Lukas Kucharczyk
Is embedding the keyfile in initrd not an option for full-disk encryption to avoid entering the password twice?
It is, but the default installer doesn't support this, at least as far as I know. I have heard that Calamares does (https://calamares.io/), but have never verified whether that is true or if it actually works (skimming their docs looks promising though).
I also remember reading that LUKS2 in GRUB [1] should help with the double password entry, too, but maybe I remember incorrectly, because I cannot find the information now.
[1] https://git.savannah.gnu.org/cgit/grub.git/commit/?id=365e0cc3e7e44151c14dd2...
Best regards
Lukas Kucharczyk
________________________________________
From: Axel Braun
Sent: Wednesday, March 18, 2020 10:00 AM
To: opensuse-factory@opensuse.org
Subject: Re: [opensuse-factory] Will openSUSE adopt systemd-homed?

On Wednesday, 18 March 2020, 09:31:01 CET, Ludwig Nussel wrote:
On 17.03.20 at 20:57, Axel Braun wrote:
[...] I never got why to encrypt just disk when there is a bunch of data leaking via /tmp.
https://bugzilla.opensuse.org/show_bug.cgi?id=1166005 is a good reason to just encrypt /home
You can put /boot back on a separate partition. That way you still have everything except kernel and initrd encrypted so accidental data leak via tmp or swap is still prevented. There was a decision in an unfortunately private SLE feature request some years ago (https://fate.suse.com/320215) to ignore the inconveniences of /boot on / in favor of working snapshots unfortunately.
As Neil Rickert pointed out in between in the above bug report, /boot on a separate (unencrypted) partition is not recommended together with btrfs. So looks like one can have an encrypted root partition AND btrfs AND 20s get-the-coffee time on each boot, or separate /boot, encrypted root w/o btrfs (and rollback) and a quick boot time. Considering the fact that booting happens only every couple of days, this might still be acceptable.
Cheers Axel
-- Dan Čermák
Software Engineer Development tools SUSE Software Solutions Germany GmbH Maxfeldstr. 5 90409 Nuremberg Germany
(HRB 36809, AG Nürnberg) Managing Director: Felix Imendörffer