installation encryption options

When installing openSUSE 12.3 I wanted the encrypted LVM partition option, but after entering my password there are no more options/info about this encryption. I assume it’s LUKS and I would like to select the cipher, hash etc. in cryptsetup myself.

1. What are the default encryption options?
2. How can you select them yourself in the installation GUI? I saw a couple of outdated guides for other distros on how to do it in the terminal, but it involved messing with bootloader, initrd and so on. If anyone could post a step by step guide for openSUSE it would be much appreciated.

On 2013-05-13 11:26, ambusher wrote:

> if
> anyone could post a step by step guide for opensuse it would be much
> appreciated.

I would have to do an install and look for myself, but I suppose the
options would be behind an advanced button when you create the lvm.


> http://doc.opensuse.org/documentation/html/openSUSE/opensuse-reference/cha.advdisk.html#sec.yast2.system.lvm

+++··················
Encrypt Device

If you activate the encryption, all data is written to the hard disk
in encrypted form. This increases the security of sensitive data, but
reduces the system speed, as the encryption takes some time to process.
More information about the encryption of file systems is provided in
Chapter 10, Encrypting Partitions and Files (↑Security Guide).
··················++-


> http://doc.opensuse.org/documentation/html/openSUSE/opensuse-security/cha.security.cryptofs.html

But that doesn’t talk of lvm at all.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

LVM does not know anything about encryption. It just has a device and does not care where this device came from.

I do not think YaST allows you to enter advanced options in this case. You have only one check button “encrypt”, that’s all. So it would imply manually creating an encrypted container using the needed options and moving the installed system to it.

On 2013-05-13 16:26, arvidjaar wrote:
>
> robin_listas;2556483 Wrote:
>> But that doesn’t talk of lvm at all.
>
> LVM does not know anything about encryption. It just has a device and
> does not care where this device came from.

I know that.

However, searching for the string “lvm” in the encryption documentation
should work for finding a related paragraph on using lvm on top of
encryption as used by YaST.

> I do not think YaST allows you to enter advanced options in this case.
> You have only one check button “encrypt”, that’s all. So it would imply
> manually creating an encrypted container using the needed options and
> moving the installed system to it.

It does not give options for encryption of a normal filesystem, so it
probably doesn’t give them either for the lvm container.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

But when should the encrypted partition be created and mounted during installation? Will the installer recognize it properly? And do I need to modify the grub bootloader so it knows to ask for the password when booting?

I use an encrypted LVM.

I first create the partition (with “fdisk”). I then encrypt it with “cryptsetup” where options are available. And then I construct an LVM in that partition, using Yast.

When I later go to install, the installer asks if I want to provide the key. I agree, and provide the key.

Next, the installer presents its recommended partitioning, which typically includes deleting the encrypted LVM. I select manual partitioning (I think it’s called “create partitions”). The next screen lists the existing partitions and the LVM volumes. I choose to put root, home and swap in LVM volumes.

I do use a separate unencrypted “/boot”. You will probably need that. I suggest 200-500M (or even 1G if you have plenty of disk space).

The request for the encryption key is handled via the “initrd” (the ramdisk used initially in the boot process). It works fine.

On a reinstall (the next version), I usually use “import partitioning” in the installer. That just uses the partitioning from the previous install.

Added footnote: for a completely new install, I boot with a live CD or live USB to assign the desired partitioning, set up encryption and create the LVM.
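
The sequence described in the post above (partition first, then cryptsetup with your own options, then LVM inside the container), written out as an added example that is not part of any post in this thread. The device /dev/sdX2, the names cr_lvm and system, the volume sizes and the cipher, hash and key-size values are assumptions; luks_params is a hypothetical helper that reads `cryptsetup luksDump` output to show which parameters an existing LUKS1 container uses.

```shell
#!/bin/sh
# Added example, not from the thread. Device, mapper and volume-group names and
# all sizes are assumed placeholders; cipher/hash/key size are sample values.
# Prints the command sequence by default; set RUN=1 (as root, from live media)
# to execute it. luksFormat destroys existing data on the partition.

step() {                       # print a command, run it only when RUN=1
    echo "$*"
    if [ "${RUN:-0}" = 1 ]; then "$@"; fi
}

setup_encrypted_lvm() {        # usage: setup_encrypted_lvm /dev/sdX2 cr_lvm system
    dev=$1 map=$2 vg=$3
    # 1. LUKS container with explicit parameters instead of the built-in
    #    defaults (`cryptsetup --help` lists the defaults of your build).
    step cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 \
         --hash sha256 "$dev" &&
    # 2. Open it; the decrypted view appears as /dev/mapper/$map.
    step cryptsetup luksOpen "$dev" "$map" &&
    # 3. LVM on top of the mapped device: LVM only sees a block device.
    step pvcreate "/dev/mapper/$map" &&
    step vgcreate "$vg" "/dev/mapper/$map" &&
    step lvcreate -L 2G -n swap "$vg" &&
    step lvcreate -L 20G -n root "$vg" &&
    step lvcreate -l 100%FREE -n home "$vg"
}

# Summarise a LUKS1 header, reading `cryptsetup luksDump DEV` output on stdin.
luks_params() {
    awk -F':[ \t]+' '
        /^Cipher name:/ { name = $2 }
        /^Cipher mode:/ { mode = $2 }
        /^Hash spec:/   { hash = $2 }
        /^MK bits:/     { bits = $2 }
        END { printf "cipher=%s-%s hash=%s key_bits=%s\n", name, mode, hash, bits }'
}

# Dry run with placeholder names unless DEV and RUN=1 are set by the caller.
setup_encrypted_lvm "${DEV:-/dev/sdX2}" cr_lvm system
```

To check an existing container, pipe the dump into the helper: `cryptsetup luksDump /dev/sdX2 | luks_params`.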

On 2013-05-13 17:56, ambusher wrote:

> But when should the encrypted partition be created and mounted during
> installation? Will the installer recognize it properly? And do I need
> to modify the grub bootloader so it knows to ask for the password when
> booting?

That’s uncharted territory, I’m afraid.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

On 2013-05-13 18:16, nrickert wrote:

> I use an encrypted LVM.

> On a reinstall (the next version), I usually use “import partitioning”
> in the installer. That just uses the partitioning from the previous
> install.

I’ll save this for reference, thanks :-)


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

Thanks for the info nrickert,
one more question: after I create the encrypted partition, is it OK to just exit the terminal and go back to YaST?

If you are talking about the Yast installer, or the Yast partitioner then it probably needs restarting.

I was talking about the YaST installer. Did you mean they both have to be restarted or only the partitioner? I think the installer can only be restarted by aborting the installation.

I guess you would have to try, and find out that way.

I have always booted separately to live media for setting up an encrypted LVM. And then I would boot to the installation media.