fully encrypt both SSD and HDD at install - ext4, LVM, GPT

I’m looking for a tutorial similar to the following article, but for opensuse and using ext4 (not btrfs) with GPT partition tables.

Full disk encryption with Btrfs and multiple drives in Ubuntu · Bryce Nyeggen's blog

I will be using Tumbleweed amd64 with an Asus Z170-A motherboard. I would like to use secure boot.

I have an SSD and HDD. Both should be fully encrypted. Both should be accessible by entering a single passphrase on bootup. (A key on a USB stick would be acceptable too.)

The SSD will hold these partitions:

/boot (I assume unencrypted)
/ (root)
/home
and all the usual directories in the Linux file system

The HDD will be mainly for pictures, audio, video, .deb files, zipped files, backups, etc.

Can anyone tell me how to go about doing this with the expert partitioner? I would also like to use LVM (for its snapshot feature) since I won’t be using btrfs. I’m open to all suggestions as to the best practices, etc. (I could even be talked into using btrfs I guess, but my feeling is that it’s not quite ready to be trusted with all the data I can’t lose.)

BTW, this article convinced me to go with Tumbleweed:

How to move to openSUSE Tumbleweed | CIO
http://www.cio.com/article/2923322/linux/how-to-move-to-opensuse-tumbleweed.html

The installer can create full disk encryption based on LVM automatically. Make sure to label the disk as GPT before starting the installer (you do not need to create any partitions, just make sure the installer sees GPT). Then, during installation, on the partitioning proposal click Edit and enable "Encrypt".

I do not know why the installer does it only for GPT and not for an MSDOS partition label.

You can also do everything manually by going to the Expert Partitioner.

You do not really need a separate /boot (grub2 is capable of reading LUKS), but then you will need to enter the passphrase twice to unlock the encrypted container - first in GRUB and then in Linux.

I don't see any option to include the HDD (my 2nd disk). It sets up the first disk (sda) but doesn't offer to encrypt the 2nd. I'm looking for an easy way to make both storage devices become accessible after entering the encryption passphrase only once.

Do you know of a step-by-step tutorial for what I’m trying to do?

You can always partition it later after installation.

So I guess there is no easy way to do what I’m trying to do? Mainly, I want everything encrypted, but I only want to have to enter the decryption passphrase once at system startup.

I had a look at the expert partitioner. It’s a very nice tool. However, even with it, I can’t see how to easily do what I’m trying to do. I went through all the steps, but I could not encrypt the “/” file system. The expert partitioner says it isn’t allowed. So I ended up with /boot, “/”, swap, /home, and /storage. /home and /storage are encrypted.

This isn’t what I wanted because there are two encryption passphrases and the “/” file system isn’t encrypted.

Yes; the yast partitioner does not allow encryption of a partition used directly for a filesystem. You can encrypt a partition used for LVM. Using the yast partitioner is hit and miss here - sometimes the check box is not active, sometimes it is; I had to jump back and forth several times before I was able to activate encryption. That is why using the default proposal is easier.

If you want “/” to be encrypted, you will need to use an encrypted LVM. I’m doing that, and “/”, “/home” and swap are all part of that encrypted LVM.

If you also want to encrypt a partition on another disk, just use the same encryption. During boot, "plymouth" prompts for the encryption key. It then tries that key for all encrypted partitions.

As an example, I have a large “/shared” partition on another disk. It uses the same encryption key as my LVM. I am only prompted once for the key.

You will need a separate unencrypted “/boot”. Otherwise you will have to enter the encryption key twice.

You can set up the partitions and encryption before install, if you prefer. You will be prompted for an encryption key early in the install procedure. During install, ignore the proposed partitioning and click "Create partitioning". Then click "Custom partitioning" on the next screen. You will be presented with a list of partitions and LVM volumes, which you can assign for use as appropriate. But you still cannot use an encrypted partition for "/", though you can use a logical volume within an encrypted LVM.
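The post-install route suggested earlier in the thread ("you can always partition it later") combined with the "same passphrase, prompted once" setup described in the post above, as an added example that is not from the thread or from openSUSE: it assumes the root LVM already lives in a LUKS container created by the installer, that the HDD carries a GPT with one partition at the placeholder path /dev/sdb1, and that the mapper name cr_storage and mount point /storage are free to use. Giving the new container the identical passphrase is what makes the boot-time prompt cover both disks.

```shell
#!/bin/sh
# Added example: add an encrypted second disk that is opened with the same
# passphrase as the root LVM container, so boot asks only once.
# Placeholders (adjust before running): DISK, MAPNAME, MOUNTPOINT.
DISK="/dev/sdb1"        # assumed HDD partition; verify with lsblk first
MAPNAME="cr_storage"    # name that will appear as /dev/mapper/cr_storage
MOUNTPOINT="/storage"

# crypttab entry: "none" means ask for a passphrase at boot. systemd-cryptsetup
# (and plymouth in front of it) reuses the passphrase already entered for the
# root container, so an identical passphrase gives a single prompt.
crypttab_line() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# fstab entry for the opened container: ext4, fsck pass 2 (root is pass 1).
fstab_line() {
    printf '/dev/mapper/%s %s ext4 defaults 0 2\n' "$1" "$2"
}

# Root-only steps. Not executed automatically: call setup_disk as root after
# checking that DISK really is the empty HDD partition.
setup_disk() {
    cryptsetup luksFormat "$DISK"          # type the SAME passphrase as for root
    cryptsetup open "$DISK" "$MAPNAME"     # prompts again to open it now
    mkfs.ext4 /dev/mapper/"$MAPNAME"
    uuid=$(cryptsetup luksUUID "$DISK")    # stable identifier for crypttab
    crypttab_line "$MAPNAME" "$uuid" >> /etc/crypttab
    fstab_line "$MAPNAME" "$MOUNTPOINT" >> /etc/fstab
    mkdir -p "$MOUNTPOINT" && mount "$MOUNTPOINT"
    # crypttab is read by the initrd on openSUSE, so rebuild it afterwards:
    dracut --force
}

# Preview of the two lines that would be appended (constructed UUID).
crypttab_line "$MAPNAME" "00000000-0000-0000-0000-000000000000"
fstab_line "$MAPNAME" "$MOUNTPOINT"
```

If the passphrases differ, the cached one fails for the second container and you are prompted a second time; a keyfile stored on the encrypted root (referenced in the third crypttab field instead of "none") is the other way to keep it to one prompt.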

LVM is a container that can hold multiple partitions and expand across drives. The LVM container can be encrypted; you can stuff everything into the container or split out /boot. There is never any sensitive data on /boot; it just holds the kernel and boot files. Doing that, you only have to enter the password once.