On 5 December 2015 at 19:50, Bruno Friedmann <bruno@ioda-net.ch> wrote:
On Thursday 26 November 2015 20.49:32 Andrei Borzenkov wrote:
26.11.2015 20:38, Robby Engelmann wrote:
sorry, I overlooked that...
boot is on ext4. root, home and swap are a lukscrypt lvm setup with root btrfs and home xfs.
Boot from snapshot is offered only if /boot is on btrfs (actually the check is probably wrong, it should check that /boot is on the same filesystem and subvolume as /, but that is another matter).
Then this is a huge limitation on what we offer. TW is advertised with the rollback feature, as a recovery measure.
In the new world of sensitive information and privacy, this is really a problem. People that need to have / encrypted for whatever reason (they are all valid: list of packages, database content etc.) are just left on the side.
What kind of effort can we make to have grub2 ask for the luks keypass when starting, and then be able to decrypt the snapshots?
Can't be done.

In order for Boot to Snapshot to work, Grub needs to be able to read /.snapshots on the root filesystem - this is where the snapshots are stored, after all.

Grub can't do that if / is encrypted - the only way that would be theoretically possible is if you instructed Grub to decrypt root BEFORE showing you the boot menu (this is an option I've seen done in the past).

But in order for that to work, Grub needs to be in its own partition outside of the / root filesystem, and as soon as you do that, you are NOT going to get the full benefit of snapshot/rollback - /boot isn't on your root filesystem, you won't be able to roll back any bootloader/initrd related problems - which is precisely the sort of thing that boot to snapshot is *NEEDED* for (otherwise you could just boot normally and snapper rollback normally).

So, yes, this is a chicken and egg problem - if you come up with a way of Grub decrypting itself and the snapshots so it can show you snapshots, that would be awesome, but I do not think that's feasible.

Encryption, sadly, comes at costs. Performance is one, the removal of the boot to snapshot feature is another.