Luks encryption and btrfs snapshots

Hello,

It seems that when you use both LUKS encryption for the whole drive (except the EFI and boot partitions) and btrfs snapshots, the snapshots will not appear in the grub menu at all.

Therefore when things get broken and you can’t boot, those snapshots won’t save you.

That being said, one should not use the Btrfs snapshot feature together with LUKS encryption, right? :’(

That’s correct: if /boot is on a separate partition, snapshots are disabled (because then you cannot revert to a previous kernel). /boot on LVM on a LUKS partition is supported, so nothing prevents you from using snapshots. I do not know what default proposal the installer makes today, but you can always delete the /boot partition in expert mode even if the installer defaults to a separate /boot.

If /boot is inside LUKS, then I found I need to type the LUKS password twice, once for grub and once for the partitions… Or did I do something else wrong?

That’s correct. There is no mechanism to pass the passphrase from the bootloader to the kernel (or initrd); passing it on the kernel command line is obviously not an option. In principle it is possible to put the passphrase in a keyfile in the initrd (it is stored on the encrypted partition, so it is protected just like the rest of your files).
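To make the layout dependencies in the two answers above concrete, here is an added checker (my own code, not from this thread or from openSUSE) that reads fstab and crypttab text and reports the three situations discussed: separate /boot disabling snapshot entries, /boot inside LUKS causing a second passphrase prompt, and a keyfile that would only be safe while the initrd lives on the encrypted partition. The sample configs, the mapper name `cr_root` and the keyfile path are constructed for the example.

```python
# Audit fstab/crypttab text for the situations discussed in this thread:
#  * /boot on its own partition       -> grub shows no btrfs snapshot entries
#  * /boot inside LUKS, no keyfile    -> passphrase asked by grub and again by initrd
#  * keyfile configured, /boot separate -> initrd (carrying the key) sits unencrypted

def _fields(text):
    """Yield whitespace-split fields of non-empty, non-comment lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def parse_fstab(text):
    """Map mountpoint -> (device, fstype)."""
    return {f[1]: (f[0], f[2]) for f in _fields(text) if len(f) >= 3}

def parse_crypttab(text):
    """Map mapper name -> keyfile path, or None when the passphrase is prompted."""
    out = {}
    for f in _fields(text):
        if len(f) >= 2:
            out[f[0]] = f[2] if len(f) > 2 and f[2] not in ("none", "-") else None
    return out

def audit(fstab_text, crypttab_text):
    """Return a list of findings; an empty list means the layout matches the working setup."""
    mounts, crypt, findings = parse_fstab(fstab_text), parse_crypttab(crypttab_text), []
    boot_separate = "/boot" in mounts
    root_dev, root_fs = mounts.get("/", ("", ""))
    if boot_separate:
        findings.append("separate /boot: grub snapshot entries are disabled")
    if root_fs != "btrfs":
        findings.append("root is not btrfs: nothing for grub to boot snapshots from")
    # Heuristic: root under /dev/mapper/ means LUKS or LVM-on-LUKS, so /boot is encrypted too.
    if crypt and boot_separate:
        for name, key in crypt.items():
            if key:
                findings.append(f"{name}: keyfile {key} would end up in an initrd on unencrypted /boot")
    elif crypt and root_dev.startswith("/dev/mapper/") and any(k is None for k in crypt.values()):
        findings.append("/boot inside LUKS without keyfile: passphrase prompted by grub and again by initrd")
    return findings

# Constructed sample configs (not from the thread) for the two layouts discussed.
FSTAB_SEPARATE_BOOT = """/dev/mapper/cr_root  /         btrfs  defaults  0 0
/dev/sda2            /boot     ext4   defaults  0 0
/dev/sda1            /boot/efi vfat   defaults  0 0
"""
FSTAB_BOOT_IN_LUKS = """/dev/mapper/cr_root  /         btrfs  defaults  0 0
/dev/sda1            /boot/efi vfat   defaults  0 0
"""
CRYPTTAB_PROMPT = "cr_root /dev/sda3 none luks\n"
CRYPTTAB_KEYFILE = "cr_root /dev/sda3 /.root.key luks\n"
```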

Can this be installed at all?

I’m trying a Leap 42.3 installation. The default is to create a separate /boot, so I couldn’t boot from snapshots. Thus I decided to delete the /boot partition and let it be part of the encrypted /. When I try to install that, though, I get the following error:

Failure occurred during the following action:
Setting up encrypted dm device on /dev/sda3

VOLUME_CRYPTSETUP_FAILED

System error code was: -3034

Continue despite the error?

Any idea?

I tried to reproduce it, but it works in my case (at least, I’m past disk setup and it’s installing packages now). My best guess is that you had an encrypted partition left over from previous attempts - I have seen multiple reports that the installer gets confused when the disk is not really empty. Note that it may not be enough to recreate the partition table - having the same partition layout may again expose old partition content. You really need to wipe out the signatures on every partition (and possibly logical volume).

So it’s not possible without destroying other partitions? I have another OS installed and would like to keep it.

I did not say that. I do not know what causes this error; this was only a guess based on similarities to reports from others. If you want to know for sure (and hopefully fix it), open a bug report and attach the YaST logs.