Greetings!
As a new Linux user, I find the whole partitioning and encryption business in Linux is rather complicated. Of course, you can simply use a guided partitioner in OpenSUSE (or similar easy setups from other distributions) and just check the mark to encrypt the device, but this doesn’t do exactly what I want.
And what I want is (from most important to least):
- Full encryption of all my internal partitions/drives. From what I’ve read the only thing you can’t encrypt is the EFI partition. Is that correct?
- No need to enter a password separately for every encrypted partition.
- Ability to suspend to disk.
- Flexibility to expand/shrink encrypted partition if necessary. And to add new encrypted internal drives without the need to enter separate password for them on boot.
- Easy reinstall.
Some layouts I consider:
- Single encrypted BTRFS partition, no lvm
From my research, I think a single btrfs root partition without a separate home must be what I want. It is flexible - you don’t need to preallocate space for root and home. And I believe, it is easy to reinstall - if you reinstall the system the installer should recognize @home subvolume and not destroy/overwrite it, but mount it as a new home, at least if you use btrfs on your new installation too. Correct?
It will be nice to have everything including swap on one btrfs partition. Cause if you have swap on a separate partition then you have to encrypt it separately, and use a separate password to unlock it, right? (I am aware of lvm, but we don’t use it in this layout).
It is easy to create a swap partition in installer, but is it possible and how to create a working btrfs swap subvolume? And can we then use it to suspend to disk?
From what I understand you can expand a btrfs partition and add new drives in it. But since we have an encrypted btrfs partition, in other words a partition in an encrypted LUKS container, we can’t expand it or add new drives in it, because we cannot expand a luks container, unless it is inside an lvm, am I correct?
So, if we add new drives that we want to encrypt in this layout, we have to encrypt them separately, and enter separate passwords for them on boot, right?
- Single encrypted LVM partition.
Say now we have a btrfs partition like previously, but inside an encrypted LVM.
Now we don’t have to worry about a separate swap partition, because it is inside an encrypted LVM anyway.
On the other hand I’ve read that LVM makes data recovery from LUKS encrypted partitions much more difficult. And we still can’t expand it, because it is encrypted, right?
Also, with btrfs, LVM feels redundant, because btrfs has all the features of LVM, such as flexible partitioning, snapshots, etc.
- LUKS on LVM. Volume group with multiple LVs, that have luks encrypted partitions inside them.
For example we have an LV that contains an encrypted root partition, and we can have an LV for another drive. That way we can expand our LVs and the encrypted partitions they contain, but we still need to have separate passwords for other drives, if I understand correctly. And this whole setup is quite complicated.
Possible solution for entering password multiple times with multiple partitions:
Since we have the boot partition encrypted we have to enter the password at least twice on boot. There is a way to avoid that, as described here, but according to this statement in this thread:

> The disadvantage: you now have an encryption key in a file in the root file system. And you also have it in the “initrd”. The more copies, the more likely that it will leak. However, the file in the root file system is readable only by root, and the “initrd” is readable only by root. So some folk think this is a reasonable approach.
>
> If you later install Xen support on a UEFI machine, the “initrd” will be copied to the EFI partition. And that makes it readable by anyone with sufficient access to your machine. So the encryption key has been made more readily accessible, which is risky.

It comes with security compromise. And entering the password twice is fine by me then.
But if we have more than 1 encrypted partition we would have to type the password once more for every additional partition we have. It seems one (and only?) way to avoid this is to create a keyfile somewhere in the root partition and configure crypttab and fstab to automatically use it to decrypt other partitions after the root partition is decrypted. **It seems it doesn’t come with all security compromises of decrypting the root with keyfile, because for non-root partitions, we don’t add keyfiles to initramfs. Is that correct?**
Overall, does what I wrote here make sense? What partitioning and encryption layout can you suggest given my requirements? Something I described above or something else? If you use encryption yourself, how do you partition your drives?
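
The keyfile approach raised in the post only holds up while each keyfile stays readable by root alone, as the quoted statement notes. The following is an added example, not part of the original post: a small Python audit that reads crypttab-format entries and reports which volumes prompt for a passphrase and which keyfiles are missing or readable by non-root users. The volume names, UUIDs and keyfile paths are constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed sample crypttab (hypothetical names, UUIDs and paths).
SAMPLE = """\
# <name>  <device>      <keyfile>            <options>
cr_root   UUID=1111     none                 luks
cr_data   UUID=2222     /etc/keys/data.key   luks
cr_bak    UUID=3333     /etc/keys/bak.key    luks
cr_old    UUID=4444     /etc/keys/old.key    luks
"""

def audit_crypttab(text, root="/"):
    """Return [(volume, status)] for every crypttab entry in `text`."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        name = fields[0]
        keyfile = fields[2] if len(fields) > 2 else "none"
        if keyfile in ("none", "-"):
            status = "prompt"        # passphrase is typed at boot
        elif keyfile.startswith("/dev/"):
            status = "device"        # e.g. random key for swap, not a stored file
        else:
            path = os.path.join(root, keyfile.lstrip("/"))
            try:
                mode = stat.S_IMODE(os.stat(path).st_mode)
                # Any group/other permission bit exposes the key to non-root users.
                status = "exposed" if mode & 0o077 else "ok"
            except FileNotFoundError:
                status = "missing"
        findings.append((name, status))
    return findings

def run_sample():
    """Build the sample keyfiles in a temp dir and audit SAMPLE against it."""
    with tempfile.TemporaryDirectory() as root:
        keydir = os.path.join(root, "etc", "keys")
        os.makedirs(keydir)
        for fname, mode in (("data.key", 0o600), ("bak.key", 0o644)):
            path = os.path.join(keydir, fname)
            with open(path, "wb") as fh:
                fh.write(os.urandom(64))
            os.chmod(path, mode)
        return audit_crypttab(SAMPLE, root=root)

if __name__ == "__main__":
    for volume, status in run_sample():
        print(f"{volume}: {status}")
```

On a real system, pass the contents of `/etc/crypttab` with the default `root="/"` and run it as root so every keyfile can be inspected.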