| Bug ID | 1137056 |
|---|---|
| Summary | Automatically add a custom generated key to initrd when installing to LVM/LUKS |
| Classification | openSUSE |
| Product | openSUSE Distribution |
| Version | Leap 15.1 |
| Hardware | x86-64 |
| OS | Other |
| Status | NEW |
| Severity | Enhancement |
| Priority | P5 - None |
| Component | Installation |
| Assignee | yast2-maintainers@suse.de |
| Reporter | alexander.shchadilov@gmail.com |
| QA Contact | jsrain@suse.com |
| Found By | --- |
| Blocker | --- |
If an encrypted system partition is configured during installation openSUSE puts /boot inside of it. While this scheme has certain advantages from the security side of things, it also brings an inconvenience of entering LUKS password twice. This inconvenience can be circumvented through adding a custom key that is used by system to access encrypted partitions; thus GRUB becomes the only software that asks for password. openSUSE wiki: https://en.opensuse.org/SDB:Encrypted_root_file_system http://web.archive.org/web/20190601195245/https://en.opensuse.org/SDB:Encrypted_root_file_system Arch wiki: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_(GRUB) http://web.archive.org/web/20190522050457/https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system So it is a feature request for an automated procedure during OS install. There are no security drawbacks AFAIK.