Luks encryption and btrfs snapshots


It seems when you use both luks encryption for the whole drive (except EFI and boot partition) and btrfs snapshots, the snapshots will not appear in grub menu at all.

Therefore when things get broken and you can’t boot, those snapshots won’t save you.

That being said, one should not use Btrfs snapshots feature with luks encryption together, right? :’(

That’s correct, if /boot is on separate partition snapshots are disabled (because then you cannot revert to previous kernel). /boot on LVM on LUKS partition is supported so nothing prevents you from using snapshots. I do not know what default proposal installer makes today but you can always delete /boot partition in expert mode even if installer defaults to separate /boot.

If /boot is inside luks, then I found I need type luks password twice, one for grub and one for partitions…Or did I do sth else wrong?

That’s correct. There is no mechanism to pass passphrase from bootloader to kernel (or initrd); passing it on kernel command line is obviously not an option. In principle it is possible to put passphrase in keyfile in initrd (it is stored on encrypted partition, so protected just as the rest of your files).

Can this be installed at all?

I’m trying Leap 42.3 installation. The default is to create a separate /boot so I couldn’t boot from snapshots. Thus I decided to delete the /boot partition and let it be a part of the encrypted /. When I try and install that though, I get the following error:

Failure occurred during the following action:
Setting up encrypted dm device on /dev/sda3


System error code was: -3034

Continue despite the error?

Any idea?

I tried to reproduce it but it works in my case (at least, I’m past disk setup and it’s installing packages now). My best guess is that you had encrypted partition left from previous attempts - I have seen multiple reports that installer gets confused when disk is not really empty. Note that it may not be enough to recreate partition table - having same partition layout may again expose old partition content. You really need to wipe out signatures on every partition (and possibly logical volume).

So it’s not possible without destroying other partitions? I have another OS installed and would like to keep it.

I did not say that. I do not know what causes this error; so I this was only guess based on similarities in reports of others. If you want to know for sure (and hopefully fix it) - open bug report and attach YaST logs.