Hello, On Sunday, 28 November 2021, 13:05:25 CET, Fabian Vogt wrote:
See https://en.opensuse.org/SDB:Encrypted_root_file_system#Avoiding_to_type_the_passphrase_twice to avoid the second entry. The first is still done with the wrong keyboard layout though.
OK, I fixed it:
# cryptsetup luksAddKey /dev/sda1
and added the password with the EN replacements ;-) With your description (I used the German one ;-) ) https://de.opensuse.org/SDB:Verschlüsseltes_root_file_system it was really easy to add a key for each of my 3 encrypted partitions (root, swap and home).
You can upgrade with fairly low risk (cryptsetup luksConvert works both ways), but the approach in the wiki article requires that the /boot partition is not encrypted, which is likely to require bigger changes on your system.
OK, read it now :-( The shift of /boot to a dedicated filesystem was not a big deal.
It should also be noted that the /boot contents are not verified during boot (just the kernel through secure boot, if enabled), so it doesn't really provide any protection against physical access.
But this is not acceptable at all.
Question: is there any easy way to check whether the TPM2 is properly detected under Linux? I searched for it, but found nothing so far.
cat /sys/class/tpm/tpm0/tpm_version_major should print "2".
OK, that is correct (showing 2). But this doesn't help due to the security restriction :-( But it would be great if the automatic installation would implement it automatically (and also translate the keyboard key issues like z <-> y). The only missing feature is now the possibility to use an available security solution (TPM 2.0, included chip-card reader, Nitrokey 3A/3C NFC or similar).

Many thanks :-)
Ulf

PS: Written from Fujitsu LifeBook U939X and openSUSE Tumbleweed https://lug-vs.org/lugvswiki/index.php?title=Hardware-Steckbriefe#Fujitsu_Li.... 28von_Ulf.29