Encrypted installation with optane cache and TPM

Hello all! I’m looking to install OpenSUSE Tumbleweed on my laptop but I’m hoping that I could receive some input beforehand as I am still only an intermediate Linux user and I haven’t found a single comprehensive guide on what I’m trying to do. Hopefully, this thread will help to consolidate my research and address any flaws in my plan.

Some backstory:

I own an HP Spectre convertible laptop. Notable for this post, it comes equipped with a 32 GB Intel Optane drive for use in Windows as a caching device and a trusted platform module (TPM).

For some reason, its Windows support was atrocious: it always ran hot, it was plagued by sleep issues, and it only lasted 2 weeks before coming to an irreparable bluescreen that I could not recover Windows from (the system restore points that I had set up also conveniently didn’t work). Seeing as it was a warranty replacement for a previous Spectre with a broken mic that had also run into an unfixable bluescreen that resulted in me having to reinstall Windows, I decided enough was enough and decided to install Manjaro’s KDE spin. At this point, my Linux knowledge was fairly limited, so I forewent disk encryption in the install, disabled Secure Boot (as it seems Manjaro does not support this), and left the Optane drive unused as I was not sure how to make use of it.

Since then, I’ve become more experienced with Linux, using it as my daily driver both on the Spectre as well as a separate, older “workstation” laptop that I have wired up as if it were a desktop. While it still works, the Spectre has become a bit unstable in starting up and shutting down, to the point where I was considering a reinstall. I wasn’t sure if I wanted to install Manjaro again, so I did some research and found OpenSUSE Tumbleweed to be highly compelling.

Meat of the question:

I want to actually make use of the hardware and security features of my laptop, especially as COVID restrictions begin to lessen and I start to travel with it more.

Based on this wiki page, it seems encrypting an OpenSUSE install is very straightforward. Typing the key at every boot seems like it would be a hassle though, especially compared to the functionality of BitLocker on Windows, where it would automatically decrypt on normal boots without needing a password to be inputted. Luckily, this Reddit comment discussing trusted boot makes it seem as if OpenSUSE does have this functionality available through use of a TPM, and that it is easily accessible at install.

Then, the final piece of the puzzle is to make use of the 32 GB Optane drive as a caching solution, as I can’t figure out what else to do with it. I’ve found this article discussing how to do this in Ubuntu. Looking at it, nothing seems to be too Ubuntu-specific (aside from the apt commands, of course), so I’m wondering if I can use it as a guide for OpenSUSE as well.

So, what are your thoughts? If I follow the encryption guide on the wiki, check the Secure Boot and trusted boot checkboxes in the installer, and follow the guide of the article for the Optane drive, should I be good? Will I need to somehow also add the Optane drive to the TPM so it is unlocked at boot as well?

Is there anything that I am overlooking or other items that I should take into consideration before following through with this? Thank you so much for your help!

Hmmm. Letting anyone into the system that happens to possess the laptop at a given time does not sound very secure! Note also that a running system is unlocked, so anyone managing to connect will see all data. So encryption protects against physical attacks (if you don’t give away all the keys) but not against remote attacks.

Thank you for your response!

I may not have been clear enough about the passwords on the device. The OS itself will still be password protected as I will not be using the autologin feature with SDDM. Mainly, I’m trying to avoid the step of also typing in the encryption key during boot at GRUB before entering my user account password.

My impression was that the purpose of disk encryption was to prevent unwanted data extraction from the physical device, whether through something like a live USB or the extraction of the hard drive. By storing the keys in the TPM, I hope to make use of this while still having the convenience of logging into the laptop as normal. Therefore, if someone tried to get data out of the drive from a live USB, it wouldn’t automatically decrypt and the key would need to be entered, allowing me to still do data recovery if I needed to while still preventing unwanted access. If someone were to boot the device normally, they would still have to find a way to get into my user account.

Thank you for the point about network security, I’ll definitely have to look into getting that properly set up as well.

The biggest risk with a laptop is that somebody steals the entire laptop. And, if they do that, they also have the TPM.

For a desktop machine, the main issue is that the hard drive eventually fails. And when you dispose of the old hard drive, the TPM does not accompany it. So you have protected the data. But, with a laptop, that isn’t the risk of greatest concern.

Typing the key at every boot seems like it would be a hassle though

The OS itself will still be password protected as I will not be using the autologin feature with SDDM.

Why not switch things, type a password at boot but have no password for the login?
That seems to me like the same effort but much safer.

The biggest risk with a laptop, is that somebody steals the entire laptop. And, if they do that, they also have the TPM.

I see.

Why not switch things, type a password at boot but have no password for the login?

That’s a good idea! I didn’t think of that before.

Thank you both for your input! It seems like I’ll have to do a bit more thinking about how I’m going to go about this security-wise.

Did anyone get a chance to look at the Optane article that I linked earlier? Do you think the steps listed there would also apply to openSUSE? I doubt the volume group will be named ubuntu-vg, but outside of that I can’t tell if anything else wouldn’t directly apply.

Thanks again for all your help!

I had a look at the Optane article and it made me remember a new laptop I bought: I tried installing Tumbleweed on it but found the SSD was not supported, and that had to do with Linux not supporting RST/Optane, as far as I remember. I remember digging in and found the Linux kernel maintainers did not like what Intel had made and things were not merged into the kernel. Not sure, but it almost seems like that is still the case, as the article writes:

It’s easy for Windows users: there is the preinstalled Intel RST driver, which sets up the Optane memory as cache for the SSD. But in Linux? No driver support from Intel for that.

First thing you should check is whether you can disable Optane/RST in the BIOS (this will impact Windows if you also run that):

So the first step is to disable the BIOS option “Advanced / System options / Configure Storage Controller for Intel Optane”. Have a look in the option ROM of the controller too, to make sure there is no combined device anymore.

If so, I think the article gives a good write-up on what is needed and I think it will work also for openSUSE. I think it is best to familiarize yourself with the tools/script before doing a conversion.
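
A pre-flight check and a conversion runbook to go with the article's steps (added example code, not from the thread or the article): dm-cache keeps copies of data blocks on the cache PV, so when the root LV lives inside LUKS the Optane PV has to be a LUKS container as well, and it must be opened at boot alongside the root. Names assumed: VG system, LV root, Optane at /dev/nvme1n1, mapping cr_cache; the lsblk sample is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the linked Ubuntu article.
# dm-cache stores copies of data blocks on the cache PV, so a cache PV that
# is not itself inside LUKS would hold plaintext fragments of the encrypted
# root. Assumed names: VG "system", root LV "root", Optane device
# /dev/nvme1n1, LUKS mapping "cr_cache".

# List PVs that do not sit on a dm-crypt device.
# Input on stdin: the output of `lsblk -rno NAME,TYPE,FSTYPE`.
find_plain_pvs() {
    awk '$3 == "LVM2_member" && $2 != "crypt" { print $1 }'
}

# Constructed sample of that lsblk output: root lives inside cr_root (LUKS),
# but the Optane device nvme1n1 was added to the VG as a plain PV.
SAMPLE_LSBLK='nvme0n1 disk
nvme0n1p1 part vfat
nvme0n1p2 part crypto_LUKS
cr_root crypt LVM2_member
system-root lvm ext4
nvme1n1 disk LVM2_member'

# Wrap the Optane device in LUKS first, then add it to the VG and attach it
# to the root LV as a cache pool. Set RUN=echo for a dry run that only
# prints the commands instead of executing them.
setup_encrypted_cache() {
    dev=$1; vg=$2; lv=$3; run=${RUN:-}
    $run cryptsetup luksFormat "$dev"        # asks for the passphrase
    $run cryptsetup open "$dev" cr_cache
    $run pvcreate /dev/mapper/cr_cache
    $run vgextend "$vg" /dev/mapper/cr_cache
    $run lvcreate --type cache-pool -l 100%FREE -n cache0 "$vg" /dev/mapper/cr_cache
    $run lvconvert -y --type cache --cachepool "$vg/cache0" "$vg/$lv"
    # The initrd must open cr_cache before the VG activates, so add an
    # /etc/crypttab line for it (its key handling must match the root device):
    #   cr_cache /dev/nvme1n1 none luks
}

# On the real machine (remove the leading '#'):
# lsblk -rno NAME,TYPE,FSTYPE | find_plain_pvs
# RUN=echo setup_encrypted_cache /dev/nvme1n1 system root
```

Run the check first; if it prints the Optane device, the cache was attached unencrypted and the data on it should be treated as exposed until the device is wiped and re-added via the LUKS path.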

I’m not sure if I had to do it for my Manjaro installation, but I do remember splitting the storage devices in the BIOS and disabling Optane-related stuff previously. I don’t plan on ever running Windows again, so that shouldn’t be an issue either. I’ll definitely look into LVM and thin provisioning a bit more, though, as I’ve never made use of that technology before. Thanks for your insight, I really appreciate it!

Optane is good for speeding up an HDD, but not an SSD. To speed up an SSD, use a fast NVMe drive.
You may use Optane as a simple NVMe drive: put on it swap, or /, or part of /, or /home, or even part of a swap + part of a /.