
On 6 December 2015 at 07:23, Andrei Borzenkov <arvidjaar@gmail.com> wrote:
06.12.2015 01:49, Richard Brown wrote:
On 5 December 2015 at 19:50, Bruno Friedmann <bruno@ioda-net.ch> wrote:
On Thursday 26 November 2015 20.49:32 Andrei Borzenkov wrote:
26.11.2015 20:38, Robby Engelmann wrote:
sorry, I overlooked that...
boot is on ext4. root, home and swap is a lukscrypt lvm setup with root btrfs and home xfs.
Boot from snapshot is offered only if /boot is on btrfs (actually check is probably wrong, it should check that /boot is on the same filesystem and subvolume as /, but that is another matter).
Then this is a huge limitation on what we offer. TW is advertised with the rollback feature, as a recover measure.
In the new world of sensitive information and privacy, this is really a problem. People that need to have / encrypted for whatever reason (they are all valid: list of packages, database content etc) are just left on the side.
What kind of effort can we do to have grub2 asking luks keypass when starting? And then being able to decrypt the snapshots ...
LUKS support was added to GRUB2 more than 4 years ago.
Can't be done
Please get your facts right.
My facts are correct, but were not necessarily totally complete ;)

It's been pointed out to me that in fact you can, in the advanced partitioner only, set a btrfs root filesystem to encrypted and Grub2 will be able to boot it. I did not know that... probably because it isn't clearly documented anywhere and the LVM+Crypt method is the one we DO have documented, is obvious in YaST, and is what we recommend and test for everyone because it's documented and obvious in YaST ;)

My facts are 'true' from the perspective of what is generally accepted as the 'supported' mechanism for full-disk-encryption in openSUSE.
Installing on encrypted LVM has been possible for quite some time (and a lot of people do it and we even fix bug reports related to it). What is missing is easy to use YaST support to install on simple encrypted partition without jumping through manual encrypted LVM creation hoops. Given demand, it should really be exposed as check box on top level partition proposal.
Encryption + LVM is a 'top level partition proposal' already
https://openqa.opensuse.org/tests/103311/modules/partitioning_lvm/steps/2

It's Encryption without LVM which we need to be at the same level of availability in order to support the Boot-To-Snapshot feature.

This is easier said than done - I can imagine the screams of yast-storage developers the second they read that people are suggesting changes to the storage proposal algorithms :) and there are actually a number of dependencies that prevent it from being as simple as you make out here.

For starters, grub can only boot an encrypted btrfs root if the disk has a GPT disk label, not MSDOS.

YaST's simple partitioner does not change with the disk label type by default, so whatever implementation would have to probe the disk more aggressively than currently, possibly change the disk more aggressively than currently, possibly offer the user more options than currently... all the while trying to be nice and 'simple' for people to use.

Meanwhile, it's simpler to say 'YaST doesn't really do that' but at least I can now add "but you can do it manually in the advanced partitioner if you know what you're doing" :)