Chris Murphy wrote:
> On Thu, Mar 26, 2015 at 3:52 PM, Bjoern Voigt wrote:
>>>> Without an LVM volume group I cannot use "/" as a mount point for LVM logical volumes.
>>> I'm not sure what this means.
>> If you select LUKS encryption and formatting (EXT 4 ...) for a filesystem in YaST, it refuses mountpoints like / and /root with an error message.
>>
>> (In theory it's possible to use LUKS encryption for "/" and "/home" etc. filesystems separately. Some argue that this causes multiple password inputs. But this is not true, because some scripts can handle this with only one password input, if the password fits for all filesystems. But YaST refuses such setups. It's not clear if a user can set up such a system manually. Probably he will see problems with Systemd, Dracut etc. and with YaST distribution upgrades.)
> I guess I understand no / encryption if a separate non-encrypted /boot isn't created. It's atypical for distros to support setting up GRUB to support LUKS unlock to load kernel and initramfs. But I don't think it's reasonable to make you use LVM just to get (mostly) full disk encryption, it should just encrypt each partition and use the same passphrase.
> Bug/feature request.

Yes, /boot must be unencrypted. But unfortunately in openSUSE "/" can't be encrypted without LVM even if there is a separate /boot partition. I already discussed this issue with developers here some time ago. It's probably something which should be done sometime. But I also don't know a distribution which can handle full-disk encryption without LVM.

I don't know an existing feature request for this. But I wrote a feature request for the other issue. Please support this or write comments:

Add support for unlocking LUKS root volumes during boot process via SSH
https://features.opensuse.org/318809

>>>> Encryption for the RAID 5 device /dev/md0 works. But this kind of setup may cause problems if I want to extend the LVM volume group later with additional RAID devices.)
>>> Anything with layers increases the chances of some problem happening, including user error.
>>>
>>> You're proposing this:
>>> drive > md > luks > pv/vg > lv > fs
>>> growing means growing md, growing luks, extending PV, extending VG, resizing LV, resizing FS.
>>>
>>> or this:
>>> drive > luks > md > pv/vg > lv > fs
>>> growing means creating a new LUKS device, growing md, extending PV, extending VG, resizing LV, resizing FS.
>> I know the first one. This is the setup I want to use. And if LUKS encryption of LVM PVs is right, I already managed it correctly.
>>
>> But I do not know the second setup. Is it possible with YaST? (I do not see an option to encrypt the whole drive. Wouldn't this cause problems with GPT partitioning / dual boot and with Grub2 booting?)
> Sorry. Insert "partition" between drive > luks. And I haven't actually tested it in yast, but it's a valid layout to separately encrypt a partition on each drive, and then each resulting identically sized dmcrypt device is made an md member device, then the md array is made a PV, and so on.

Now I have done this slightly differently. I configured Host-Raid/Fake-RAID on one server. I can manage the RAID with "dmraid" and the BIOS. openSUSE 13.2 handled this without problems during installation. On top of the Fake-RAID I partitioned the RAID device like a single hard disk.

>> Thanks for the ZFS and Btrfs tips. Btrfs would be an option. I am not sure about the stability and maintainability of Btrfs in openSUSE 13.2. I think I will wait until the next openSUSE release with this.
> It's a reasonable precaution, the 13.2 kernel is still on 3.16.x so I'd hold off on Btrfs raid5 until it gets a bit more testing. In any case, backups!

You are right.

Greetings,
Björn
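
The two grow sequences described in the quoted text above, written out as a dry-run command plan. This is an added example, not part of the original thread: the new member partition, the mapping names, the volume group and the ext4 filesystem are assumptions, and the script only prints the commands in order without running them.

```shell
#!/bin/sh
# Dry run: prints the grow steps for both layouts; nothing is executed.
# All names below are hypothetical placeholders, except /dev/md0,
# which is the array named in the thread.
MD=/dev/md0          # RAID 5 array
NEW=/dev/sdd1        # partition on the added drive (assumed)
NDEV=4               # member count after adding one drive (assumed)
LV=/dev/vg0/data     # logical volume holding ext4 (assumed)

# Steps shared by both layouts once the PV's backing device has grown.
lvm_fs_steps() {     # $1 = device that carries the LVM PV
    echo "pvresize $1"                  # PV grows, VG gains free extents
    echo "lvextend -l +100%FREE $LV"    # resize LV
    echo "resize2fs $LV"                # resize the ext4 filesystem
}

md_steps() {         # $1 = new member device
    echo "mdadm --add $MD $1"
    echo "mdadm --grow $MD --raid-devices=$NDEV"
    echo "mdadm --wait $MD"             # let the reshape finish first
}

grow_plan() {
    case "$1" in
    md-luks)   # partition > md > luks > pv/vg > lv > fs
        md_steps "$NEW"
        echo "cryptsetup resize cr_md0" # single LUKS mapping on top of md
        lvm_fs_steps /dev/mapper/cr_md0 ;;
    luks-md)   # partition > luks > md > pv/vg > lv > fs
        echo "cryptsetup luksFormat $NEW"   # new LUKS device per member
        echo "cryptsetup open $NEW cr_sdd1"
        md_steps /dev/mapper/cr_sdd1
        lvm_fs_steps "$MD" ;;
    *)  echo "usage: grow_plan md-luks|luks-md" >&2; return 1 ;;
    esac
}

grow_plan md-luks
echo
grow_plan luks-md
```

In the second layout every member carries its own LUKS header, so each added drive means one more device to unlock at boot.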