Partition Table for encrypted LVM

I need a correct example of a partition table for an encrypted LVM on openSUSE 13.1. Unfortunately, I cannot install it the normal way because there is a warning that no root file system was defined, so I need to set up the partitions on my own.

I will do it that way:

/dev/sda1 /boot
/dev/sda2 swap This will become the encrypted swap.
/dev/sda3 /home This will become the encrypted root.
/dev/sda4 / This will become the encrypted home.

Please tell me the size of every single partition, and whether the partitions should be formatted as ext4?
I don’t know how large, for instance, /boot should be. I have 250GB of free space.

On 2015-09-04 14:26, joslinke wrote:
>
> I need a correct example of a partition table for an encrypted lvm of
> opensuse 13.1. Unfortunately, I can not install it the normal way
> because there is a warning that no root file system was defined, so
> therefore I need to set up the partition by my own.

You need a /boot partition (say, half a gigabyte), and the rest a single
partition used for encrypted LVM. Inside the LVM there will be “spaces”
for “/”, swap and “/home”. But not partitions.

YaST should be used to do this; it is far easier.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

The first time I did that, there was a box I could check to use an LVM. And the next screen had a box to check for encrypting that LVM. That was back with opensuse 11.4 (if I remember correctly). I think similar options are available.

Since then I have preferred to have more control. So I create the LVM in advance.

For what you want, I suggest:

/dev/sda1: Use that as “/boot”. Make it 500M in size.
/dev/sda2: The rest of the disk goes here. This will become the LVM.

To actually create the LVM, I recommend using Yast. Boot live media (such as the 13.1 live rescue CD), and then run Yast Partitioner.

If you have not already done so, then first create “/dev/sda1” at 500M, and “/dev/sda2” as the remainder of the disk.

For “/dev/sda2”, click the box to encrypt the file system. You should be prompted for a key. Make sure that you remember the key that you provide. Also, use only ASCII characters (can include spaces) for the key.

Then click on Volume Management.

In volume management, the first thing you will need to do is create an LVM. Unfortunately, I don’t see the screen for an empty disk, because I already have an LVM. You have to give the volume a name, and then add “/dev/sda2” to that LVM.

Once that is done, you use the “Add” button to add volumes (carve the LVM space into volumes). You will need swap, root and home (suggested names for the volumes).

You did not tell us the size of your disk or how much memory. For the “swap” volume set the volume size to maybe 4G, or to the size of your memory. Set it to be formatted as swap, but not mounted. For “root” volume, I suggest 40G as size, assuming that you have plenty of space on the disk. For a small disk, try 20G or even 10G. If you use less than 40G, then format as “ext4” but set to not mount. If you have a large enough disk you might want to try “btrfs”. But, in that case, perhaps you should leave the root volume unformatted (to be formatted during install). And if the disk is large enough, maybe 60G might be a better size for the root volume if you plan to use “btrfs”.

Put all of the remaining space into the “home” volume.

Click the “Finish” button, and Yast partitioner should complete the job.

When you are ready to install, the installer will propose partitioning. It will propose to destroy what you have just set up. So select the option “create partitioning”, followed by the option to use “expert partitioning” (or maybe that says “custom partitioning”).

Before you get that far in install, you should have been prompted for the encryption key. Enter that when requested.

At the custom partitioning screen, you should see a list of partitions and LVM volumes.

Right click on the LVM volume for root, and select “Edit”. Set that volume to be mounted as “/” and to be formatted.
Right click on the LVM volume for “swap” and select “Edit”. It may already be set to be mounted as swap, in which case you can click “finish” without doing anything to swap.
Right click on the LVM volume for “home”. It was probably already formatted when you set up the LVM. You need to set it to mount to “/home”.
Right click on the line for “/dev/sda1”, and set it to be formatted and mounted as “/boot”. I usually recommend “ext2” for “/boot”.

Inspect everything, to make sure you have it right. Then accept the resulting partitioning setup. Then continue with install.

Okay, that looks a bit complex. Up until the final stage of install, you can click “Cancel” or “Abort”. That gets you out with nothing changed on the disk. So you can afford to make a few trial runs if you want.

It will seem a lot easier in future, when you already have experience with this.

I hope that helps.

Thank you for the detailed answer. I will try the installation with the Live CD. I haven’t used YAST in a Live CD environment so far; nevertheless it seems a bit easier to me, too.

I have one question. You wrote

> For “root” volume, I suggest 40G as size, assuming that you have plenty of space on the disk. For a small disk, try 20G or even 10G. If you use less than 40G, then format as “ext4” but set to not mount.

Why shouldn’t I set up a non-mounted smaller root space? Is it really important not to mount a small (10GB) root space? You can mount a bigger one but not a smaller one?

Sorry for the confusion. I did not explain well enough.

The reason for not mounting at this stage is that you are running a live system from CD or USB. So you don’t want to mount to that live system. You just want to create everything.

During the actual install, you will need to specify that the root file system be mounted.

As for the size - those were only recommendations based on what I do. I don’t know how you intend to use the system. If you plan to use “btrfs”, then you need a bigger partition. However, for 13.1, the default is to use “ext4”. I allocate 40G for the root file system just to have plenty of spare space. If you are tight on space, use less.

Checking my actual usage, I am using around 10G of space in “/”, with 30G free. I do install KDE, Gnome, XFCE and LXDE. And I also install “latex” which probably uses 1.5G or more disk space. If you plan on only one desktop and won’t install anything as large as “latex”, then 10G should be sufficient. You can probably manage with 5G, but that can get tight if you decide to install other software.

In truth, nobody can make those decisions for you. We can only make suggestions, because we don’t know how you will be using the system.

I have created sda1 and mounted it as /boot, but what should be the mount point of sda2? That is my problem now. I don’t mean the spaces (/home, /root etc.) on sda2, but where should I set up the mount point of sda2 during the creation process in YaST? I think I should mount sda2 just as /.

I could install it. But Opensuse disappeared in UEFI after updates, also Ubuntu installed on sdb disappeared in UEFI. I checked with Live CD the partitions are still there but they are not listed in UEFI anymore. I think this is a UEFI bug. An encrypted Opensuse 13.1 doesn’t work with my UEFI. I hate UEFI.

No, you don’t mount “/dev/sda2”. That’s the disk space allocated to the LVM structure. There are virtual volumes inside, and those virtual volumes are mounted.

You did not mention that you have a UEFI box.

With UEFI, you need an EFI partition (a FAT partition of around 500M is fine, but flagged as an EFI partition). Also, the installer will insist on using GPT partitioning rather than legacy MBR partitioning.

You also failed to mention “/dev/sdb” previously. Maybe there’s already an EFI partition there.

Yes, I didn’t mount sda2. Unfortunately, on Ubuntu the /boot/efi entry was already in sdb2. I forgot completely about UEFI; there were no problems with encrypted LVM in Ubuntu, and I thought openSUSE would install /boot/efi automatically. Nevertheless, stupid UEFI makes life for Linux users so much harder.

Depending on BIOS settings, you can boot the install DVD in UEFI mode or in Legacy mode.

If you boot in UEFI mode, then it should already try to mount the EFI partition as “/boot/efi”. But I guess it could possibly get confused and need some hints in the partitioner. Using “/dev/sdb2” as “/boot/efi” should work.

By now, I’m unsure on what you have and where you are stuck. Maybe you can provide the output from

# fdisk -l

Put the output in a code block. The “fdisk” command is available on the install DVD, though you might have to boot it into rescue mode. You can mount another USB to save the output. Or even mount that EFI partition somewhere, and save into a text file somewhere there.

I have made a clean install of Ubuntu again. I couldn’t recover the system in Rescue Mode because there were some errors due to the encrypted LVM; a file was missing. There is still openSUSE installed on sda. I think that only a clean install would help here, too, because I didn’t create /boot/efi. I don’t have any important data there, so I can reinstall it without any problems. My concern is that when I edit or delete sda to make /boot/efi, then Ubuntu could disappear on sdb again. Therefore I have changed the GRUB_DISTRIBUTOR entry in /etc/default/grub to “Ubuntu_PC”. It should create a permanent start path in /boot/efi for Ubuntu that cannot be overridden.

The installation works. But every time I install openSUSE or any other Linux distro on sda, the system on the other hard drive disappears in UEFI. This problem only occurs when both systems are encrypted. Can someone please tell me how I can recover Linux in UEFI, or how I can set up Linux so that it won’t disappear after the installation of a new system on the other hard drive.

I am having difficulty understanding what “disappears in UEFI on the other harddrive” actually means.

We need a better description of what you are looking at and what you are seeing.

It occurs to me that maybe your problem is that there is no menu entry to boot ubuntu from the opensuse boot menu, and no menu entry to boot opensuse from the ubuntu boot menu.

That happens because “grub2-mkconfig” (or “grub-mkconfig” on ubuntu) cannot look inside an encrypted partition.

One way around this is to open the encrypted LVM before you run “grub2-mkconfig”:

# cryptsetup luksOpen /dev/whatever virtual-device-name
# vgchange -a y

That makes the logical volumes inside the encrypted LVM visible. Now run

# grub2-mkconfig -o /boot/grub2/grub.cfg

The other alternative, which I prefer, is to add entries to “/etc/grub.d/40_custom” to boot the other system. I normally use a “configfile” directive for that.
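As an added illustration of the “40_custom” approach above (my example, not the poster’s own file): a helper that generates a menu entry chainloading the other system’s own grub.cfg with a “configfile” directive. It assumes the other system keeps an unencrypted /boot partition, as agreed earlier in the thread, so GRUB never has to look inside the LUKS volume; PLACEHOLDER-UUID stands for that partition’s filesystem UUID.

```shell
set -eu

# Emit one menuentry. $1 = menu title, $2 = filesystem UUID of the other
# system's /boot partition, $3 = path of its grub.cfg relative to that
# partition (/grub2/grub.cfg on openSUSE, /grub/grub.cfg on Ubuntu).
configfile_entry() {
    title=$1; uuid=$2; cfg=$3
    cat <<EOF
menuentry "$title" {
    insmod part_gpt
    insmod part_msdos
    insmod ext2
    search --no-floppy --fs-uuid --set=root $uuid
    configfile $cfg
}
EOF
}

# Write a 40_custom file. grub2-mkconfig executes it, and "exec tail -n +3"
# makes it print everything after its first two lines verbatim into grub.cfg.
# $1 = output path; the remaining arguments are a command that prints entries.
write_40_custom() {
    out=$1; shift
    {
        echo '#!/bin/sh'
        echo 'exec tail -n +3 $0'
        "$@"
    } > "$out"
    chmod 755 "$out"
}

# Count the menuentry blocks in a generated file (a quick sanity check
# before copying it to /etc/grub.d/ and running grub2-mkconfig).
count_entries() {
    grep -c '^menuentry ' "$1"
}

# Demo: PLACEHOLDER-UUID stands for the output of
#   blkid -s UUID -o value /dev/sdb1
write_40_custom "${TMPDIR:-/tmp}/40_custom.example" \
    configfile_entry "Ubuntu (own grub.cfg on /dev/sdb1)" PLACEHOLDER-UUID /grub/grub.cfg
```

Running the generated file with sh shows exactly what grub2-mkconfig will copy into grub.cfg.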

I will try it out. I hope something will help. Somehow Linux cannot deal with two encrypted LVMs, or it is a UEFI bug.

I tried this command in Rescue mode, too.

efibootmgr --create --disk /dev/sdb --part 2 --label "com" --loader \\EFI\\ubuntu\\shimx64.efi

It worked, there was an entry in UEFI again, but I couldn’t boot anymore. The operating systems didn’t start, no Grub was available. On the screen I saw the message: No OS selected please reboot and select one. Rebooting and selecting OS didn’t help, the error remains although Opensuse and Ubuntu entries were in UEFI. How can this happen?

I have two computers with two encrypted LVMs. Linux does not have a problem with that.

UEFI bug? Maybe. You haven’t clearly explained the problem.

A UEFI system keeps boot entries in NVRAM (non-volatile memory). You can display the current list with

# efibootmgr -v

On one of my computers, the Dell BIOS only wants to keep one entry. So if I install a second system, the NVRAM entry for the first will disappear. Fortunately, I can still boot that system with an entry in the grub menu.

Perhaps that’s the problem you are seeing. There are workarounds for dealing with it.
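To make the “entry disappeared from NVRAM” situation checkable, here is an added helper (mine, not from any poster) that scans an “efibootmgr -v” listing for an entry loading a given EFI file and, if it is missing, prints the restore command. The disk, partition, label “com” and shim path are the ones used earlier in the thread; the listing is a constructed sample so the script runs offline.

```shell
set -eu

# Constructed stand-in for `efibootmgr -v` output, so this runs without root.
# Only the Windows entry is left; the Ubuntu shim entry is gone.
SAMPLE_EFIBOOTMGR='BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000
Boot0000* Windows Boot Manager	HD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x32000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)'

# Succeed (exit 0) if some entry in listing $1 loads the EFI file $2.
# Fixed-string match, so the backslashes in the loader path need no escaping.
has_loader_entry() {
    printf '%s\n' "$1" | grep -Fq -- "File($2)"
}

# Print the BootNNNN number of the first entry loading $2, if any.
loader_boot_number() {
    printf '%s\n' "$1" | grep -F -- "File($2)" | sed -n '1s/^Boot\([0-9A-Fa-f]\{4\}\).*/\1/p'
}

# Build the restore command (quoted so the backslashes survive an eval).
restore_command() {
    disk=$1; part=$2; label=$3; loader=$4
    printf "efibootmgr --create --disk %s --part %s --label '%s' --loader '%s'\n" \
        "$disk" "$part" "$label" "$loader"
}

# Report the entry, or print the fix; with DO_IT=1 the fix is executed
# (that part needs root and a mounted efivarfs, like efibootmgr itself).
ensure_entry() {
    listing=$1; disk=$2; part=$3; label=$4; loader=$5
    if has_loader_entry "$listing" "$loader"; then
        echo "present as Boot$(loader_boot_number "$listing" "$loader")"
    else
        cmd=$(restore_command "$disk" "$part" "$label" "$loader")
        echo "missing; restore with: $cmd"
        if [ "${DO_IT:-0}" = 1 ]; then eval "$cmd"; fi
    fi
}

# On a real box replace the sample with: listing=$(efibootmgr -v)
ensure_entry "$SAMPLE_EFIBOOTMGR" /dev/sdb 2 com '\EFI\ubuntu\shimx64.efi'
```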

I could solve the problem with the command mentioned

efibootmgr --create --disk /dev/sdb --part 2 --label "com" --loader \\EFI\\ubuntu\\shimx64.efi

I have reinstalled the system and executed this command again. I think it didn’t work the first time because there were two entries; I typed the command two times. Indeed, it didn’t work because there were no entries in NVRAM.

The problem occurred when I installed an encrypted LVM OS on sda and then also an encrypted LVM OS on the other hard drive. After that there were no UEFI entries for the first system anymore.

You might be having problems with the UEFI firmware. But that can’t be due to the LVMs, since the firmware doesn’t know about those.

On the computer where I am typing this response (call it Computer A):
“/dev/sda” contains Windows 8.1
“/dev/sdb” contains an encrypted LVM (which I am using to type this answer)
“/dev/sdc” contains another encrypted LVM, which I boot from time to time.

So having encrypted LVMs on different drives is not causing a problem.

On another computer (call it computer B), there’s an encrypted LVM on “/dev/sda”. And there’s another encrypted LVM on “/dev/sdb”. And, again, this is working. (I don’t have Windows on that box).

On computer A, UEFI NVRAM entries sometimes disappear. That’s a firmware problem. I have learned how to deal with it.

Computer B has the reverse problem. If I delete an NVRAM entry with something like

# efibootmgr -b 3 -B

that deleted entry will reappear after reboot. That’s a different firmware problem. I have learned how to deal with that, too.

There seem to be variations in how well the UEFI “standard” is implemented.

For both computer A and computer B, I have settled on a method that works for me. I have several linux installs. In effect, I make one of those the master for booting. And I make sure that the boot menu for that one allows me to boot the others. But it can get complicated. An update on one system might reconfigure the UEFI firmware, so that my master boot menu doesn’t show up. Then I have to fix it again.