Full-disk encryption after install

Hi,

I’ve got an installation of tumbleweed running and would like to encrypt it. (Full disk, not just /home)
From what I’ve researched so far, the best way to achieve full-disk encryption in my case is to back up my data and re-install with LVM and encryption enabled.
Most guides suggest only backing up /home and doing the rest of the installation completely new. However, I’d strongly prefer to restore my whole installation and just ‘merge’ what is necessary to have encryption working.

So, my question is, what steps would I need to take, before/after restoring my ‘old’ installation into the encrypted container.
Which files do I need to back up to preserve settings for encryption? Which commands do I need to run afterwards? (e.g. mkinitrd)
Any other things I should look out for?

Thanks for any help!

In all honesty, backup “/home” and reinstall is easiest.

To do without reinstall:

First, is “/boot” going to be inside the encrypted LVM or outside? If outside (a separate partition) it will be easier. If you want it to be inside, then you will need

GRUB_ENABLE_CRYPTODISK="y"

in “/etc/default/grub”.

You will need to update “/etc/fstab” to reference the new file system arrangement. And you will also need to make corresponding changes in “/etc/default/grub” (the root file system and the swap file system used for resume after hibernate).

You need to add the needed entries to “/etc/crypttab”.

Then you will need to mount your system, and enter it in “chroot” mode. Then you will probably need to reinstall grub, run “mkinitrd”, and then use “grub2-mkconfig -o /boot/grub2/grub.cfg” to rebuild the boot menu.

There are probably lots of ways that this can go wrong.
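The "without reinstall" route described in the reply above, written out as a script. This is an added example and not part of the original reply: the small helpers (crypttab and fstab lines, /etc/default/grub edits) work on any file path so they can be tried on copies first, while fde_chroot_fixup does the mount, chroot, mkinitrd and grub2-mkconfig sequence and has to run as root from a live system. The device names, the volume-group name "system", the LV names "root"/"swap" and the mapper name "cr_root" are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original reply): migrate a restored openSUSE root
# into a LUKS-on-LVM layout and rebuild the boot chain from a chroot.
set -eu

# /etc/crypttab: <mapper name> <source by UUID> <key file or none> <options>
crypttab_line() {   # name luks_uuid [options]
    printf '%s UUID=%s none %s\n' "$1" "$2" "${3:-luks}"
}

# /etc/fstab: <device> <mountpoint> <type> <options> <dump> <pass>
fstab_line() {      # device mountpoint fstype [options] [pass]
    printf '%s %s %s %s 0 %s\n' "$1" "$2" "$3" "${4:-defaults}" "${5:-0}"
}

# Set KEY="value" in a /etc/default/grub-style file: the old KEY= line (if any)
# is dropped and the new one appended; all other lines are kept in order.
set_grub_default() {  # file key value
    f=$1 k=$2 v=$3
    { grep -v "^$k=" "$f" 2>/dev/null || true; printf '%s="%s"\n' "$k" "$v"; } > "$f.tmp"
    mv "$f.tmp" "$f"
}

# Mount the encrypted layout under /mnt and regenerate initrd + GRUB inside it.
#   luks_dev   partition holding the LUKS container (assumption: /dev/sda2)
#   vg/root_lv LVM volume group and root LV inside the container
#   disk       disk GRUB is installed to on a legacy-BIOS box (e.g. /dev/sda)
#   boot_dev   separate unencrypted /boot partition, or "none" if /boot is inside
# Assumes the swap LV is called "swap" (used for resume=) and ext4 filesystems.
fde_chroot_fixup() {  # luks_dev vg root_lv disk [boot_dev]
    luks=$1 vg=$2 rootlv=$3 disk=$4 boot=${5:-none}
    cryptsetup open "$luks" cr_root            # prompts for the passphrase
    vgchange -ay "$vg"
    mount "/dev/$vg/$rootlv" /mnt
    [ "$boot" = none ] || mount "$boot" /mnt/boot
    for d in dev proc sys; do mount --rbind "/$d" "/mnt/$d"; done

    # Point the restored /etc at the new layout: crypttab, fstab, resume device.
    uuid=$(cryptsetup luksUUID "$luks")
    crypttab_line cr_root "$uuid" luks > /mnt/etc/crypttab
    {
        fstab_line "/dev/$vg/$rootlv" / ext4 defaults 1
        fstab_line "/dev/$vg/swap" none swap defaults
        [ "$boot" = none ] || fstab_line "$boot" /boot ext4 defaults 2
    } > /mnt/etc/fstab
    set_grub_default /mnt/etc/default/grub GRUB_CMDLINE_LINUX_DEFAULT "resume=/dev/$vg/swap quiet"
    if [ "$boot" = none ]; then
        # /boot lives inside the container, so GRUB itself must unlock LUKS.
        set_grub_default /mnt/etc/default/grub GRUB_ENABLE_CRYPTODISK y
    fi

    # initrd must pick up crypttab before GRUB's menu is regenerated.
    chroot /mnt /bin/sh -c "grub2-install $disk && mkinitrd && grub2-mkconfig -o /boot/grub2/grub.cfg"
}
```

Typical call from the live system, after the old installation has been rsynced into the LVs: `fde_chroot_fixup /dev/sda2 system root /dev/sda` (add the /boot partition as a fifth argument if it stays outside the container). With /boot inside the container, GRUB will ask for the passphrase once and the initrd again, which is the expected behaviour of this layout rather than a misconfiguration.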

If you are using LUKS encryption, I would suggest it’s not stable to use. I have two openSUSE TW systems, both broken down now. I’m not sure if it’s LUKS, kernel, or LVM bugs, but they don’t get along. And it is not the first time LUKS encryption has caused problems on my systems. The previous problems seemed to be fixed after a few weeks, but these bugs just keep haunting the system. What’s worse is that when they happen, it gives a thrilling boot failure.

I’m considering using veracrypt etc to encrypt the drive instead as they should be less entangled with the system itself.

Hi,

thanks for the advice given!

I’ve decided to opt for the new-installation method and then restored what I wanted from the old installation. Here are my steps:

  1. create user-packages.xml in yast2 software management via File-> Export
  2. create image of the whole disk, preserving permissions. (I’ve created an image file and then rsynced everything into it)
  3. Install openSUSE Tumbleweed. (I’ve had to do partitioning manually because it always wanted to give me an unencrypted /boot. My advice is to let Yast create the partition setup, see how it works, then create your own container without a /boot; Yast will install grub properly, so the system will boot.)
  4. restore my repositories from the backup (/etc/zypp/repos.d) and import the previous packages via Yast.
  5. restore config files in /etc (e.g. printers, boot.local, sudoers, …)
  6. Since I’m on an SSD: Enable discards! (add allow-discards to /etc/crypttab and discard to /etc/fstab, please see a proper guide for details)
  7. use rsync to restore my /home (Important: Log out as the user and use a tty as root)

All in all, the process was relatively fast and also removed some left-overs that may have accumulated in my previous install.
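Step 6 above (discards on an SSD) done idempotently on existing /etc/crypttab and /etc/fstab, as an added example that is not part of the original post. Both files have their options in the fourth column, so one awk edit serves both; run it on copies first and diff against /etc, because awk rewrites matched lines with single spaces. The mapper name "cr_root" and the device paths are assumptions for the demo. The caveat a practitioner wants: with allow-discards the SSD learns which blocks are unused, so the layout of free space on the encrypted volume is no longer hidden (cryptsetup's own man page documents this); periodic TRIM via fstrim.timer instead of the fstab "discard" option changes how often that happens, not whether it does.

```shell
#!/bin/sh
# Added example (not from the original post): enable TRIM passthrough on an
# encrypted openSUSE install without hand-editing crypttab/fstab twice.
set -eu

# Append OPTION to column 4 of every line whose first column matches REGEX,
# unless it is already present. Comments and blank lines pass through as-is.
add_mount_option() {   # file regex option
    f=$1 pat=$2 opt=$3
    awk -v pat="$pat" -v opt="$opt" '
        /^[ \t]*(#|$)/ { print; next }
        $1 ~ pat {
            n = split($4, o, ",")
            found = 0
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
            if (!found) $4 = ($4 == "") ? opt : ($4 "," opt)
        }
        { print }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# allow-discards lets the dm-crypt layer pass TRIM down to the SSD;
# discard makes the filesystem (or swap) actually issue it. Without the
# crypttab half, the fstab half silently does nothing on an encrypted volume.
enable_discards() {    # crypttab fstab mapper_name [fstab_device_regex]
    add_mount_option "$1" "^$3\$" allow-discards
    add_mount_option "$2" "${4:-^/dev/}" discard
}
```

Usage on the real files: `enable_discards /etc/crypttab /etc/fstab cr_root`, then `mkinitrd` so the initrd's crypttab copy carries the new option, and `fstrim -v /` after the next boot to confirm the kernel accepts discards all the way down. The default fstab regex `^/dev/` catches /dev/mapper/* and /dev/<vg>/* entries and skips UUID= lines such as the ESP, which is not on the encrypted device.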

If you succeeded, are you using EFI or BIOS legacy?

It’s on a legacy BIOS system.

Hi, I’ve meanwhile switched to a system with UEFI, and full-disk encryption is entirely possible there as well. It needs to be done a little differently though.

I’ve used this article as a baseline.

In short, what you need to do in the partitioner is:

  1. create a UEFI Boot partition as vfat (if you dual-boot with windows, it is already created)
  2. mount the partition above as /boot/efi
  3. Create a second partition for which you choose encryption and format it as ext2-4 about 500MB in size and mount it as /boot
  4. Then create a final empty volume for LVM, enable encryption on it as well and do your partitioning inside with logical partitions (e.g. one swap and one root partition) and mount them accordingly.

This way, you get full-disk encryption on UEFI.

A remark: On my laptop, I had to enable legacy boot before being able to start the Tumbleweed installer. When you do the partitioning manually and in the summary screen force yast to use Grub2-EFI, it will do everything correctly despite complaining that the system type doesn’t fit.
The only thing is that after installation you need to switch back to UEFI boot and one time manually select the openSUSE boot manager to boot with. Once this first boot is done, just re-run the grub setup in the system to get it properly configured as the main way to boot.

Bonus tip from here: in Windows, on an elevated cmd shell, execute:

bcdedit /set {bootmgr} path \EFI\opensuse\shim.efi

to make Windows stop competing with grub for bootloader dominance.

Finally, if you are on an SSD, make sure to allow discards as explained here.

Hope this might help someone in the future :)
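A post-install check for the UEFI layout described above, added here as an example that is not part of the original post: it parses the key="value" output of `lsblk -P -o KNAME,NAME,TYPE,MOUNTPOINT,PKNAME` and reports every mounted filesystem that has no dm-crypt device anywhere below it, so the only thing allowed to be plain is the ESP at /boot/efi. Devices are keyed by KNAME because lsblk's PKNAME column holds the parent's kernel name (dm-0, sda2), not its mapper name. The two embedded layouts are constructed samples with assumed device and mapper names, one matching the post's layout and one with the unencrypted /boot the installer wanted to create.

```shell
#!/bin/sh
# Added example (not from the original post): check that only the ESP is
# unencrypted after an encrypted-/boot UEFI install.
set -eu

# Read `lsblk -P -o KNAME,NAME,TYPE,MOUNTPOINT,PKNAME` on stdin. Print every
# mountpoint without a "crypt" ancestor, except those listed in $1
# (space separated, default /boot/efi). Exit status 0 = nothing reported.
check_fde_layout() {  # [allowed_plain_mountpoints]
    awk -v allow="${1:-/boot/efi}" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            split("", kv); s = $0                       # parse KEY="value" pairs
            while (match(s, /[A-Z]+="[^"]*"/)) {
                p = substr(s, RSTART, RLENGTH); s = substr(s, RSTART + RLENGTH)
                eq = index(p, "=")
                kv[substr(p, 1, eq - 1)] = substr(p, eq + 2, length(p) - eq - 2)
            }
            k = kv["KNAME"]
            name[k] = kv["NAME"]; type[k] = kv["TYPE"]; parent[k] = kv["PKNAME"]
            if (kv["MOUNTPOINT"] != "") mount[k] = kv["MOUNTPOINT"]
        }
        function encrypted(k) {                          # walk up the PKNAME chain
            while (k != "") { if (type[k] == "crypt") return 1; k = parent[k] }
            return 0
        }
        END {
            bad = 0
            for (k in mount)
                if (!(mount[k] in ok) && !encrypted(k)) {
                    printf "%s on %s is NOT encrypted\n", mount[k], name[k]; bad = 1
                }
            exit bad
        }'
}

# Constructed sample: ESP plain, /boot on its own LUKS partition, LVM on LUKS.
sample_encrypted_layout() {
cat <<'EOF'
KNAME="sda" NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
KNAME="sda1" NAME="sda1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="sda"
KNAME="sda2" NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
KNAME="dm-0" NAME="cr_sda2" TYPE="crypt" MOUNTPOINT="/boot" PKNAME="sda2"
KNAME="sda3" NAME="sda3" TYPE="part" MOUNTPOINT="" PKNAME="sda"
KNAME="dm-1" NAME="cr_sda3" TYPE="crypt" MOUNTPOINT="" PKNAME="sda3"
KNAME="dm-2" NAME="system-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="dm-1"
KNAME="dm-3" NAME="system-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="dm-1"
EOF
}

# Constructed sample: the layout the installer proposes by default, /boot plain.
sample_plain_boot_layout() {
cat <<'EOF'
KNAME="sda" NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
KNAME="sda1" NAME="sda1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="sda"
KNAME="sda2" NAME="sda2" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
KNAME="sda3" NAME="sda3" TYPE="part" MOUNTPOINT="" PKNAME="sda"
KNAME="dm-0" NAME="cr_sda3" TYPE="crypt" MOUNTPOINT="" PKNAME="sda3"
KNAME="dm-1" NAME="system-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="dm-0"
KNAME="dm-2" NAME="system-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="dm-0"
EOF
}
```

On the installed system: `lsblk -P -o KNAME,NAME,TYPE,MOUNTPOINT,PKNAME | check_fde_layout`. The check only proves that the block layering is right, not that GRUB can open the /boot container: GRUB unlocks LUKS1, and LUKS2 only when the keyslot uses PBKDF2 rather than cryptsetup's default Argon2, so `cryptsetup luksDump` on the /boot partition is the second thing to look at if the first boot fails at the GRUB prompt.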

Whether that is needed, depends on your BIOS. I have not needed to do that.

Bonus tip from here: in Windows, on an elevated cmd shell, execute:

bcdedit /set {bootmgr} path \EFI\opensuse\shim.efi

to make Windows stop competing with grub for bootloader dominance.

Again, that’s BIOS dependent. My Dell desktop has that problem, though I found a different way around it. My other UEFI box is better behaved, so I don’t need that fix.