think it is called “raw space”). But, if you can’t find that, it doesn’t hurt to format it (just wastes some cpu cycles).

Go to volume management. Click “Add” to create a new volume group (I think that’s the only choice). You need to give the volume a name, such as “system” (but you can use a different name). And then you have to put your /dev/sda2 into that volume group.

Next you have to add logical volumes. So click “Add” again, and select “logical volume” (not sure if that’s the wording). Give the logical volume a name (I suggest “root”), and set it to a suitable size. For “btrfs” make that at least 40G (though I would perhaps go with 80G). When it asks, say that this is for the operating system. It should set the file system to “btrfs” (though you can change that).

Next, another logical volume. Call it “swap”. I would set the size to twice your memory, though setting to just your memory size may be sufficient. Indicate that this is for swap.

And a third logical volume. Call it “home”, and give it all of the remaining space. Indicate that it is for data, and set to mount at “/home” (that’s probably the default).

Then click “accept” or “finish” or similar to go with that partitioning. And then proceed with the install.

I’m not sure what happens after that. I hope you finish up with a good working system. But it is possible that it won’t boot. That is probably fixable.

I’ll follow this with another reply on what might go wrong.

I’ll describe what might go wrong.

First, I’ll explain a little. The partitioner section of install is now using the new partitioner. And that is still a work in progress. So some things that used to work in the old partitioner do not yet work for the new partitioner.

I have mostly run into the problem when installing into an already existing encrypted LVM. The installer fails to create “/etc/crypttab”. And that file is needed for the encryption to work.

What I do, for an existing LVM, is create “/etc/crypttab” before I start the install. And I put a copy of that in “/home”. And then, during the install, I use CTRL-ALT-F2 which gives me a root command line. And then

ls /mnt/etc/crypttab  ### check if it exists (in my experience, it doesn't)
cp /mnt/home/crypttab /mnt/etc/crypttab

and then CTRL-ALT-F7 gets me back to the graphic installer. If I do that in time, then I get a bootable system. If I don’t do that in time, then I get an unbootable system. So I have to go to rescue mode to fix it.

My guess is that you won’t have this problem. Since you are setting up crypto during the install, it will probably create the “/etc/crypttab” for you.

So maybe best to stop here for now. And, if you run into this problem, I’ll guide you through the rescue steps.

Did a quick test using 0301 net image on EFI with secure boot. Setting up encryption was really a matter of next-next-next in installer and clicking on appropriate check box. For the fun of it I did not use LVM which worked just fine.

Like you saw in the video, when I go in volume management, create a new volume group and put my sda2 there, encryption is lost

When you deleted the original sda2, you lost the encryption for that.

When you then create the new sda2, you can encrypt that. And I thought I saw you doing that in the video. You should have just continued.

Yes, it can be confusing. But if you look closely, it will show a lock icon for sda2.

When you create a volume, say “root”, within that LVM, it will say “unencrypted”. But that’s fine. The entire LVM is already encrypted. You do not need to separately encrypt a volume within the LVM.

Maybe I can explain a little better.

When you encrypt sda2, that creates a virtual device. I think it showed as “/dev/mapper/cr_sda2” on your video. The real device is encrypted. But the virtual device is not encrypted. The process of decrypting is what maps the real device to the virtual device.

So when you then create an LVM, you are really creating the LVM using that virtual device. The partitioner is perhaps a bit opaque about that. The LVM does exist on the virtual device created from the encrypted partition.

Next you create volumes root, swap, home. They show as unencrypted, because you are not adding a layer of encryption to that virtual device. But they are still physically stored on disk as encrypted data.

Thanks. I hadn’t tested that. But it did look as if it would work with the new partitioner.

Watch out, though, if you ever do a reinstall keeping the same encryption. My experience is that the installer does not generate a suitable “/etc/crypttab” in that case. Well, that was for an LVM and for a separately encrypted data partition. I expect the same will happen with encrypted root. Bug 1071350 if you are looking for the reference.

At present, I am keeping a copy of “crypttab” on “/home”. During a reinstall, I check “/mnt/etc/crypttab” at about midway through the install. And if it doesn’t exist, I copy the one from “/mnt/home”. As long as I do that copy before the “initrd” is built, I’ll have a bootable system.
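The “check /mnt/etc/crypttab, and copy the saved one if it is missing” step described above (and in the earlier reply about CTRL-ALT-F2) as a small script. This is an added example, not installer code or the poster’s own script; the mapper name “cr_sda2”, the mount point “/mnt” and the backup path “/mnt/home/crypttab” are assumptions taken from the thread.

```shell
#!/bin/sh
# Ensure the target system's /etc/crypttab maps the LUKS container.
# Constructed example mirroring the manual step from this thread.
# Typical call from the installer's root console (CTRL-ALT-F2):
#   ensure_crypttab /mnt cr_sda2 "$(cryptsetup luksUUID /dev/sda2)" /mnt/home/crypttab

# crypttab_line NAME UUID -> one crypttab entry for a LUKS device
crypttab_line() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# has_entry FILE NAME -> success if FILE already has an entry for NAME
has_entry() {
    [ -f "$1" ] && grep -q "^$2[[:space:]]" "$1"
}

# ensure_crypttab TARGET NAME UUID [BACKUP]
#   TARGET: mount point of the installed root (e.g. /mnt during install)
#   NAME:   mapper name (e.g. cr_sda2)
#   UUID:   LUKS UUID of the real device (cryptsetup luksUUID /dev/sda2)
#   BACKUP: optional saved copy to restore verbatim (e.g. /mnt/home/crypttab)
# Prints what it did: present, restored or generated.
ensure_crypttab() {
    target=$1; name=$2; uuid=$3; backup=$4
    f="$target/etc/crypttab"
    if has_entry "$f" "$name"; then
        echo present
        return 0
    fi
    mkdir -p "$target/etc"
    if [ -n "$backup" ] && [ -f "$backup" ]; then
        cp "$backup" "$f"          # the saved copy wins when one exists
        echo restored
    else
        crypttab_line "$name" "$uuid" >> "$f"   # otherwise write a minimal entry
        echo generated
    fi
    chmod 600 "$f"                 # crypttab should not be world-readable
}
```

Run it before the installer builds the “initrd”; dracut reads /etc/crypttab when it generates the image, which is why the copy has to happen in time.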

I know you lost it… but I created a new one, encrypted…

Tried to add a volume group and pass available devices to selected devices… encryption is removed…

Anyway, I created the default config (LVM encrypted, btrfs and snapshot)… SUSE created me only 65 GB… I stayed with that for the install…

After that, when I booted on the system, I used parted to increase to full size… that worked…

Really not easy…

I think you haven’t understood…

In volume management, you need to create a volume group… system… you select the device (/dev/sda2)… click on add… encryption is lost there… after that you add logical volumes on it (root, home…)

No, encryption is not lost there. If you look closely, you will see that “/dev/sda2” is still flagged for encryption.

You start with “/dev/sda2”, and encrypt that. The result is virtual disk space, which showed as “/dev/mapper/cr_sda2” on your video.

Next, you create an LVM. And yes, the partitioner is a bit confusing there. You tell it to add “/dev/sda2” to the LVM. But that isn’t what it does. It actually adds the virtual “/dev/mapper/cr_sda2” to the LVM.

The partitioner doesn’t directly mention “/dev/mapper/cr_sda2”. But as long as it still shows “/dev/sda2” as encrypted, all references to “/dev/sda2” are really references to the virtual “/dev/mapper/cr_sda2”.

I’ve done this many times, both with the old partitioner and the new partitioner. And that’s how it works. You can also do it manually at the command line, using “pvcreate” to create the LVM. And, if you do it that way, you do have to specify “/dev/mapper/cr_sda2” as the physical volume on which the LVM is to be built.
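The same stack built by hand, to make the point above concrete: the LUKS container is on “/dev/sda2”, and LVM is created on the mapper device, never on the raw partition. This is an added example, not the poster’s commands or YaST code; the names “cr_sda2”, “system”, the sizes and the file systems (btrfs root, xfs home) are assumptions taken from the thread, and DRY_RUN is a constructed switch that prints the commands instead of running them.

```shell
#!/bin/sh
# Manual LUKS -> LVM layout as described in the thread. Constructed example.
# Run as root on an empty partition; set DRY_RUN=1 to only print the commands.

# run CMD... -> executes CMD, or prints it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# build_encrypted_lvm DEV VG ROOT_SIZE SWAP_SIZE
#   DEV: raw partition (e.g. /dev/sda2); VG: volume group name (e.g. system)
build_encrypted_lvm() {
    dev=$1; vg=$2; root_size=$3; swap_size=$4
    name="cr_$(basename "$dev")"              # cr_sda2, the name YaST uses
    run cryptsetup luksFormat "$dev"          # the real device only ever holds ciphertext
    run cryptsetup open "$dev" "$name"        # creates /dev/mapper/cr_sda2, the plaintext view
    run pvcreate "/dev/mapper/$name"          # physical volume on the mapper device, NOT on $dev
    run vgcreate "$vg" "/dev/mapper/$name"
    run lvcreate -L "$root_size" -n root "$vg"
    run lvcreate -L "$swap_size" -n swap "$vg"
    run lvcreate -l 100%FREE -n home "$vg"    # remaining space, as suggested above
    run mkfs.btrfs "/dev/$vg/root"            # volumes show as "unencrypted" but sit on cr_sda2
    run mkswap "/dev/$vg/swap"
    run mkfs.xfs "/dev/$vg/home"
}
```

Afterwards `lsblk -o NAME,TYPE,FSTYPE` shows sda2 as crypto_LUKS with cr_sda2 underneath it and the three logical volumes under that, which is the layering the partitioner hides behind the lock icon.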

If you decide to format the existing encrypted non-LVM root during reinstallation, the installer recreates the encrypted partition from scratch, so this does not apply. I could not come up with a use case for reinstalling over an existing root without formatting it (this is what the “re” in reinstalling means, as far as I can tell).

LVM encrypted

Add volume

Encryption removed

“/dev/sda2” is not encrypted anymore…

So encryption is not kept in the summary of the operations to do on the disk… nothing about encryption… I decided to continue the installation… to see if magically YaST will do encryption… and nothing about that when I booted…

I will try going through this today or tomorrow, and see what happens.