Installer does not overwrite encrypted partitions, but creates nested ones

Hi All

I installed version 15.2 on a laptop (Acer Aspire 3 2019) encrypting the OS partition. Eventually I got it working, but I would like to understand better two issues I had in the process.

  1. The first installation went wrong during the updates, eventually I decided to reinstall everything from scratch, but when I recreated the encrypted volumes the partitioner did not overwrite the previous partitions, it created another partition inside the old one, so at startup (for each partition) it first asked the password of the first encryption and then the password of the second. I tried again, but with no luck, eventually I had to wipe out the partitions with System Rescue CD and then perform the installation. Is it an issue in the partitioner bundled with the installer?

  2. Actually I didn’t try very hard, but anyway I didn’t manage to create a root partition with two logical volumes, BTRFS for / and Swap, so now I have two separate encrypted partitions and at startup I have to enter twice the password. Was it something doable within the standard installer?

Hello,

Welcome to the openSUSE forums.

Stories like yours are often not easy to understand without some hard information on what you have. You talk e.g. about a “root partition” (which is imho a partition that contains the root file system) “with two logical volumes”, which is something completely different.

Thus please post

fdisk -l

and then explain what partition you think is used for what.
And, when you use Logical Volume Manager you could unravel its configuration with statements like

pvdisplay
vgdisplay
lvdisplay

BTW, because you are new here, the following might be of interest for the posting of that computer information.

There is an important, but not easy to find feature on the forums.

Please in the future use CODE tags around copied/pasted computer text in a post. It is the # button in the tool bar of the post editor. When applicable copy/paste complete, that is including the prompt, the command, the output and the next prompt.

An example is here: Using CODE tags Around your paste.

Regards,

Here is the output of fdisk -l:


Disk /dev/nvme0n1: 477 GiB, 512110190592 bytes, 1000215216 sectors
Disk model: KINGSTON OM8PCP3512F-AA                 
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt

Device             Start        End   Sectors  Size Type
/dev/nvme0n1p1      2048    2099199   2097152    1G EFI System
/dev/nvme0n1p2 966789120 1000215182  33426063   16G Linux swap
/dev/nvme0n1p3   2099200  526387199 524288000  250G Linux filesystem
/dev/nvme0n1p4 526387200  966789119 440401920  210G Linux filesystem

Partition table entries are not in disk order.


Disk /dev/mapper/cr_swap: 16 GiB, 17112047104 bytes, 33421967 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/mapper/cr_root: 250 GiB, 268433358848 bytes, 524283904 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

I did not change the partition table and the EFI partition is the original one. The nvme0n1p3/4 partitions are BTRFS, one for the OS and private data, one is unencrypted for less important data like videolectures and everything else I could download.

Now they are all primary partitions. What I meant with question 2 is that I was wondering whether it was possible to create nvme0n1p3 BTRFS and nvme0n1p2 Swap as logical volumes inside an encrypted one in such a way that there is only one encryption/decryption step.

Yes. But there’s not enough detail there to know where you went wrong.

Maybe I will try guessing.

It looks as if you are using LVM.

There are two ways you can encrypt with an LVM. You can encrypt the whole thing, so that the physical volume is encrypted. Or you can encrypt individual logical volumes within the LVM. I’m guessing that you have done both (by mistake).

When you reinstalled, it probably asked for the encryption key. And then you probably went to the expert partitioner. And it showed you the encrypted volumes. And it gave you an option to encrypt them. You took that option, and that was the mistake.

When you installed the first time, you did not make that mistake because the installer set it all up from scratch.

I will admit that can be confusing.

When I get to where that happened in the expert partitioner, I always remind myself that the logical volume it is showing me is already inside an encrypted LVM. And therefore I do not need to do an additional encryption.

Okay, I was guessing there. And I may have guessed wrongly. But if my guess was right, then I suggest you go back for another install and see if you can get it right this time. Remember that if your LVM setup is already encrypted, and the installer is showing you the volumes inside, then you don’t need to encrypt them again.

First, please next time include the line with the command (in this case fdisk -l) within your copy/paste. Then we can see what you did and you do not have to type “Here is the output of fdisk -l:”

Then, you call the partitions “primary partitions”. As the partitioning here is GPT, there are just partitions. No primary/extended/logical exist as in MS-DOS partition.

What I understand is that you want to have one partition instead of p2 and p3, make that a LVM Physical Volume, create one LVM Logical Volume Group on it and then create two LVM Logical Volumes inside that Logical Volume Group, one containing a Btrfs for / and the other containing Swap. And then you want to encrypt on the level of the Logical Volume Group with the result of a single password entry.

Now I am not a specialist on encryption of file systems or their logical Volumes, I only tried to get a clear picture for others here.
However what I have encountered sometimes on the forums here is people complaining about two-time passwords because first Grub has to read its config file and the kernel, etc. and then later the system wants to mount the file system. Are you sure that your two-time password-asking experience is not this one?

Edit: I see the real specialist is there !

Your guess is partly correct, I went to the expert partitioner, but eventually I did not use LVM because I wanted a mix of encrypted and unencrypted partitions.
But anyway this was the secondary question, typing twice the password at boot time is a small nuisance. I am a little bit more interested in finding out about the first one.
I thought I told the partitioner (in expert mode) to wipe out the old partitions, instead it nested new partitions in the old ones.

I think I would need to have been looking over your shoulder to know what you did.

If you have already setup encryption, and you want to start over – then the best way is to not tell it the encryption key. When it asks for that, just click “Cancel”. Then it won’t see inside your encrypted partition.

I see. Actually I can’t recall whether I tried to click Cancel or not. But I am sure that eventually I gave the encryption key of the old encryption.
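A way to confirm the nesting discussed in this thread (a crypt mapping stacked on another crypt mapping, directly or through LVM) from the device tree, as an added example that is not part of the original posts. The function name, the sample layout and the mapping name `cr_root_old` are constructed for illustration; only the `lsblk` columns KNAME, NAME, TYPE and PKNAME are assumed.

```shell
#!/bin/sh
# Report every dm-crypt mapping that has another dm-crypt mapping among its
# ancestors. Input: lines of "KNAME NAME TYPE PKNAME", as produced by
#   lsblk -rno KNAME,NAME,TYPE,PKNAME
# KNAME/PKNAME are used for linking because a device-mapper parent is
# reported by its kernel name (dm-0), not by its mapper name.
# Simplification: a device listed under several parents keeps the first one.
find_nested_crypt() {
    awk '
        !($1 in type) {
            type[$1] = $3; name[$1] = $2; parent[$1] = $4
            order[++n] = $1
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (type[k] != "crypt") continue
                # Walk up towards the disk; stop at the first crypt ancestor.
                for (p = parent[k]; p != ""; p = parent[p]) {
                    if (type[p] == "crypt") {
                        print name[k] " (" k ") is nested inside " name[p] " (" p ")"
                        break
                    }
                }
            }
        }'
}

# Constructed sample: the layout described in the first post, where the new
# encrypted volume was created inside the old one on nvme0n1p3.
sample_layout() {
    cat <<'EOF'
nvme0n1 nvme0n1 disk
nvme0n1p1 nvme0n1p1 part nvme0n1
nvme0n1p3 nvme0n1p3 part nvme0n1
dm-0 cr_root_old crypt nvme0n1p3
dm-1 cr_root crypt dm-0
nvme0n1p2 nvme0n1p2 part nvme0n1
dm-2 cr_swap crypt nvme0n1p2
EOF
}

# Demo on the constructed sample; on a live system run instead:
#   lsblk -rno KNAME,NAME,TYPE,PKNAME | find_nested_crypt
sample_layout | find_nested_crypt
```

An empty result means each unlocked volume sits directly on a partition, as in the `fdisk -l` output posted above, so two passphrase prompts then come from two separate encrypted partitions rather than from nesting.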