[opensuse] Encrypted root, two disks
Hello, I'm used to use encrypted root (using LVM containing root and swap) on my notebook. I just added mSATA disk to it, so that I'd like to have / on mSATA SSD and /home on older slower HDD. And I wish it encrypted. So how to do it? If I use LVM, all data would be everywhere, but I wish system on SSD and my data on HDD. If I'd create two or more separated encrypted partitions, I'd have to enter more passwords during startup, which is bit uncomfortable. Is there any other solution? Thanks in advance, Vojtěch -- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux http://www.opensuse.org/ http://trapa.cz/
On 2014-04-02 12:00, Vojtěch Zeisek wrote:
Hello, I'm used to use encrypted root (using LVM containing root and swap) on my notebook. I just added mSATA disk to it, so that I'd like to have / on mSATA SSD and /home on older slower HDD. And I wish it encrypted. So how to do it? If I use LVM, all data would be everywhere, but I wish system on SSD and my data on HDD. If I'd create two or more separated encrypted partitions, I'd have to enter more passwords during startup, which is bit uncomfortable. Is there any other solution?
Interesting problem. The method used by YaST, which is understood properly by the system, is one single encrypted partition, visible on /dev/mapper/, which has inside one LVM space (sorry, I'm not conversant with the correct LVM terminology), and inside that LVM, you find out the three traditional "partitions": root, home, swap. You get prompted for the password just once because there is really only one encrypted partition. I don't use this setup because I do not like LVM. In that case, the method is having separate partitions instead. Few people have reported using full system encryption without LVM, with separate partitions (I can not locate a current full description of the procedure), and one of the problems mentioned (besides YaST being unable to set it up, and possibly difficulties with system upgrade?), is that the boot system asks the password for each partition, even if they are the same. I believe there is a bug on this. I heard that plymouth can handle that situation, but as I always remove it, I can't say for sure. I don't know if this helps you. As I see it, you have to set this up yourself, without LVM. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Hello
On Wed, 2 April 2014 13:02:39, Carlos E. R. wrote:
On 2014-04-02 12:00, Vojtěch Zeisek wrote:
Hello, I'm used to use encrypted root (using LVM containing root and swap) on my notebook. I just added mSATA disk to it, so that I'd like to have / on mSATA SSD and /home on older slower HDD. And I wish it encrypted. So how to do it? If I use LVM, all data would be everywhere, but I wish system on SSD and my data on HDD. If I'd create two or more separated encrypted partitions, I'd have to enter more passwords during startup, which is bit uncomfortable. Is there any other solution?
Interesting problem.
The method used by YaST, which is understood properly by the system, is one single encrypted partition, visible on /dev/mapper/, which has inside one LVM space (sorry, I'm not conversant with the correct LVM terminology), and inside that LVM, you find out the three traditional "partitions": root, home, swap. You get prompted for the password just once because there is really only one encrypted partition.
Yes. And as far as I know, there is no way how to keep root only on certain physical device. That is the point. I wonder how this works in btrfs (I don't know much about this FS), as it has LVM functionality built in.
I don't use this setup because I do not like LVM. In that case, the method is having separate partitions instead. Few people have reported using full system encryption without LVM, with separate partitions (I can not locate a current full description of the procedure), and one of the problems mentioned (besides YaST being unable to set it up, and possibly difficulties with system upgrade?), is that the boot system asks the password for each partition, even if they are the same. I believe there is a bug on this. I heard that plymouth can handle that situation, but as I always remove it, I can't say for sure.
I wouldn't expect big issues with such setup, beside need for repeated enter of pass-phrase.
I don't know if this helps you. As I see it, you have to set this up yourself, without LVM.
I also don't know better solution so far... Vojtěch -- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux http://www.opensuse.org/ http://trapa.cz/
On 02/04/2014 13:16, Vojtěch Zeisek wrote:
I also don't know better solution so far... Vojtěch
may be ask why use so many encrypted partitions? Specially why a system partition. I don't say it's not a good practice (I do not encrypt anything myself), but only that is nobody did wonder, may be there are different mean of protection (boot passwd?). I could think of encrypted system partition with a pass and inside it scripts to open the other encrypted partitions with an other (or the same) passwd jdd -- http://www.dodin.org -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Wed, 2 April 2014 13:24:08, jdd wrote:
On 02/04/2014 13:16, Vojtěch Zeisek wrote:
I also don't know better solution so far... Vojtěch
may be ask why use so many encrypted partitions? Specially why a system partition.
Well, of course, it would probably be enough to have only /home encrypted and /tmp as tmpfs in RAM. Swap is also not needed at all... Personal data would then be only on encrypted partition. I'm not aware of malware injected inside my system when I'm sleeping. :-) Just encrypted root together with swap is IMHO good practice and I like it. :-)
I don't say it's not a good practice (I do not encrypt anything myself), but only that is nobody did wonder, may be there are different mean of protection (boot passwd?).
I'm used to encrypt all mobile devices. I have there private data and if I lost it or it is stolen, no one can access the data...
I could think of encrypted system partition with a pass and inside it scripts to open the other encrypted partitions with an other (or the same) passwd
Interesting. It should be possible. Just might be too hard to set it up...
jdd
All the best, Vojtěch -- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux http://www.opensuse.org/ http://trapa.cz/
On 2014-04-02 13:35, Vojtěch Zeisek wrote:
On Wed, 2 April 2014 13:24:08, jdd wrote:
may be ask why use so many encrypted partitions? Specially why a system partition.
Well, of course, it would probably be enough to have only /home encrypted and /tmp as tmpfs in RAM. Swap is also not needed at all... Personal data would then be only on encrypted partition.
Actually, you do need to encrypt swap: it can contain copies of part of RAM, so "the bad guy" has access to those contents in clear if he gets his hands on the machine. The situation is worse with a hibernated machine, because the entire ram contents are in there. One of the things found in ram is precisely the disk password. Same thing goes for all the temporary spaces, which is the main reason to cipher the root filesystem. It may not be the case when using a tmpfs, but programs store many things in /var and /tmp which could perhaps give information to "the bad guys". (Remember that a tmpfs spills over to swap when needed, AFAIK)
I could think of encrypted system partition with a pass and inside it scripts to open the other encrypted partitions with an other (or the same) passwd
Interesting. It should be possible. Just might be too hard to set it up...
Yes, that's one of the methods described some years ago by a user on the security mail list. That was before systemd. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Wed, 2 April 2014 14:17:57, Carlos E. R. wrote:
On 2014-04-02 13:35, Vojtěch Zeisek wrote:
On Wed, 2 April 2014 13:24:08, jdd wrote:
may be ask why use so many encrypted partitions? Specially why a system partition.
Well, of course, it would probably be enough to have only /home encrypted and /tmp as tmpfs in RAM. Swap is also not needed at all... Personal data would then be only on encrypted partition.
Actually, you do need to encrypt swap: it can contain copies of part of RAM, so "the bad guy" has access to those contents in clear if he gets his hands on the machine. The situation is worse with a hibernated machine, because the entire ram contents are in there. One of the things found in ram is precisely the disk password.
Of course, but with SSD disk and big RAM You don't need swap at all (well, there is discussion about it, but still). That is what I mean. No swap and temporary directories only in RAM.
Same thing goes for all the temporary spaces, which is the main reason to cipher the root filesystem. It may not be the case when using a tmpfs, but programs store many things in /var and /tmp which could perhaps give information to "the bad guys".
(Remember that a tmpfs spills over to swap when needed, AFAIK)
Yes, but without swap partition and with /tmp in RAM it shouldn't be so risky. The problem is /var...
I could think of encrypted system partition with a pass and inside it scripts to open the other encrypted partitions with an other (or the same) passwd
Interesting. It should be possible. Just might be too hard to set it up...
Yes, that's one of the methods described some years ago by a user on the security mail list. That was before systemd.
Do You think it wouldn't work with systemd? V. -- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux http://www.opensuse.org/ http://trapa.cz/
On 02/04/14 14:18, Vojtěch Zeisek wrote:
On Wed, 2 April 2014 14:17:57, Carlos E. R. wrote:
On 2014-04-02 13:35, Vojtěch Zeisek wrote:
On Wed, 2 April 2014 13:24:08, jdd wrote:
may be ask why use so many encrypted partitions? Specially why a system partition.
Well, of course, it would probably be enough to have only /home encrypted and /tmp as tmpfs in RAM. Swap is also not needed at all... Personal data would then be only on encrypted partition.
Actually, you do need to encrypt swap: it can contain copies of part of RAM, so "the bad guy" has access to those contents in clear if he gets his hands on the machine. The situation is worse with a hibernated machine, because the entire ram contents are in there. One of the things found in ram is precisely the disk password.
Of course, but with SSD disk and big RAM You don't need swap at all (well, there is discussion about it, but still). That is what I mean. No swap and temporary directories only in RAM.
Same thing goes for all the temporary spaces, which is the main reason to cipher the root filesystem. It may not be the case when using a tmpfs, but programs store many things in /var and /tmp which could perhaps give information to "the bad guys".
(Remember that a tmpfs spills over to swap when needed, AFAIK)
Yes, but without swap partition and with /tmp in RAM it shouldn't be so risky. The problem is /var...
You can easily set up an unencrypted root on the SSD and an encrypted LVM in the HDD with partitions for /home, /var, /tmp, swap and anything else that needs the security. It's worthwhile having the volatile directories mounted from a HDD to help get the maximum life from the SSD anyway. £0.02 Dylan
On Wed, 2 April 2014 14:42:07, Dylan wrote:
On Wed, 2 April 2014 14:17:57, Carlos E. R. wrote:
On 2014-04-02 13:35, Vojtěch Zeisek wrote:
On Wed, 2 April 2014 13:24:08, jdd wrote:
On 02/04/14 14:18, Vojtěch Zeisek wrote:
You can easily set up an unencrypted root on the SSD and an encrypted LVM in the HDD with partitions for /home, /var, /tmp, swap and anything else that needs the security. It's worthwhile having the volatile directories mounted from a HDD to help get the maximum life from the SSD anyway.
Good idea. Also, if it is not possible to encrypt directly the / partition, it might be possible to create two encrypted LVMs on both disks. I know it might be too complex, but it might work well. Or not? Maybe I'd have to try, but I don't want to spend whole day by trials leading to nowhere...
Dylan
Vojtěch -- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux http://www.opensuse.org/ http://trapa.cz/
On 2014-04-02 15:51, Vojtěch Zeisek wrote:
On Wed, 2 April 2014 14:42:07, Dylan wrote:
Good idea. Also, if it is not possible to encrypt directly the / partition, it might be possible to create two encrypted LVMs on both disks. I know it might be too complex, but it might work well. Or not? Maybe I'd have to try, but I don't want to spend whole day by trials leading to nowhere...
No, the problem is that it means two separate encrypted spaces. Two password prompts. Wait... got an idea. You can tell YaST to install, with full system encryption, on the first disk only. YaST will insist on doing this with LVM, even if there is only one partition inside - I think. After this is done and working, you can add new partitions on the second disk, encrypted, with LVM or not, as you wish. Home could be there. You would get password prompts for each space, unless plymouth handles this better. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Wed, 2 April 2014 16:17:02, Carlos E. R. wrote:
On 2014-04-02 15:51, Vojtěch Zeisek wrote:
On Wed, 2 April 2014 14:42:07, Dylan wrote:
Good idea. Also, if it is not possible to encrypt directly the / partition, it might be possible to create two encrypted LVMs on both disks. I know it might be too complex, but it might work well. Or not? Maybe I'd have to try, but I don't want to spend whole day by trials leading to nowhere...
No, the problem is that it means two separate encrypted spaces. Two password prompts.
Yes, but it should work. Little bit uncomfortable, but working...
Wait... got an idea.
You can tell YaST to install, with full system encryption, on the first disk only. YaST will insist on doing this with LVM, even if there is only one partition inside - I think.
After this is done and working, you can add new partitions on the second disk, encrypted, with LVM or not, as you wish. Home could be there.
You would get password prompts for each space, unless plymouth handles this better.
Yes, but isn't it practically same solution as described previously? Two separated spaces, two enterings of pass-phrase... V. -- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux http://www.opensuse.org/ http://trapa.cz/
On 2014-04-02 16:42, Vojtěch Zeisek wrote:
On Wed, 2 April 2014 16:17:02, Carlos E. R. wrote:
Yes, but isn't it practically same solution as described previously? Two separated spaces, two enterings of pass-phrase...
Yes, What I describe is a method to trick YaST into doing it. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 02/04/14 15:17, Carlos E. R. wrote:
On 2014-04-02 15:51, Vojtěch Zeisek wrote:
On Wed, 2 April 2014 14:42:07, Dylan wrote:
Good idea. Also, if it is not possible to encrypt directly the / partition, it might be possible to create two encrypted LVMs on both disks. I know it might be too complex, but it might work well. Or not? Maybe I'd have to try, but I don't want to spend whole day by trials leading to nowhere...
No, the problem is that it means two separate encrypted spaces. Two password prompts.
Wait... got an idea.
You can tell YaST to install, with full system encryption, on the first disk only. YaST will insist on doing this with LVM, even if there is only one partition inside - I think.
After this is done and working, you can add new partitions on the second disk, encrypted, with LVM or not, as you wish. Home could be there.
You would get password prompts for each space, unless plymouth handles this better.
Isn't the whole point of LVM that you can add space to it dynamically... surely, if you set up an LV on the whole SSD for root then subsequently add the HDD to it, it will be part of the same encrypted LV and you can add a /home partition and ones to move /var /swap etc to? Dx
On Wed, 2 April 2014 15:49:13, Dylan wrote:
On 02/04/14 15:17, Carlos E. R. wrote:
On Wed, 2 April 2014 14:42:07, Dylan wrote:
On 2014-04-02 15:51, Vojtěch Zeisek wrote:
No, the problem is that it means two separate encrypted spaces. Two password prompts.
Wait... got an idea.
You can tell YaST to install, with full system encryption, on the first disk only. YaST will insist on doing this with LVM, even if there is only one partition inside - I think.
After this is done and working, you can add new partitions on the second disk, encrypted, with LVM or not, as you wish. Home could be there.
You would get password prompts for each space, unless plymouth handles this better.
Isn't the whole point of LVM that you can add space to it dynamically... surely, if you set up an LV on the whole SSD for root then subsequently add the HDD to it, it will be part of the same encrypted LV and you can add a /home partition and ones to move /var /swap etc to?
Might be I don't understand it well, but You create LV and then add another space. Will system (root) reside only on the SSD? I think LV will use given space for it, but regardless physical device underlying it. Or not? I mean, I wish to keep root on SSD and /home on HDD and one LVM would break that. No?
Dx
V. -- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux http://www.opensuse.org/ http://trapa.cz/
On Wed, 2014-04-02 at 17:08 +0200, Vojtěch Zeisek wrote:
On Wed, 2 April 2014 15:49:13, Dylan wrote:
On 02/04/14 15:17, Carlos E. R. wrote:
On Wed, 2 April 2014 14:42:07, Dylan wrote:
On 2014-04-02 15:51, Vojtěch Zeisek wrote:
No, the problem is that it means two separate encrypted spaces. Two password prompts.
Wait... got an idea.
You can tell YaST to install, with full system encryption, on the first disk only. YaST will insist on doing this with LVM, even if there is only one partition inside - I think.
After this is done and working, you can add new partitions on the second disk, encrypted, with LVM or not, as you wish. Home could be there.
You would get password prompts for each space, unless plymouth handles this better.
Isn't the whole point of LVM that you can add space to it dynamically... surely, if you set up an LV on the whole SSD for root then subsequently add the HDD to it, it will be part of the same encrypted LV and you can add a /home partition and ones to move /var /swap etc to?
Might be I don't understand it well, but You create LV and then add another space. Will system (root) reside only on the SSD? I think LV will use given space for it, but regardless physical device underlying it. Or not? I mean, I wish to keep root on SSD and /home on HDD and one LVM would break that. No?
In that case, you should create two volume groups, one for the HDD and another for the SSD. During boot time, you will be prompted for the luks phrase for the system area. For the home-area, you have multiple options: Either store the luks-phrase into a file (stored on an already protected system area). Or mount the user area only during logging in, and use the pam-mechanism to unlock your home-area.....
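The first option in the message above (a key file kept on the already-encrypted system area), as an added example that is not part of any poster's message: a random key file is created on the encrypted root, enrolled as an additional LUKS key for the HDD, and named in /etc/crypttab so that only the root passphrase is typed at boot. The mapper name cr_home, the path /etc/keys/home.key and the UUID placeholder are assumptions; the steps that need root and a real LUKS device are printed, not run.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: mapper name cr_home,
# key file /etc/keys/home.key, and a placeholder UUID for the HDD partition.

# Create a 4 KiB random key file that only its owner can read.
make_keyfile() {
    keyfile=$1
    (
        umask 077
        mkdir -p "$(dirname "$keyfile")" &&
        dd if=/dev/urandom of="$keyfile" bs=512 count=8 2>/dev/null &&
        chmod 0400 "$keyfile"
    )
}

# Emit the /etc/crypttab line: <name> <device> <key file> <options>.
crypttab_line() {
    printf '%s\tUUID=%s\t%s\tluks\n' "$1" "$2" "$3"
}

# Print (not run) the root-only steps: enrol the key file as an additional
# key (asks for the existing passphrase once), then verify that it unlocks.
print_root_steps() {
    dev=$1
    keyfile=$2
    cat <<EOF
cryptsetup luksAddKey $dev $keyfile
cryptsetup open --test-passphrase --key-file $keyfile $dev
EOF
}

# Audit a crypttab: every entry that names a key file must point at an
# existing regular file with no group/other permission bits.
# Prints one finding per problem; returns non-zero if any were found.
audit_crypttab() {
    tab=$1
    bad=0
    while read -r name dev key opts; do
        case $name in ''|'#'*) continue ;; esac       # blank line or comment
        case $key in ''|none|-) continue ;; esac      # passphrase prompt
        case $key in /dev/*) continue ;; esac         # e.g. /dev/urandom swap
        if [ ! -f "$key" ]; then
            echo "$name: key file $key is missing"
            bad=1
            continue
        fi
        mode=$(stat -c %a "$key")                     # GNU stat, octal mode
        case $mode in
            [0-7]00) ;;
            *) echo "$name: key file $key has mode $mode, want 400 or 600"
               bad=1 ;;
        esac
    done < "$tab"
    return $bad
}

# Demo on a scratch directory with constructed values; touches nothing real.
demo() {
    d=$(mktemp -d)
    make_keyfile "$d/keys/home.key"
    crypttab_line cr_home 00000000-0000-0000-0000-000000000000 \
        "$d/keys/home.key" > "$d/crypttab"
    cat "$d/crypttab"
    print_root_steps '/dev/disk/by-uuid/<HDD-LUKS-UUID>' /etc/keys/home.key
    audit_crypttab "$d/crypttab" && echo "audit: ok"
    chmod 0644 "$d/keys/home.key"
    audit_crypttab "$d/crypttab" || echo "audit: loosened mode detected"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

The key file is only as well protected as the root volume that holds it, so it covers the HDD at rest and nothing more; keeping the original passphrase enrolled leaves a fallback if the key file is lost.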
Hi, thank You!
On Wed, 2 April 2014 23:34:36, Hans Witvliet wrote:
On Wed, 2014-04-02 at 17:08 +0200, Vojtěch Zeisek wrote:
On Wed, 2 April 2014 15:49:13, Dylan wrote:
On 02/04/14 15:17, Carlos E. R. wrote:
On 2014-04-02 15:51, Vojtěch Zeisek wrote:
On Wed, 2 April 2014 14:42:07, Dylan wrote:
In that case, you should create two volume groups, one for the HDD and another for the SSD. During boot time, you will be prompted for the luks phrase for the system area.
For the home-area, you have multiple options: Either store the luks-phrase into a file (stored on an already protected system area). Or mount the user area only during logging in, and use the pam-mechanism to unlock your home-area.....
I like both ideas, but the first one more. Do You have some more detailed description how to do it practically? Greetings, Vojtěch -- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux http://www.opensuse.org/ http://trapa.cz/
On 2014-04-02 16:49, Dylan wrote:
On 02/04/14 15:17, Carlos E. R. wrote:
Isn't the whole point of LVM that you can add space to it dynamically... surely, if you set up an LV on the whole SSD for root then subsequently add the HDD to it, it will be part of the same encrypted LV and you can add a /home partition and ones to move /var /swap etc to?
AFAIK, it works in layers. The first layer, it is the encrypted space. On top of that, you set up the LVM. You can increase the LVM, yes, but you can not spread the encrypted space on two disks. If it is a partition, you can resize it, but not join two partitions on two disks. The LVM is not on top of the hardware in this case, it is over another software layer. I know little of LVM, but I understand that you could join the two encrypted spaces into a single LVM, yes. But what for? You'd get the prompt for two passwords, for two different encrypted spaces... That's the problem. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 2014-04-02 13:16, Vojtěch Zeisek wrote:
Hello
On Wed, 2 April 2014 13:02:39, Carlos E. R. wrote:
Yes. And as far as I know, there is no way how to keep root only on certain physical device. That is the point. I wonder how this works in btrfs (I don't know much about this FS), as it has LVM functionality built in.
Dunno.
I don't use this setup because I do not like LVM. In that case, the method is having separate partitions instead. Few people have reported using full system encryption without LVM, with separate partitions (I can not locate a current full description of the procedure), and one of the problems mentioned (besides YaST being unable to set it up, and possibly difficulties with system upgrade?), is that the boot system asks the password for each partition, even if they are the same. I believe there is a bug on this. I heard that plymouth can handle that situation, but as I always remove it, I can't say for sure.
I wouldn't expect big issues with such setup, beside need for repeated enter of pass-phrase.
I do not know of an easy way to encrypt the root filesystem right from installation, because YaST will not do it. The method I know is:
1) Install a normal root system, not encrypted, with a separate boot partition, and perhaps an encrypted home partition. The physical disks used are irrelevant, one or twenty.
2) Create a new encrypted partition.
3) Copy the clear root partition files to the deciphered container.
4) Somehow boot that encrypted root partition.
I'm stuck on (4). Once this is done, I do not know if the system will be upgradeable, or the entire procedure will have to be repeated.
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Wed, 2 April 2014 14:09:30, Carlos E. R. wrote:
On 2014-04-02 13:16, Vojtěch Zeisek wrote:
On Wed, 2 April 2014 13:02:39, Carlos E. R. wrote:
I don't use this setup because I do not like LVM. In that case, the method is having separate partitions instead. Few people have reported using full system encryption without LVM, with separate partitions (I can not locate a current full description of the procedure), and one of the problems mentioned (besides YaST being unable to set it up, and possibly difficulties with system upgrade?), is that the boot system asks the password for each partition, even if they are the same. I believe there is a bug on this. I heard that plymouth can handle that situation, but as I always remove it, I can't say for sure.
I wouldn't expect big issues with such setup, beside need for repeated enter of pass-phrase.
I do not know of an easy way to encrypt the root filesystem right from installation, because YaST will not do it. The method I know is:
Hm :-( I thought this would be relatively easy but uncomfortable solution. Then it would probably require a lot of trials to find the best solution...
1) Install a normal root system, not encrypted, with a separate boot partition, and perhaps an encrypted home partition. The physical disks used are irrelevant, one or twenty.
2) Create a new encrypted partition.
3) Copy the clear root partition files to the deciphered container.
4) Somehow boot that encrypted root partition.
I'm stuck on (4).
Once this is done, I do not know if the system will be upgradeable, or the entire procedure will have to be repeated.
It doesn't seem to me as the best way, but OK... Regards, Vojtěch -- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux http://www.opensuse.org/ http://trapa.cz/
On 2014-04-02 15:25, Vojtěch Zeisek wrote:
On Wed, 2 April 2014 14:09:30, Carlos E. R. wrote:
It doesn't seem to me as the best way, but OK...
Notice that I say that I'm stuck on #4, I have not managed to get this setup working. I'm testing this on a virtual machine, to find out how to do it. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Wednesday, 2 April 2014, 12:00:50, Vojtěch Zeisek wrote:
Hello, I'm used to use encrypted root (using LVM containing root and swap) on my notebook. I just added mSATA disk to it, so that I'd like to have / on mSATA SSD and /home on older slower HDD. And I wish it encrypted. So how to do it? [...]
I did something similar to http://danielkinsman.wordpress.com/2013/07/09/full-disk-encryption-chaining-... HTH Jan -- Get yours while there's still some left.
Jan Ritzerfeld wrote:
On Wednesday, 2 April 2014, 12:00:50, Vojtěch Zeisek wrote:
Hello, I'm used to use encrypted root (using LVM containing root and swap) on my notebook. I just added mSATA disk to it, so that I'd like to have / on mSATA SSD and /home on older slower HDD. And I wish it encrypted. So how to do it? [...]
I did something similar to http://danielkinsman.wordpress.com/2013/07/09/full-disk-encryption-chaining-...
Nice! Definitely, I'm going to do something like that.
HTH Jan
All the best, Vojtěch -- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux http://www.opensuse.org/ http://trapa.cz/
On 2014-04-05 18:46, Vojtěch Zeisek wrote:
Jan Ritzerfeld wrote:
I did something similar to http://danielkinsman.wordpress.com/2013/07/09/full-disk-encryption-chaining-...
Nice! Definitely, I'm going to do something like that.
Yes, I agree, but the problem in openSUSE is how to encrypt the root partition without using LVM. YaST only supports the scenario with LVM. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Sun, 6 April 2014 00:24:52, Carlos E. R. wrote:
On 2014-04-05 18:46, Vojtěch Zeisek wrote:
Jan Ritzerfeld wrote:
I did something similar to http://danielkinsman.wordpress.com/2013/07/09/full-disk-encryption-chaining-with-dm-crypt-luks/
Nice! Definitely, I'm going to do something like that.
Yes, I agree, but the problem in openSUSE is how to encrypt the root partition without using LVM. YaST only supports the scenario with LVM.
Well, I don't have problem with using LVM. I wonder, how will it be with Btrfs in 13.2. All the best, Vojtěch -- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux http://www.opensuse.org/ http://trapa.cz/
On 2014-04-06 10:37, Vojtěch Zeisek wrote:
On Sun, 6 April 2014 00:24:52, Carlos E. R. wrote:
On 2014-04-05 18:46, Vojtěch Zeisek wrote:
Jan Ritzerfeld wrote:
I did something similar to http://danielkinsman.wordpress.com/2013/07/09/full-disk-encryption-chaining-with-dm-crypt-luks/
Nice! Definitely, I'm going to do something like that.
Yes, I agree, but the problem in openSUSE is how to encrypt the root partition without using LVM. YaST only supports the scenario with LVM.
Well, I don't have problem with using LVM.
Ah, well :-) But you see, what the link describes is a method to have the entire system, several partitions and disks, encrypted, including root, without LVM, and giving the password just once. This is possible on debian, but not on openSUSE (via YaST, at least).
I wonder, how will it be with Btrfs in 13.2.
If you use several partitions, no change, the problem is the same. If you use the native btrfs way of separating spaces, instead of partitions, then very different. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Sunday, 6 April 2014, 00:24:52, Carlos E. R. wrote:
On 2014-04-05 18:46, Vojtěch Zeisek wrote:
Jan Ritzerfeld wrote:
I did something similar to http://danielkinsman.wordpress.com/2013/07/09/full-disk-encryption-chaining-with-dm-crypt-luks/
Nice! Definitely, I'm going to do something like that.
Yes, I agree, but the problem in openSUSE is how to encrypt the root partition without using LVM. YaST only supports the scenario with LVM.
Well, the fact that root is already encrypted using LVM does not prevent you from encrypting an additional HDD without LVM that gets automatically mounted on boot. Regards, Jan -- A fool and his money are soon parted.
On 2014-04-07 00:00, Jan Ritzerfeld wrote:
On Sunday, 6 April 2014, 00:24:52, Carlos E. R. wrote:
On 2014-04-05 18:46, Vojtěch Zeisek wrote:
Jan Ritzerfeld wrote:
I did something similar to http://danielkinsman.wordpress.com/2013/07/09/full-disk-encryption-chaining-with-dm-crypt-luks/
Nice! Definitely, I'm going to do something like that.
Yes, I agree, but the problem in openSUSE is how to encrypt the root partition without using LVM. YaST only supports the scenario with LVM.
Well, the fact that root is already encrypted using LVM does not prevent you from encrypting an additional HDD without LVM that gets automatically mounted on boot.
Again: the problem is how to encrypt "/" without using LVM. YaST can not, other distros can. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Monday, 7 April 2014, 01:12:41, Carlos E. R. wrote:
[...] Again: the problem is how to encrypt "/" without using LVM. YaST can not, other distros can.
Sorry, this was not obvious from the original posting. I understand that an LVM spanning both the SSD and HDD would not be an option. However, fully encrypting the SSD (root and swap) with LVM and simply adding the HDD separately as home would have worked IMHO. Regards, Jan -- Life is tough, life is tougher when you're stupid.
On Mon, 7 April 2014 21:16:18, Jan Ritzerfeld wrote:
On Monday, 7 April 2014, 01:12:41, Carlos E. R. wrote:
[...]
Sorry, this was not obvious from the original posting. I understand that an LVM spanning both the SSD and HDD would not be an option. However, fully encrypting the SSD (root and swap) with LVM and simply adding the HDD separately as home would have worked IMHO.
Yes, I have it like that right now. It works fine. I'm just trying to figure out how to securely store password for the second disk (hdd, home) on the first disk (encrypted LVM with root and swap) and how to unlock it, to avoid need to enter two passphrases during the boot...
Regards, Jan
Bye, Vojtěch -- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux http://www.opensuse.org/ http://trapa.cz/
On 2014-04-07 21:16, Jan Ritzerfeld wrote:
On Monday, 7 April 2014, 01:12:41, Carlos E. R. wrote:
[...] Again: the problem is how to encrypt "/" without using LVM. YaST can not, other distros can.
Sorry, this was not obvious from the original posting. I understand that an LVM spanning both the SSD and HDD would not be an option. However, fully encrypting the SSD (root and swap) with LVM and simply adding the HDD separately as home would have worked IMHO.
Ok, I should clarify. It is not a problem for the OP, he is happy with using LVM for the root system or the first disk. It is me who wants to do the same without, as in the link you posted from debian. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)