Few questions about full encrypted system (on modern laptops with SSD disk)

Hi. I’ve read some articles about this topic and it seems to me that getting a fully encrypted system with OpenSUSE is quite easy. Just check ‘Create LVM Based Proposal’ and then ‘Encrypt Volume Group’ during the installation, at least in 11.3. However I wasn’t able to find much about features of this particular encryption, so here are my questions:

  1. Some new processors, like Intel Core i7, provide hardware-accelerated AES encryption. Will this work in OpenSUSE?
  2. Will hibernating and suspending to RAM work with a fully encrypted system?
  3. I’ve read that there are some issues with encrypting SSD disks, for example with the TRIM feature. Are there some extra ‘tweaks’ in OpenSUSE for better SSD disk support? Generally, how will the performance and ‘life’ of the disk be affected by encryption?
  4. I’ve also read that SSD disks require special partition alignment in order to get the best performance. Does OpenSUSE have this in mind when creating the LVM structure? Or do I have to (and can I…) adjust the partitions manually?
  5. Last silly question: what does the prompt for the password look like and when does it appear? :slight_smile:

It’d be great to get the most up-to-date info concerning the new upcoming OpenSUSE 12.1.

I have a blog post on encryption where I discuss some of the possibilities.

Yes, you are correct that it is pretty easy to do with an encrypted LVM. Technically, it is not quite “fully encrypted” because “/boot” will be unencrypted. You will need a separate “/boot” partition. Mine is 100M, which is adequate, though you might make it a tad bigger if you want to experiment with alternative kernel versions.

Now to your specific questions:

  1. Yes, I believe it will use hardware accelerated encryption. I have not tested that, since I don’t have suitable hardware. However, I do see messages about failing to load the module that is used to connect with the hardware encryption.

  2. Yes, hibernating and suspending to ram do work. I think hibernation does not work with only encrypted “/home” and swap - the check for the presence of a hibernation image is done before the decryption of “/home” and swap. But with encrypted LVM, the decryption is handled by the “initrd” (loaded from “/boot”) at an early stage of bootup, and hibernation checks are done later. I did actually test that, and it worked well.

3 and 4. Sorry, I don’t know much about SSD, so can’t help you there.

  5. The prompt for the password is done soon after the kernel is loaded. It is done in ASCII on the console (looking like a command line interface screen). The actual line requesting the key is in bold, so brighter than other lines on the screen. And if you get it wrong, it will prompt you again.

Incidentally, I currently have 12.1 rc1 installed in an encrypted LVM on my laptop. The presence of encryption is not very noticeable, except for the prompt for a key during startup.

When first setting up an encrypted LVM, you will need to backup anything important to somewhere else (such as an external drive), then restore on the running system.

When updating to a new release of opensuse, select “create partitions” on the partitioning screen, then select expert mode. You can tell it to use the existing LVM, and thus retain whatever is on “/home”.

Hey thanks, especially for the very colorful description of the password prompt :slight_smile:

I don’t think that lack of hw-accelerated encrypting would affect performance with such a powerful processor like i7 but it could affect the battery life and that’s quite important with laptops. Maybe the module won’t load just because your hw doesn’t support it…

Anyway hopefully someone will know something about the support of SSD disks in OpenSUSE. They’re getting quite popular.

Yes, that’s my assumption. My comment about it not loading was intended as the evidence that the system does indeed attempt to load it.
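One way to check the point discussed above, as an added example that is not part of any post in the thread: it tests whether the CPU advertises the `aes` flag and which kernel AES driver has the highest priority in `/proc/crypto`. The file-path arguments are this example's own convention, and looking only at the base `aes` entry is a simplification.

```shell
#!/bin/sh
# Added example, not from the thread: does the CPU advertise AES-NI, and
# which kernel AES implementation currently has the highest priority?

# cpu_has_aes [FILE]: succeeds if the first "flags" line lists "aes".
cpu_has_aes() {
    grep -m1 '^flags' "${1:-/proc/cpuinfo}" | tr ' \t' '\n\n' | grep -qx 'aes'
}

# best_aes_driver [FILE]: print the driver registered for the base "aes"
# cipher with the highest priority (the one the crypto API prefers).
# Simplification: mode templates such as xts(aes) are not inspected.
best_aes_driver() {
    awk -F' *: *' '
        $1 == "name"     { name = $2 }
        $1 == "driver"   { driver = $2 }
        $1 == "priority" && name == "aes" && $2 + 0 > best {
            best = $2 + 0; win = driver
        }
        END { if (win != "") print win }
    ' "${1:-/proc/crypto}"
}

# Report for the running system when the proc files are readable.
if [ -r /proc/cpuinfo ] && [ -r /proc/crypto ]; then
    if cpu_has_aes; then
        echo "CPU: aes flag present"
    else
        echo "CPU: no aes flag"
    fi
    echo "preferred kernel AES driver: $(best_aes_driver || true)"
fi
```

A result of `aes-generic` means the software implementation is in use; `aes-aesni` means the hardware-backed driver is registered.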

You may want to read “Using a SSD Hard Drive with openSUSE and the TRIM Command” for info about optimizing for SSDs.

I’ve read the article and several others and I’m kind of confused.

The guy in the thread you posted uses realtime discard which is easy to turn on in fstab. This method has also been recommended in other non-SUSE docs I came across. However if you look at the official OpenSUSE documentation you can read that this method hasn’t been optimized well and actually leads to a performance decrease instead of an increase. The document recommends using the script wiper.sh instead, which should be called approximately once a week.

The problem is that neither of these two sources says anything about encrypting the disk and LVM. So I kept looking and I found this article. The guy here claims that dm-crypt actually doesn’t support passing the trim command to the underlying device (however I’m not sure whether the “encryption” in SUSE uses dm-crypt… does it?). He suggests a workaround with some patched wiper.sh but doesn’t provide any further info about how often to use it… And also doesn’t say anything about LVM.

Anyway… the new OpenSUSE with much newer kernel is coming out soon and all this information is quite old… considering the fact that this area of SSD disk is really new and is changing fast. Does anyone know anything about the support of SSD disk in OpenSUSE 12.1?

  1. My understanding is that TRIM does not work out of the box with encrypted containers for security reasons, but it can be manually enabled after boot while opening the container (https://forums.opensuse.org/english/get-technical-help-here/hardware/482089-how-enable-trim-luks-encrypted-ssd-boot.html#post2518305). However, to date, I haven’t been able to find a good way to enable it on boot.

  2. I’ve read somewhere that the partition tool in openSUSE 12.2 takes care of alignment of partitions automagically :slight_smile: Anyway I noticed a good speed increase after switching to SSD and have not needed to align (or “move”) my partitions during or after installation. Although to be fair I haven’t bothered to find out if they are perfectly aligned due to said speed increase.
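The two checks raised in this thread, as an added example that is not part of any post: whether a dm-crypt mapping passes TRIM down (the `allow_discards` flag in `dmsetup table` output, which a `discard` option in `/etc/crypttab` requests at boot where the distribution's crypttab supports it) and whether a partition start is aligned. Passing discards lets anyone who can read the raw disk see which blocks are unused. The 1 MiB boundary, the mapping names and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Sample inputs in the test are constructed.

# crypt_allows_discards "LINE": LINE is one line of `dmsetup table` output.
# Succeeds only for a dm-crypt target carrying the allow_discards flag.
crypt_allows_discards() {
    case " $1 " in
        *" crypt "*" allow_discards "*) return 0 ;;
        *) return 1 ;;
    esac
}

# crypttab_requests_discard NAME [FILE]: succeeds if the option list
# (4th field) of NAME's crypttab entry contains "discard".
crypttab_requests_discard() {
    awk -v n="$1" '
        $1 == n { c = split($4, o, ",")
                  for (i = 1; i <= c; i++) if (o[i] == "discard") found = 1 }
        END { exit found ? 0 : 1 }
    ' "${2:-/etc/crypttab}"
}

# is_aligned START [BOUNDARY]: START is in 512-byte sectors, as reported in
# /sys/block/<disk>/<partition>/start. BOUNDARY defaults to 1 MiB (assumption).
is_aligned() {
    [ $(( $1 * 512 % ${2:-1048576} )) -eq 0 ]
}

# Stand-alone report: list every dm-crypt mapping and its TRIM behaviour.
if command -v dmsetup >/dev/null 2>&1; then
    dmsetup table 2>/dev/null | while IFS= read -r line; do
        case "$line" in *" crypt "*) ;; *) continue ;; esac
        if crypt_allows_discards "$line"; then state="passes TRIM down"
        else state="does not pass TRIM"; fi
        echo "${line%%:*}: $state"
    done
fi
```

Run it as root so `dmsetup table` can read the mappings; `is_aligned "$(cat /sys/block/sda/sda2/start)"` checks one partition, with `sda2` standing in for the real device.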