Full Disk Encryption with encrypted boot

I currently have an Arch install and am wanting to move to openSUSE. I want to ensure however that I can get the same kind of FDE on suse that I currently run on Arch.

My current setup:
/boot/efi - unencrypted
/boot - encrypted GRUB decrypts at boot
Luks container with LVM holding / /home /var and swap
2nd and 3rd luks container for 2 other HDDs also with LVM inside for media and other things

The boot path is password for boot (for GRUB) then password for root luks container then password for boot again. This is fine with me (since it is how it works now). I also have to manually mount the other luks containers after login as I don’t want them open/mounted for ANY user just for me. I basically use them as extensions for my /home directory. Music/Video/Documents/Downloads etc. I would love to have this be fully automated if at all possible just having password prompts for them.

I will be playing with the installer tonight but I want to see if there is anyone else that runs this kind of setup and make sure I know what I can and can’t do with openSUSE. I am guessing that I can do this because -linux- but I didn’t know if it was something that I’d have to hack or if there are installer options for this.


For Leap 42.1, I am using an encrypted LVM but “/boot” is unencrypted. I also have another encrypted partition, but in my case I have that automatically mounted during boot (same encryption key as the LVM).

On a different computer, I have Tumbleweed installed in an encrypted LVM, with “/boot” within that encrypted LVM (as part of the root file system).

As far as I know, you should be able to do what you want, but with two provisos:

  1. The way it is handled is a little different from the way arch does it;
  2. I’m not completely sure about Leap. I seem to recall that there’s a bug report about this issue, and I’m not sure if the fix has been released. In any case, the fix is not on the installer.

You have not indicated whether you use secure-boot. I’m guessing that you don’t, because arch doesn’t really provide for that. If you accept the install defaults, which include secure-boot support, then it is possible that you might need to copy the “grub.efi” from Tumbleweed to your “/boot/efi/EFI/opensuse” directory. And it is possible that you might need a simple edit of “/boot/efi/EFI/opensuse/grub.cfg” in order to have grub unlock “/boot”.

My personal suggestion is to create the encrypted LVM before you start the install. That gives more flexibility than attempting to do it during the install.

Why? You can create encrypted LVM during installation as well, has been possible for as long as I remember. What is different when you create it before?