Well, ok … as a long-time Slack/Arch/Debian/BSD user I finally managed to do it, but it wasn’t via the official installer, which is * saddening *
Here’s the procedure for anyone interested [should be done via chrooted environment]:
We’d need another Linux installation on the same PC, or livecd/liveusb:
- Install the system as usual [in this case to sda5 partition], on a single disk formatted to whatever filesystem you like.
- Copy the system to an external location [directory] temporarily:
mkdir /tmp/mnt
mount /dev/sda5 /tmp/mnt
mkdir /mnt/data/temporary_dir
cp -ax /tmp/mnt/. /mnt/data/temporary_dir/.
umount -lf /tmp/mnt
- Prepare partition by encrypting it: [this will use strong twofish algorithm]
cryptsetup -y --cipher twofish-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda5
- Open LUKS device, format it and mount it:
cryptsetup luksOpen /dev/sda5 opensuse-rfs_decrypted
mkfs.btrfs /dev/mapper/opensuse-rfs_decrypted
mount /dev/mapper/opensuse-rfs_decrypted /tmp/mnt
- Copy the OS back to now-encrypted partition:
cp -ax /mnt/data/temporary_dir/. /tmp/mnt/.
- Chroot into new system:
cd /tmp/mnt
mount -t proc proc /tmp/mnt/proc/
mount --rbind /sys /tmp/mnt/sys/
mount --rbind /dev /tmp/mnt/dev/
chroot /tmp/mnt /bin/bash
then add the info of the encrypted partition to crypttab:
/etc/crypttab:
opensuse-rfs_decrypted /dev/sda5 none luks
… and update fstab as well:
/etc/fstab:
/dev/mapper/opensuse-rfs_decrypted / btrfs rw,errors=remount-ro 0 1
Finally, update initrd to include LUKS hooks:
[remove old initrd from /boot, then:] mkinitrd
Edit grub config to include full boot hooks: [this will make grub ask about the LUKS password twice - before the boot menu appears and later during regular system boot]
/etc/default/grub:
GRUB_ENABLE_CRYPTODISK="y"
Install grub:
grub2-install --root-filesystem=/ /dev/sda
Update grub:
grub2-mkconfig -o /boot/grub2/grub.cfg
- Exit the chrooted environment and unmount the partition, then close the encrypted device and reboot the system:
exit
umount -lf /tmp/mnt
cryptsetup luksClose opensuse-rfs_decrypted
reboot
===
To be honest, I think it is a shame that the OpenSUSE installer has such limited installation options. It generally expects you to install the system without encryption, as choosing installation on a LUKS device fails miserably no matter which encryption scheme you choose … I might add that this is NOT the case in - for example - Debian, on which I have also checked it. Things just work there.
Also, as a side note: default BTRFS installation without encryption works, but then it does NOT allow you to boot into other snapshots [boot process hangs and times out on various systemd services]. BUT … that is a whole other topic which I won’t discuss here.
Anyhow, I hope someone will find this short howto useful. It does what I wanted [simple root filesystem snapshots done manually, lack of snapper support, as snapper seems to be NOT working properly, and default BTRFS subvolume scheme is bad [just take a look at postgresql, etc. subvols, which most of you won’t even use on a desktop/workstation]].
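
An added example, not part of the original post: a pre-reboot check that the three files edited in the procedure agree with each other (the fstab root device, the crypttab mapping name, and the GRUB cryptodisk switch). The function names `check_luks_root` and `make_sample_root` are hypothetical, and the sample tree is constructed from the lines shown in the post.

```shell
#!/bin/sh
# Added example, not from the post: check the three files the procedure edits.
# check_luks_root ROOT  -> prints one line per problem, returns the problem count.
check_luks_root() {
    root=$1
    problems=0

    # 1. The "/" entry in fstab must be a /dev/mapper/<name> device.
    rootdev=$(awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }' "$root/etc/fstab")
    case $rootdev in
        /dev/mapper/*) name=${rootdev#/dev/mapper/} ;;
        *)  echo "fstab: / is '$rootdev', not a /dev/mapper device"
            name=
            problems=$((problems + 1)) ;;
    esac

    # 2. crypttab must define that same mapping name (field 1) with the luks option.
    if [ -n "$name" ] && ! awk -v n="$name" \
        '$1 == n && $4 ~ /luks/ { ok = 1 } END { exit !ok }' "$root/etc/crypttab"
    then
        echo "crypttab: no luks entry named '$name'"
        problems=$((problems + 1))
    fi

    # 3. GRUB must unlock the disk itself. Only a bare y or ASCII-quoted y is
    #    accepted, so a value pasted with typographic quotes is reported.
    val=$(sed -n 's/^GRUB_ENABLE_CRYPTODISK=//p' "$root/etc/default/grub" | tail -n 1)
    case $val in
        y | '"y"' | "'y'") ;;
        *)  echo "grub: GRUB_ENABLE_CRYPTODISK is '$val', expected y"
            problems=$((problems + 1)) ;;
    esac

    return "$problems"
}

# Constructed sample tree holding the post's own crypttab, fstab and grub lines.
make_sample_root() {
    d=$(mktemp -d) && mkdir -p "$d/etc/default" || return 1
    echo 'opensuse-rfs_decrypted /dev/sda5 none luks' > "$d/etc/crypttab"
    echo '/dev/mapper/opensuse-rfs_decrypted / btrfs rw,errors=remount-ro 0 1' > "$d/etc/fstab"
    echo 'GRUB_ENABLE_CRYPTODISK="y"' > "$d/etc/default/grub"
    echo "$d"
}
```

Point it at the mounted root (`/tmp/mnt` in the post) before the final unmount; a non-zero return means the system is likely to stop at boot waiting for a root device it cannot unlock or find.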