On 6 December 2015 at 13:59, Andrei Borzenkov wrote:
06.12.2015 15:47, Richard Brown wrote:
On 6 December 2015 at 07:23, Andrei Borzenkov wrote:
06.12.2015 01:49, Richard Brown wrote:
On 5 December 2015 at 19:50, Bruno Friedmann wrote:
On Thursday 26 November 2015 20.49:32 Andrei Borzenkov wrote:
26.11.2015 20:38, Robby Engelmann wrote:
> sorry, I overlooked that...
>
> boot is on ext4. root, home and swap is a lukscrypt lvm setup with root btrfs
> and home xfs.
Boot from snapshot is offered only if /boot is on btrfs (actually the check is probably wrong, it should check that /boot is on the same filesystem and subvolume as /, but that is another matter).
Then this is a huge limitation on what we offer. TW is advertised with the rollback feature, as a recovery measure.
In the new world of sensitive information and privacy, this is really a problem. People that need to have / encrypted for whatever reason (they are all valid: list of packages, database content etc) are just left on the side.
What kind of effort can we make to have grub2 ask for the luks keypass when starting, and then be able to decrypt the snapshots ...
LUKS support was added to GRUB2 more than 4 years ago.
Can't be done
Please get your facts right.
My facts are correct, but were not necessarily totally complete ;)
It's been pointed out to me that in fact you can, in the advanced partitioner only, set a btrfs root filesystem to encrypted and Grub2 will be able to boot it.
Really? That's news to me. Last time I looked into it, it was not possible to tell YaST to create a filesystem on an encrypted partition. I need to download the latest snapshot again. It's good if it has been fixed.
I did not know that... probably because it isn't clearly documented anywhere and the LVM+Crypt method is the one we DO have documented, is obvious in YaST, and is what we recommend and test for everyone because it's documented and obvious in YaST ;) My facts are 'true' from the perspective of what is generally accepted as the 'supported' mechanism for full-disk-encryption in openSUSE.
You stated that having /boot/grub on encrypted container was not possible. That is what I replied to. Not the ability to install everything else encrypted.
I stated a few things - I stated that /boot/grub on an encrypted container was not possible, yes - and this is true - the default/readily available LVM+Crypt solution created by YaST has a separate, unencrypted /boot. The fact you can do something differently manually is a fair point, but what I said was certainly true from the 'this is what YaST does for you' perspective :) I also stated that boot-to-snapshot is not useful/possible when grub (/boot) is in a different partition than the / root filesystem - this is also true, and because our readily available LVM+crypt option has a separate /boot, this renders boot-to-snapshot with LVM+Crypt both broken and useless.
Installing on encrypted LVM has been possible for quite some time (and a lot of people do it and we even fix bug reports related to it). What is missing is easy to use YaST support to install on a simple encrypted partition without jumping through manual encrypted LVM creation hoops. Given demand, it should really be exposed as a check box on the top level partition proposal.
Encryption + LVM is a 'top level partition proposal' already https://openqa.opensuse.org/tests/103311/modules/partitioning_lvm/steps/2
Good. So we finally have it. Of course, using LVM just adds yet another layer of complication for those people who do not need it.
We've had it since openSUSE 11.2, there is nothing 'finally' about it. It was implemented in 2009 as Feature #305633 https://features.opensuse.org/305633 I've been ticking the tickbox for it in YaST and using it on all of my laptops since at least 11.4
It's Encryption without LVM which we need to be at the same level of availability in order to support the Boot-To-Snapshot feature.
Sorry? And why exactly is Boot-To-Snapshot not possible using encrypted LVM, i.e. what we have today?
Because of the reasons I've already explained - Boot To Snapshot makes no practical sense when /boot is separate from /, and in the case of /boot is separate from an encrypted / held in an LVM group, Grub cannot read any of the snapshots in the encrypted LVM group, and therefore Boot To Snapshot is not just useless, but broken.
Oh, really? Or do you again mean "YaST allows it only in GPT"? Because GRUB2 obviously has no issues doing it on MSDOS.
In order to do btrfs + encryption with a root filesystem, Grub requires the additional space available in a GPT partition table type, in order to install a second stage loader which makes it possible to decrypt the encrypted btrfs filesystem.

I've been told this by SUSE's Senior Architect for SLES, who knows more about this stuff in his little finger than anyone else I know, so if he says that you require GPT in order to do (non-LVM) btrfs with Encryption, then I absolutely trust what he says to be true.
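
The condition argued over in this thread (boot-from-snapshot needs /boot on btrfs, on the same filesystem and subvolume as /) can be read off a mount table. The script below is an added example, not part of the original messages or of any openSUSE tool; the function names, result strings and sample mount lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a mount table for boot-to-snapshot suitability.
# Input is in /proc/self/mountinfo format (see proc(5)); "-" reads stdin.
snapshot_boot_status() {
    awk '
    {
        # 3 = major:minor, 4 = root within the fs (btrfs subvolume path),
        # 5 = mount point; the fstype follows the "-" separator field.
        for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break }
        if ($5 == "/" || $5 == "/boot") { dev[$5] = $3; vol[$5] = $4; fs[$5] = fstype }
    }
    END {
        if (!("/" in dev)) { print "no-root-entry"; exit }
        # No separate mount at /boot means /boot lives inside / itself.
        b = ("/boot" in dev) ? "/boot" : "/"
        if (fs[b] != "btrfs")          print "boot-not-btrfs"
        else if (dev[b] != dev["/"])   print "boot-on-other-filesystem"
        else if (vol[b] != vol["/"])   print "boot-on-other-subvolume"
        else                           print "ok"
    }' "${1:-/proc/self/mountinfo}"
}

# Constructed sample: LVM+crypt btrfs root with a separate ext4 /boot,
# the layout described in the thread.
sample_separate_boot() {
    cat <<'EOF'
60 1 0:40 /@/.snapshots/1/snapshot / rw,relatime shared:1 - btrfs /dev/mapper/system-root rw
75 60 8:1 / /boot rw,relatime shared:30 - ext4 /dev/sda1 rw
EOF
}

# Constructed sample: encrypted btrfs root with /boot inside it.
sample_encrypted_root() {
    cat <<'EOF'
60 1 0:40 /@/.snapshots/1/snapshot / rw,relatime shared:1 - btrfs /dev/mapper/cr_root rw
EOF
}

sample_separate_boot | snapshot_boot_status -
sample_encrypted_root | snapshot_boot_status -
```

Called without an argument, `snapshot_boot_status` reads the live mount table of the running system.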