From 11.4 to 12.3 with root Luks encryption.

Hi,

I would like to start by saying that this is by no means a howto.
I made this post just as an explanation of an update strategy I use on an old PC I have that I don't want to reconfigure completely with a more up-to-date setup on openSUSE 12.3 (OS).
So I will retain the current partitions on disk.

The scenario is the following one:
Old PC with 3 ext3 partitions encrypted with LUKS. One of them is root (/)!
The PC has been like this since openSUSE version 10.3 (I think) (later version 10, then upgraded up to 11.4 … and now from 11.4 to 12.3 :slight_smile:), always the same method … fresh install.

So the strategy is the following … install all fresh on the disk, preserving only the current /home.

  • The install is done on the only NON-encrypted partition on disk, so that I can reconfigure and rsync the / partition to an encrypted one and boot with an encrypted / and all the others on disk just like the initial install.

I have always followed the first method since the early version 9 days (yes, version 9 … history in the making!!) to install on encrypted root filesystems. Now a deprecated process …

SDB:Encrypted root file system (deprecated) - openSUSE

The setup I have is the following:

This also serves the purpose of documenting a migration I made some months ago from old 11.4 laptops with encrypted partitions.
Sharing is gaining.

This process is also explained on:

https://forums.opensuse.org/english/get-technical-help-here/install-boot-login/488393-11-1-11-4-12-3-luks-encryption.html
It is a bit redundant, but this time I am a bit clearer about the whole process.

Initial configuration:

/dev/sda1 ext3 /boot
/dev/sda2 swap encrypted with LUKS
/dev/sda3 / ext3 encrypted with LUKS
/dev/sda4 /var ext3 un-encrypted filesystem
/dev/sdb1 ext3 /home encrypted with LUKS

During the install we will make a partition setup with ONLY two partitions:

-> /dev/sda1 ext3 non-encrypted /boot
-> /dev/sda4 ext3 non-encrypted /

Note: a USB-based HDD can be used as a temporary / for this fresh install if no partition is available on the HDD.

During the install I chose to set up the partitions myself and then used expert mode to make the above partition scheme.
I also chose the option to format both partitions.
These will be the only two partitions in the new install from DVD. The installer complains about not having swap … ignore it.
After that I simply choose a KDE desktop basic install and let the install proceed.

After the first boot I start by opening the encrypted filesystems; as root execute:


cryptsetup -v luksOpen /dev/sda3 root
cryptsetup -v luksOpen /dev/sda2 swap
cryptsetup -v luksOpen /dev/sdb1 home

Then I run swapon on the now-opened old swap.

swapon /dev/mapper/swap

I then mount both /home and /root.


mkdir /mnt/root
mount -t ext3 /dev/mapper/root /mnt/root

mkdir /mnt/home
mount -t ext3 /dev/mapper/home /mnt/home

From the documentation it is obvious that systemd now handles all the encryption, so when installing on an old LUKS-encrypted partition it is only crucial that mkinitrd lets the kernel "know" about the encrypted root partition,
and that we make a crypttab file according to what we have on the disk.

So, to prepare the next boot on the initial configuration, I will make /etc/fstab and /etc/crypttab contain the initial partition setup, also so that mkinitrd works accordingly.

So I edit /etc/fstab to look like:


/dev/mapper/root     /      ext3    acl,user_xattr        1 1
/dev/mapper/swap   swap     swap    defaults              0 0
/dev/mapper/home   /home    ext3    acl,user_xattr        1 2

Note: place a # in front of the current / and /boot lines … if something goes wrong you can still boot the current fresh install as is.

Editing the /etc/crypttab:


root /dev/sda3 none luks
home /dev/sdb1 none luks
swap /dev/sda2 none luks

Now with these files edited I update the initrd:

mkinitrd -d /dev/mapper/root 

And now the final, most important step: copy the current / with all the changes in /etc/fstab and /etc/crypttab to the initial partition where it should be, to maintain the initial partition setup:

First erase everything previously in /mnt/root:

rm -rf /mnt/root/*

Then rsync the two:


cd /
rsync -AHSXax / /mnt/root/

wait until it is over and reboot …

On the first reboot the system did ask me for the password but somehow it could not boot.
Then I shut down the PC and rebooted it again and: Voilà! It worked!

After that I made the necessary changes, like updating all software, kernel included, and adding the remaining users the previous version had (in the same order … same UID numbers),
and adding all the missing software …

All fresh, and the desktop environment was almost the same … same windows, same desktops, same apps opened … same Firefox windows …
The advantage of this update is that it allows the same desktop environment to remain from one OS to the next … even if, like in this case, from 11.4 to 12.3!

Regards.
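The post above edits /etc/fstab and /etc/crypttab by hand and relies on the two agreeing. The following is an added example, not part of the original post: it generates both sets of lines from one table (the partition layout from the post, used here as constructed input) and checks that every /dev/mapper/NAME that fstab mounts is actually declared in crypttab. A mapper name that fstab needs but crypttab never opens is exactly the kind of mismatch that leaves the initrd waiting for a device that never appears.

```shell
#!/bin/sh
# Added example, not the original poster's script. Generates /etc/crypttab and
# /etc/fstab lines for a set of LUKS volumes and checks that they agree.
# The volume table below is constructed from the partition layout in the post.

# <mapper name> <LUKS partition> <mount point> <fstype> <fsck pass>
VOLUMES='root /dev/sda3 / ext3 1
swap /dev/sda2 swap swap 0
home /dev/sdb1 /home ext3 2'

# Print crypttab lines: the third field "none" means the passphrase is asked
# for at boot, the fourth field selects the LUKS handler.
gen_crypttab() {
    printf '%s\n' "$VOLUMES" | while read -r name dev mnt fs pass; do
        [ -n "$name" ] || continue
        printf '%s %s none luks\n' "$name" "$dev"
    done
}

# Print fstab lines that mount the mapper devices, never the raw partitions.
gen_fstab() {
    printf '%s\n' "$VOLUMES" | while read -r name dev mnt fs pass; do
        [ -n "$name" ] || continue
        if [ "$fs" = swap ]; then
            printf '/dev/mapper/%s %s swap defaults 0 0\n' "$name" "$mnt"
        else
            printf '/dev/mapper/%s %s %s acl,user_xattr 1 %s\n' "$name" "$mnt" "$fs" "$pass"
        fi
    done
}

# check_tables <fstab> <crypttab>
# Returns 0 when every /dev/mapper/NAME used in fstab has a crypttab entry
# named NAME; otherwise prints the missing names on stderr and returns 1.
check_tables() {
    fstab=$1
    crypttab=$2
    missing=0
    for name in $(awk '$1 ~ /^\/dev\/mapper\// { sub("/dev/mapper/", "", $1); print $1 }' "$fstab"); do
        if ! awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$crypttab"; then
            echo "fstab mounts /dev/mapper/$name but crypttab does not declare \"$name\"" >&2
            missing=1
        fi
    done
    return $missing
}

# Typical use before building the initrd (commands from the post, not run here):
#   gen_crypttab > /etc/crypttab
#   gen_fstab   >> /etc/fstab
#   check_tables /etc/fstab /etc/crypttab && mkinitrd -d /dev/mapper/root -f "dm luks"
```

Run the check again after any later edit to either file: the failure mode it catches only shows up at the next reboot, when the fresh install on /dev/sda4 is no longer the default boot target.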

Hi,

Geez!!! I never expected to make so many typos and writing errors in the same text :(.
Sorry folks for the errors in the initial text … I was kind of tired when I wrote that.

Also, some very important things that I did not mention previously:

First:

A correction has to be made because the mkinitrd command should have been:

mkinitrd -d /dev/mapper/root -f "dm luks"

Second, all the initial install and setup was done BEFORE any update! I have seen a mkinitrd/cryptsetup update in the OS update, but that was simply not used since all was done before the update. Only after booting on the encrypted root partition did I make the required online upgrades (actually the network card was not even set up … only after the install).

Second:

Also don’t forget that after making the mkinitrd command one must edit the file /boot/grub2/grub.cfg.

In previous threads I have tried to make the correct adjustments to the file. I would like to dedicate more time to this issue in order to make a grub template of some sort to make this automatic … but I have no time … so it will be done by hand editing.

If you look into the file, the linux /vmlinuz … line is what tells the kernel where the root partition is, and that is by default always written with UUIDs.

In this case this simply cannot work, since we have to tell the kernel to use the encrypted root partition we just changed.

So after issuing the mkinitrd command above I edit the lines in the grub2 config file /boot/grub2/grub.cfg to match the desired result.

The Linux kernel command line is easy to spot; I just put a # before the original line and then inserted the correct line into /boot/grub2/grub.cfg:


### BEGIN /etc/grub.d/10_linux ###
menuentry 'openSUSE 12.3' --class 'opensuse-12-3' --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-b8c05d06-718e-450a-8485-5626d248e804' {
        load_video
        set gfxpayload=keep
        insmod gzio
        insmod part_msdos
        insmod ext2
        set root='hd0,msdos1'
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1'  68a0ac2d-3d9e-48b8-ada8-01103d712638
        else
          search --no-floppy --fs-uuid --set=root 68a0ac2d-3d9e-48b8-ada8-01103d712638
        fi
        echo    'Loading Linux 3.7.10-1.16-desktop ...'
        # linux /vmlinuz-3.7.10-1.16-desktop root=UUID=b8c05d06-718e-450a-8485-5626d248e804   splash=silent quiet showopts
        linux  /vmlinuz-3.7.10-1.16-desktop root=/dev/mapper/root luks_root=/dev/sda3 luks="root" splash=silent quiet showopts
        echo    'Loading initial ramdisk ...'
        initrd  /initrd-3.7.10-1.16-desktop
}

As can be seen, it is paramount to place the correct kernel command line

-> linux /vmlinuz-3.7.10-1.16-desktop root=/dev/mapper/root luks_root=/dev/sda3 luks="root" splash=silent quiet showopts

on the grub.cfg file

Notice that:
linux /vmlinuz-3.7.10-1.16-desktop root=/dev/mapper/root luks_root=/dev/sda3 luks="root" splash=silent quiet showopts
is kernel 3.7.10-1.16, not the original 3.7.10-1.1-desktop … this is a copy from the current after-update install.

This I also did by editing the same /boot/grub2/grub.cfg after the usual online update.
Which brings me to the next point.

Third:

Very important note:
As in all the previously installed versions I had, every time I make a kernel update I have to remake this grub config file. The same was true with the previous grub version.
With GRUB 2 it's the same.
After an update the GRUB 2 files are totally rewritten with the UUIDs, like in the commented line

linux /vmlinuz-3.7.10-1.16-desktop root=UUID=b8c05d06-718e-450a-8485-5626d248e804 splash=silent quiet showopts

That is what the update does to your grub file.
So all care has to be taken in order to avoid a bad boot after an update.
It is a simple matter of making sure the grub file is up-to-date with the correct info and kernel parameter line.

Regards.
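The hand edit described in this post (comment out the generated linux line, add one with root= pointing at the mapper device plus luks_root= and luks=) can be applied with awk so it is repeatable after every kernel update. The following is an added example and not the poster's own script; the mapper name and partition are the ones from the post and must be adjusted to match your layout. It writes to a separate output file so nothing in /boot changes until you review the diff and copy the result back.

```shell
#!/bin/sh
# Added example, not from the original post. Rewrites the kernel command line in
# a grub.cfg the way the post does by hand: every "linux /vmlinuz-... root=UUID=..."
# line is kept as a commented copy and followed by the same line with root=
# replaced by the mapper device and the luks_root=/luks= parameters.

MAPPER_NAME=root      # mapper name from /etc/crypttab (value from the post)
LUKS_DEV=/dev/sda3    # LUKS partition holding / (value from the post)

# rewrite_grub <input grub.cfg> <output file>
rewrite_grub() {
    awk -v name="$MAPPER_NAME" -v dev="$LUKS_DEV" '
        /^[ \t]*linux[ \t]+\/vmlinuz.*root=UUID=/ {
            print "#" $0            # keep the generated line for reference
            line = $0
            sub(/root=UUID=[^ \t]+/, "root=/dev/mapper/" name " luks_root=" dev " luks=\"" name "\"", line)
            print line
            next
        }
        { print }
    ' "$1" > "$2"
}

# count_uuid_root_lines <grub.cfg>
# Number of active (uncommented) kernel lines still using root=UUID=. It is 0
# right after a rewrite and goes back up when a kernel update regenerates
# grub.cfg, which is the cue that the rewrite has to be run again.
count_uuid_root_lines() {
    awk '/^[ \t]*linux[ \t]+\/vmlinuz.*root=UUID=/ { n++ } END { print n + 0 }' "$1"
}

# Usage (not run here):
#   rewrite_grub /boot/grub2/grub.cfg /tmp/grub.cfg.new
#   diff /boot/grub2/grub.cfg /tmp/grub.cfg.new     # review before installing
#   cp /tmp/grub.cfg.new /boot/grub2/grub.cfg
#   count_uuid_root_lines /boot/grub2/grub.cfg       # expect 0
```

Because grub2-mkconfig regenerates /boot/grub2/grub.cfg from scratch, any hand edit (scripted or not) is lost on the next kernel update, as the post notes; running count_uuid_root_lines after an update tells you whether the rewrite is needed again before you reboot.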

Hi,

Oh … almost forgot:

Remaking the /var mount to /dev/sda4 …

After all is set and done … remember:

/dev/sda4 has an entire / filesystem

And to make it all final, after the update and booting with / on the encrypted /dev/sda3 … → remember that /dev/sda3 also has an entire updated / filesystem :slight_smile:

so I simply do:

 mkdir /mnt/sda4var

then


  cd /
  mount -t ext3 /dev/sda4 /mnt/sda4var
  cd /mnt/sda4var/
  rm -rf ./*
  cd /
  rsync -AHSXax /var/ /mnt/sda4var/

This synced the current /var onto /dev/sda4.

After that I edit /etc/fstab and add the line:

 /dev/sda4 /var ext3 acl,user_xattr 1 2 

And this time that's it! I think I did not forget anything else … I hope …

Regards.

Hi,

Well after a kernel update on one of the migrated boxes a funny thing happened.
I usually remake the /boot/grub2/grub.cfg file in order to make the kernel command line like I explained earlier.
But this time I made an update to a system and forgot to make any changes and rebooted the machine right away.
Strangely enough, or more accurately normally enough, the kernel update changes the grub file accordingly and uses UUIDs to identify partitions.
The funny part is that I go a long way to make sure the kernel command line contains all the parameters to make sure the LUKS-encrypted partitions are used and actually explicitly shown on the kernel command line.

This time I rebooted with no grub config remake and … the kernel command line I get boots the PC with no problem!!
and the line I have now is the following one:

linux   /vmlinuz-3.7.10-1.16-desktop root=UUID=a3873ea7-b6bd-4929-b97a-e9f419c2788f   splash=silent quiet showopts

No reference there to any luks_root … nothing! Simple plain UUID of the partition … and it works.

Somehow I think the kernel handles the partitions correctly even with no explicit command to do so on the kernel boot command line.

And also I am starting to like systemd more …

Regards,