Encrypted Root Filesystem with openSUSE 11.3, 64bit broken ?

this is a copy of: http://forums.opensuse.org/english/get-help-here/pre-release-beta/436229-opensuse-11-3-encrypted-root-file-system.html
I figured it would be better seen and appropriate to post this in the Install/Boot/Login subforum since it applies to the final product

I stumbled over the same problem

I originally had intended to migrate to openSUSE from my Gentoo system - but how am I supposed to do that if the most elemental things don’t even work ? :frowning:

The error message, btw, is:

Error
You have assigned an encrypted filesystem to a partition with one of the following mount points: “/”, “/usr”, “/boot”, “/var”. This is not possible. Change the mount point or use a nonloopbacked file system.

partition so far was:

/boot (250 MB)
/ ext4 w. [Encrypt device] checked (7 GB)

I was intending to add an encrypted swap partition with 1 GB but I think I’ll postpone that for later

the test-installation or the approach of it took place in a virtualbox environment (3.2.6), 64bit openSUSE 11.3

edit:

seems like I need to use the following “trick”: http://lizards.opensuse.org/2009/03/18/encrypted-root-file-system-on-lvm/

it seems the “LVM Based” approach and checking [Encrypt Volume Group] works

mea culpa :wink:

thanks for getting this working !

the installer, however, should advise the user to use LVMs to use an encrypted system with encrypted root partition and swap :stuck_out_tongue:

On 08/03/2010 10:36 AM, kernelOfTruth wrote:
>
> it seems the “LVM Based” approach and checking [Encrypt Volume Group]
> works
>
> mea culpa :wink:
>
> thanks for getting this working !
>
> the installer, however, should advise the user to use LVMs to use an
> encrypted system with encrypted root partition and swap :stuck_out_tongue:

Your suggestion sounds like a good one. Please go to openFate
(http://en.opensuse.org/openSUSE:Openfate) and enter it there.

done:

https://features.opensuse.org/310279

On 2010-08-03 17:36, kernelOfTruth wrote:

> the installer, however, should advise the user to use LVMs to use an
> encrypted system with encrypted root partition and swap :stuck_out_tongue:

I believe it is possible without LVM, yast does it from scratch. I have never used it, so I don’t
know how it is done.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” GM (Elessar))

Hi Carlos,

thanks for that information,

I just tried to install openSUSE 11.3 in practice but couldn’t get it to create a partition scheme with an encrypted / (root)

neither without LVM nor with it

this really needs some more documentation and support

encryption still is kind of a stepchild for *buntu, openSUSE and several other distributions - what a pity !

On 2010-08-04 02:06, kernelOfTruth wrote:
>
> Hi Carlos,
>
> thanks for that information,
>
> I just tried to install openSUSE 11.3 in practice but couldn’t get it
> to create a partition scheme with an encrypted / (root)
>
> neither without LVM nor with it
>
> this really needs some more documentation and support

I had a few links, but not in this computer. The computer that has them is off-service right now.
I’m sure there was something in our wiki, but that’s in turmoil at the moment. Long moment.

I thought this worked out of the box, perhaps it is broken in 11.3. Have you tried in 11.2? I heard
that people had just “done it”. But as I say, I have never used it, what I use is encrypted data
partitions, not the system one.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” GM (Elessar))

On 2010-08-04 03:08, Carlos E. R. wrote:
> On 2010-08-04 02:06, kernelOfTruth wrote:

>> this really needs some more documentation and support
>
> I had a few links, but not in this computer. The computer that has them is off-service right now.
> I’m sure there was something in our wiki, but that’s in turmoil at the moment. Long moment.

Here!

I found using google, our site search is almost useless.

<http://www.google.es/search?as_q=&hl=es&num=100&btnG=Buscar+con+Google&as_epq=encrypted+root&as_oq=&as_eq=&lr=&cr=&as_ft=i&as_filetype=&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=opensuse.org&as_rights=&safe=images>

<http://old-en.opensuse.org/Encrypted_Root_File_System>

and:

https://features.opensuse.org/305633
#305633: Support installation with encrypted root file system
openSUSE-11.2: Done

Reported as “done”, so it should work. Could you read it and report back? :slight_smile:
(I’m off to bed)


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” GM (Elessar))

thanks again Carlos ! :slight_smile:

now that’s a bunch of unintuitive steps :wink:

I already had read those sites you posted yesterday but unfortunately didn’t “get it” that time (it was already late)

so here are the steps to do it manually [including description] since most of the time there will already be several existing partitions on the harddrive:

so to break it down:

The feature is near to be done. There were described a lot of scenarios and after discussion with Arvin the implementation works by following steps:
create separate /boot partition (it is not encrypted)
create encrypted partition for LVM
create LVM based on encrypted partition
create logical volumes on LVM (they are not encrypted)

(#31 in https://features.opensuse.org/305633)

we’re starting at the step “Disk” of the Installation

*1) (possibility 1) if you have a completely empty harddrive and would like to go the convenient way just choose “LVM based” and check Encrypt Volume Group

afterwards click [Next]

that should be enough !

e.g. for a 10 GB (virtual)harddrive the partitioning would be:

pic1

nice ! it includes /home, / (root) and a swap partition

*2) (possibility 2, based on 1)

most of the time the default partitioning isn’t good enough for your needs, either one of the partitions is too big - another one too small or there simply is one missing (e.g. /usr)

so click on [Edit Partition Setup]

leave the section “Hard Disks” alone and directly go to Volume Management

the first confusing thing is that it doesn’t say that any of the partitions are encrypted (pic2) but that’s OK since the encryption was taken care of one layer up at the “Hard Disks” section (pic3) there you’ll see that there’s a padlock symbol in the “Enc” column

(total view pic4)

now to edit the LVM at the “Volume Management” section, which is called “system” you can right-click on those pre-created partitions and delete, resize or Edit

if you’re ready click on Accept to continue

*3) (possibility 3 - manual partitioning with encryption)

choose (*) “LVM based” and check [x] Encrypt Volume Group

then click on “Create Partition Setup”

afterwards choose (*) “Custom Partitioning (for experts)” (how flattering ;))

go to “Hard Disks” and add a /boot partition

“Add Partition” -> Primary Partition -> edit “Size” to 100.00 MB (or more if needed) -> “Next” -> choose the partition type to your liking at “File System” (ext2, ext3, ext4, Reiser) should be safe choices

make sure you do NOT have [ ] ticked Encrypted device ! - you can’t boot from an encrypted /boot

at “Mount Partition” change the “Mount Point” to /boot

then click on “Finish”

those speed-concerned folks can select “No access time” at “Fstab Options”

now on to the crucial part !

go to “Hard Disks” and add an encrypted LVM “partition”

now this is the second confusing thing:

“Add Partition” -> Primary Partition -> you can choose your Custom Size or set it to “Maximum Size” -> tick (*) “Do not format the partition” and choose “0x8E Linux LVM”

(that’s somewhat counter-intuitive - isn’t it ?)

Make sure you tick [x] “Encrypt device” !!

leave it at (*) “Do not mount partition”

pic5

click on “Finish”

after that it’ll prompt for a password -

pic6

make sure you’ll remember it afterwards otherwise your system and data will unrecoverably be gone forever ! :idea:

another time click on “Finish”

from there go to Volume Management

click on “Add” and select “Volume Group”

give it a name under “Volume Group Name”, e.g. system

you can leave “Physical Extent Size” at the default (4 MB)

under “Available Physical Volumes” (on the left side) click on the device (here /dev/sda2) which should have a padlock symbol under the column “Enc”, Type “Linux LVM”

click on “Add”

it now should be in the section “Selected Physical Volumes” (on the right side)

click on “Finish”

from there proceed with your partitioning as you like by

clicking on

Add -> Logical Volume

when you’re finished (e.g. like this partitioning scheme, pic8)

click on “Accept”

now you’re back at the screen with the title “Suggest Partitioning” (step “Disk” on the left)

don’t get confused or frustrated !

it has kept your (“user defined”) partitioning scheme: pic9

you can check in the summary whether everything went correct

afterwards click on “Next”

proceeding to the installation part called “User Settings”

now proceed as usual :slight_smile:

and of course -

Have a nice day && a lot of fun!

notice: picture illustrating the steps will follow soon after I’ve uploaded them !

I don’t care if you should doublepost or not - if the forum doesn’t take that large posts - that’s the only way to post this How-To !
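
Added example, not part of the thread: a check that an installed system really has the layout the how-to aims for (unencrypted /boot, with / and swap on logical volumes that sit on an encrypted partition). It assumes a system whose util-linux provides `lsblk`; the sample output and its device names are constructed for illustration.

```python
import shlex

# Constructed sample of `lsblk -P -o NAME,KNAME,PKNAME,TYPE,MOUNTPOINT` for the
# layout the how-to produces; device names are illustrative, not from the thread.
SAMPLE = """\
NAME="sda" KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
NAME="sda1" KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
NAME="sda2" KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
NAME="cr_sda2" KNAME="dm-0" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
NAME="system-root" KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
NAME="system-home" KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/home"
NAME="system-swap" KNAME="dm-3" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
"""

def parse(text):
    """Turn KEY="value" lines into dicts (shlex handles the quoting)."""
    return [dict(f.split("=", 1) for f in shlex.split(line))
            for line in text.splitlines() if line.strip()]

def check_layout(text, encrypted=("/", "[SWAP]"), plain=("/boot",)):
    """Return a list of problems; an empty list means the layout matches."""
    types, parents, mounts = {}, {}, {}
    for d in parse(text):
        types[d["KNAME"]] = d["TYPE"]
        if d["PKNAME"]:  # a device may be listed once per parent
            parents.setdefault(d["KNAME"], set()).add(d["PKNAME"])
        if d["MOUNTPOINT"]:
            mounts.setdefault(d["MOUNTPOINT"], set()).add(d["KNAME"])

    def on_crypt(kname):
        # Encrypted only if every path down to the disk crosses a crypt layer,
        # so a volume group that also spans a plain partition fails the check.
        if types.get(kname) == "crypt":
            return True
        below = parents.get(kname, ())
        return bool(below) and all(on_crypt(p) for p in below)

    problems = []
    for mp in encrypted + plain:
        if mp not in mounts:
            problems.append(f"{mp}: no device found for it")
    for mp in encrypted:
        problems += [f"{mp} ({k}): not on an encrypted device"
                     for k in sorted(mounts.get(mp, ())) if not on_crypt(k)]
    for mp in plain:
        problems += [f"{mp} ({k}): encrypted, cannot be booted from"
                     for k in sorted(mounts.get(mp, ())) if on_crypt(k)]
    return problems

if __name__ == "__main__":
    print(check_layout(SAMPLE) or "layout OK")
```

On a live system, pass the real `lsblk -P -o NAME,KNAME,PKNAME,TYPE,MOUNTPOINT` output to `check_layout` instead of `SAMPLE`.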