I installed a system with partition encryption. At the same time, it asks for a password twice, first for GRUB and then again for the disk. Why is this not solved by default in the distribution?
Maybe because that would compromise security?
What is the security if the password is the same in the second case?
Because then it is only in your head, but when Grub has to forward it one way or the other to the kernel, it must be somewhere on the system. Can one be sure that is never compromised?
In fact I only guess, because I am not really the designer of this. Neither are the other openSUSE users here. Better ask in a place where developers lurk?
But maybe someone active here knows more details. Just wait and see.
There is information about this in the Wiki:
SDB:Encrypted root file system
and then scroll down to the heading: “Avoiding to type the passphrase twice”.
I’ll note that I have a Tumbleweed VM setup that way, and it is working fine. However, on real hardware I prefer to enter the password twice, because I consider that more secure.
(added in edit): That Wiki entry is for an encrypted root partition. However, my VM is using that method with an encrypted LVM (which includes root file system, “/home” and swap).
Thanks, I didn’t see that on the wiki.
It says that you can’t leave the partition unencrypted, but I have it encrypted. So I think the security is up to the mark since the key is stored in the root folder and permissions are 700 to /boot.
The key is also copied into the “initrd”. Be cautious with that. If you are using UEFI and install Xen support, then the “initrd” is copied to the EFI partition, which is not encrypted.
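Added example (not part of the thread, and not openSUSE's own tooling): a small check for the concern raised in the last post, that an initrd carrying the key may sit on an unencrypted device. It walks the Linux sysfs device stack under a block device and reports any dm-crypt layer; the function names `crypt_layers` and `devno_of` are hypothetical, and the only assumption is the standard sysfs layout, where dm-crypt mappings carry a `dm/uuid` starting with `CRYPT-`.

```python
import os
import sys


def _read(path):
    """Return the stripped contents of a sysfs attribute, or '' if absent."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return ""


def crypt_layers(devno, sysfs="/sys"):
    """Return the dm-crypt UUIDs found in the stack under block device 'MAJ:MIN'.

    An empty list means nothing below this device is a dm-crypt mapping,
    so a key file stored there (for example inside an initrd) is in the clear.
    """
    found, todo, seen = [], [devno], set()
    while todo:
        cur = todo.pop()
        if not cur or cur in seen:
            continue
        seen.add(cur)
        node = os.path.join(sysfs, "dev", "block", cur)
        uuid = _read(os.path.join(node, "dm", "uuid"))
        if uuid.startswith("CRYPT-"):  # set by cryptsetup for LUKS and plain mappings
            found.append(uuid)
        slaves = os.path.join(node, "slaves")  # devices this one is built on
        if os.path.isdir(slaves):
            for name in sorted(os.listdir(slaves)):
                todo.append(_read(os.path.join(slaves, name, "dev")))
    return found


def devno_of(devnode):
    """Translate a device node such as /dev/sda1 into its 'MAJ:MIN' string."""
    st = os.stat(devnode)
    return f"{os.major(st.st_rdev)}:{os.minor(st.st_rdev)}"


if __name__ == "__main__":
    # Pass the device nodes that hold /boot and the EFI system partition.
    for devnode in sys.argv[1:]:
        layers = crypt_layers(devno_of(devnode))
        verdict = "encrypted via " + ", ".join(layers) if layers else "NOT encrypted"
        print(f"{devnode}: {verdict}")
```

Run it against the device that backs each location where a copy of the initrd ends up; any device reported as not encrypted exposes the embedded key to whoever can read the disk.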