06.12.2015 15:47, Richard Brown пишет:
On 6 December 2015 at 07:23, Andrei Borzenkov <arvidjaar@gmail.com> wrote:
06.12.2015 01:49, Richard Brown пишет:
On 5 December 2015 at 19:50, Bruno Friedmann <bruno@ioda-net.ch> wrote:
On Thursday 26 November 2015 20.49:32 Andrei Borzenkov wrote:
26.11.2015 20:38, Robby Engelmann пишет:
sorry, I overlooked that...
boot is on ext4. root, home and swap is a lukscrypt lvm setup with root btrfs and home xfs.
Boot from snapshot is offered only if /boot is on btrfs (actually check is probably wrong, it should check that /boot is on the same filesystem and subvolume as /, but that is another matter).
Then this is a huge limitation on what we offer. TW is advertised with the rollback feature, as a recover measure.
In the new world of sensitive information and privacy, this is a really a problem. People that need to have / encrypted for whatever reason (they are all valid: list of package, database content etc) are just left on the side.
What kind of effort we can do to have grub2 asking luks keypass when starting ? and then being able to decrypt the snapshots ...
LUKS support was added to GRUB2 more than 4 years ago.
Can't be done
Please get your facts right.
My facts are correct, but were not necessarily totally complete ;)
It's been pointed out to me that in fact you can, in the advanced partitioner only, set a btrfs root filesystem to encrypted and Grub2 will be able to boot it.
Really? That's news to me. Last time I looked into it it was not possible to tell YaST to create filesystem on encrypted partition. I need to download latest snapshot again. It's good if it has been fixed.
I did not know that..probably because it isn't clearly documented anywhere and the LVM+Crypt method is the one we DO have documented, is obvious in YaST, and is what we recommend and test for everyone because it's documented and obvious in YaST ;) My facts are 'true' from the perspective of what is generally accepted as the 'supported' mechanism for full-disk-encryption in openSUSE.
You stated that having /boot/grub on encrypted container was not possible. That is what I replied to. Not the ability to install everything else encrypted.
Installing on encrypted LVM has been possible for quite some time (and a lot of people do it and we even fix bug reports related to it). What is missing is easy to use YaST support to install on simple encrypted partition without jumping through manual encrypted LVM creation hoops. Given demand, it should really be exposed as check box on top level partition proposal.
Encryption + LVM is a 'top level partition proposal' already https://openqa.opensuse.org/tests/103311/modules/partitioning_lvm/steps/2
Good. So we finally have it. Of course, using LVM just adds yet another layer of complication for those people who do not need it.
It's Encryption without LVM which we need to be at the same level of availability in order to support the Boot-To-Snapshot feature.
Sorry? And why exactly is Boot-To-Snapshot is not possible using encrypted LVM, i.e. what we have today?
This is easier said than done - I can imagine the screams of yast-storage developers the second they read that people are suggesting changes to the storage proposal algorithms :) and there are actually a number of dependencies that prevent it from being as simple as you make out here
Where have I said it is simple to implement?
For starters, grub can only boot an encrypted btrfs root if the disk has a GPT disk label, not MSDOS
Oh, really? Or do you again mean "YaST allows it only in GPT"? Because GRUB2 obviously has no issues doing it on MSDOS.
YaST's simple partitioner does not change with the disk label type by default, so whatever implementation would have to probe the disk more aggressively than currently, possibly change the disk more aggressively than currently, possibly offer the user more options than currently..all the while trying to be nice and 'simple' for people to use
Meanwhile, it's simpler to say 'YaST doesn't really do that' but at least I can now add "but you can do it manually in the advanced partitioner if you know what you're doing" :)
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org