Remote unlock full disc encrypted MicroOS installation while keeping snapshots fully working

Hello everyone,

I’m currently evaluating MicroOS for a server installation where I want to use full disk encryption while also being able to unlock the system via SSH on boot and have the neat full system snapshot feature working.

I found this to add sshd to the initrd. But in my test installation I could not use the partitioning scheme created by the installer for this. When enabling encryption the installer creates an encrypted partition that contains the root btrfs filesystem including /boot. So on boot I have to enter the encryption password in grub before initrd even starts. To circumvent that I created a separate unencrypted partition that contains /boot. In this case it seems the system snapshots don’t contain the kernel and initrd image even if the /boot filesystem is also btrfs.

So is there a way to have full /boot snapshots working if it resides on a separate btrfs filesystem from the root fs? Or is there another way to achieve unlockability on boot via SSH while retaining full snapshot functionality?

Thanks!

openSUSE does not support it.

You could have initrd that unlocks real root and kexecs into it. This initrd can add key to unlock LUKS volume to the main initrd (which is effectivley what grub does). The initial kernel version in this case does not matter because you will be loading kernel from the real root anyway. This project seems to implement some tools around this idea:

You will need to additionally implement some logic/UI to choose the kernel to load.

Or you could let grub to unlock root via TPM to allow it to load kernel/initrd directly from the main root.

Unlocking of LUKS-encrypted volumes by using TPM 2.0 - English / Install/Boot/Login - openSUSE Forums