[opensuse-factory] systemd in initrd and encrypted filesystems
Does openSUSE already use Systemd in Initrd and if not, is this planned?

I think using Systemd in initrd would allow using some interesting Systemd features in the early boot phase. Especially the systemd-cryptsetup(8) functionality would be interesting. Opening an encrypted root filesystem and additional encrypted filesystems with Systemd in Initrd could be better than using the old /lib/mkinitrd/scripts/ scripts. The /lib/mkinitrd/scripts/ scripts have some problems with password input (no splash screen support in openSUSE 13.1; only English keyboard; only support for LVM for encrypted root filesystems etc.).

Björn

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 2014-09-03 21:57, Bjoern Voigt wrote:
> Does openSUSE already use Systemd in Initrd and if not, is this planned?
> I think using Systemd in initrd would allow using some interesting Systemd features in the early boot phase. Especially the systemd-cryptsetup(8) functionality would be interesting. Opening an encrypted root filesystem and additional encrypted filesystems with Systemd in Initrd could be better than using the old /lib/mkinitrd/scripts/ scripts.

Opening root and others, with a single password entry, perhaps? That would be nice. Currently with YaST you have to do it with an LVM container. Doing it with plain encrypted partitions is not supported in openSUSE (others do it, AFAIK).

> The /lib/mkinitrd/scripts/ scripts have some problems with password input (no splash screen support in openSUSE 13.1; only English keyboard;

Indeed, the keyboard thing is a sore issue.

> only support for LVM for encrypted root filesystems etc.).

Ah, exactly. But that is an openSUSE limitation, I believe.

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. wrote:
> Opening root and others, with a single password entry, perhaps? That would be nice. Currently with YaST you have to do it with an LVM container. Doing it with plain encrypted partitions is not supported in openSUSE (others do it, AFAIK).

I think it is, or it was until OS 13.1, a limitation of the installer. I already tried to create an encrypted root filesystem without LVM manually. This worked, but it had too many limitations, e.g. no installation or system upgrade with DVD. It would be nice to have this feature in Factory. LVM is OK, but I think it's a bit too much for simple installations on laptops. I think the password problem is not a big one, if all filesystems and SWAP use the same password input.

Cristian Rodríguez wrote:
> Yes, dracut is driven by systemd in the initrd..
> Did you try Factory and see if it already works? Could you file bug reports if you do not get the documented behaviour?

Ok, I should try Factory.

Björn
On 2014-09-04 01:37, Bjoern Voigt wrote:
> Carlos E. R. wrote:
>> Opening root and others, with a single password entry, perhaps? That would be nice. Currently with YaST you have to do it with an LVM container. Doing it with plain encrypted partitions is not supported in openSUSE (others do it, AFAIK).
>
> I think it is, or it was until OS 13.1, a limitation of the installer. I already tried to create an encrypted root filesystem without LVM manually. This worked, but it had too many limitations, e.g. no installation or system upgrade with DVD. It would be nice to have this feature in Factory. LVM is OK, but I think it's a bit too much for simple installations on laptops. I think the password problem is not a big one, if all filesystems and SWAP use the same password input.

The password problem has a trick that obviates the need for "something" to capture the password and reuse it for other partitions.

For instance, say you have two partitions, root and home. You add a second password for home, that is entered via a file, which is stored on the root partition (the file is actually a small random blob, so impossible to remember). In crypttab, the home partition is configured to activate via that password file, not by a manually entered password.

So when root is mounted by entering the password, the file is instantly available and home is also mounted, automatically, by systemd.

I use this for mounting several data partitions in one go. I have not tried it with the root partition, because as you say, the problem is installation and upgrade.

> Cristian Rodríguez wrote:
>> Yes, dracut is driven by systemd in the initrd..
>> Did you try Factory and see if it already works? Could you file bug reports if you do not get the documented behaviour?
>
> Ok, I should try Factory.

I can't, yet. But I'm interested :-)

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Wed, Sep 3, 2014 at 8:04 PM, Carlos E. R. <carlos.e.r@opensuse.org> wrote:
> On 2014-09-04 01:37, Bjoern Voigt wrote:
>> Carlos E. R. wrote:
>>> Opening root and others, with a single password entry, perhaps? That would be nice. Currently with YaST you have to do it with an LVM container. Doing it with plain encrypted partitions is not supported in openSUSE (others do it, AFAIK).
>>
>> I think it is, or it was until OS 13.1, a limitation of the installer. I already tried to create an encrypted root filesystem without LVM manually. This worked, but it had too many limitations, e.g. no installation or system upgrade with DVD. It would be nice to have this feature in Factory. LVM is OK, but I think it's a bit too much for simple installations on laptops. I think the password problem is not a big one, if all filesystems and SWAP use the same password input.
>
> The password problem has a trick that obviates the need for "something" to capture the password and reuse it for other partitions.
>
> For instance, say you have two partitions, root and home. You add a second password for home, that is entered via a file, which is stored on the root partition (the file is actually a small random blob, so impossible to remember). In crypttab, the home partition is configured to activate via that password file, not by a manually entered password.

For your home directory, if you're using ecryptfs encrypted home (I realize it's not the SUSE default, but it's so much more flexible than the current mechanism, which I won't get into here), there's no need for adding a password/phrase in crypttab since it leverages the user's login credentials. Also your homedir is only mounted when you're logged in; otherwise it's unmounted and the file/dir names scrambled: ECRYPTFS_FNEK_ENCRYPTED.FWbHk4v2bLqdSESOXJQHdSCncyfrwWsUBmCb5OYX6o54WepiuYHv0EtrQ---

> So when root is mounted by entering the password, the file is instantly available and home is also mounted, automatically, by systemd.
>
> I use this for mounting several data partitions in one go. I have not tried it with the root partition, because as you say, the problem is installation and upgrade.
>
>> Cristian Rodríguez wrote:
>>> Yes, dracut is driven by systemd in the initrd..
>>> Did you try Factory and see if it already works? Could you file bug reports if you do not get the documented behaviour?
>>
>> Ok, I should try Factory.
>
> I can't, yet. But I'm interested :-)
>
> --
> Cheers / Saludos,
> Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Thu, 4 Sep 2014 08:51:02 -0400 Darin Perusich <darin@darins.net> wrote:
> For your home directory, if you're using ecryptfs encrypted home, I realize it's not the SUSE default but it's so much more flexible than

I agree that "ecryptfs" seems to be a better solution than the loop mounted LUKS container.

On the question of randomly encrypted swap, do note that this breaks hibernation.

> Also your homedir is only mounted when you're logged in, otherwise it's unmounted ...

Have you checked that recently?

In my experience, the directory remains mounted after logout (and I think that also applies to a loop mounted LUKS container). This started with openSUSE 13.1, and it continues in Factory. It is due to a "brilliant" decision by the "systemd" developers, who refuse to own responsibility for the problem. (This refusal to own responsibility is what sours me on "systemd".)
On 2014-09-04 16:06, Neil Rickert wrote:
> On Thu, 4 Sep 2014 08:51:02 -0400 Darin Perusich <> wrote:
>> For your home directory, if you're using ecryptfs encrypted home, I realize it's not the SUSE default but it's so much more flexible than
>
> I agree that "ecryptfs" seems to be a better solution than the loop mounted LUKS container.

I use an entire encrypted partition instead. For a single user machine, there is no need to use a loop (and in most cases, even if the computer is shared, you want to protect against thieves, not partners). Of course, it mounts either at boot, or manually, not on login.

> On the question of randomly encrypted swap, do note that this breaks hibernation.

Ah, yes, I forgot about that. And hibernation is precisely the main reason for swap nowadays, encrypted or not...

>> Also your homedir is only mounted when you're logged in, otherwise it's unmounted ...
>
> Have you checked that recently?
>
> In my experience, the directory remains mounted after logout (and I think that also applies to a loop mounted LUKS container). This started with openSUSE 13.1, and it continues in Factory.

I had forgotten that one... :-(

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Thu, Sep 4, 2014 at 10:06 AM, Neil Rickert <nrickert@ameritech.net> wrote:
> On Thu, 4 Sep 2014 08:51:02 -0400 Darin Perusich <darin@darins.net> wrote:
>> For your home directory, if you're using ecryptfs encrypted home, I realize it's not the SUSE default but it's so much more flexible than
>
> I agree that "ecryptfs" seems to be a better solution than the loop mounted LUKS container.
>
> On the question of randomly encrypted swap, do note that this breaks hibernation.
>
>> Also your homedir is only mounted when you're logged in, otherwise it's unmounted ...
>
> Have you checked that recently?

I haven't checked, until now, and see you're correct that it's not unmounting on logoff.

> In my experience, the directory remains mounted after logout (and I think that also applies to a loop mounted LUKS container). This started with openSUSE 13.1, and it continues in Factory. It is due to a "brilliant" decision by the "systemd" developers, who refuse to own responsibility for the problem. (This refusal to own responsibility is what sours me on "systemd".)

I see your bug, https://bugs.freedesktop.org/show_bug.cgi?id=72759, and wonder if it has anything to do with the ordering of pam_ecryptfs and pam_systemd in common-session. I'll have to play around with that and report back.
On Wed, Sep 3, 2014 at 7:37 PM, Bjoern Voigt <bjoernv@arcor.de> wrote:
> Carlos E. R. wrote:
>> Opening root and others, with a single password entry, perhaps? That would be nice. Currently with YaST you have to do it with an LVM container. Doing it with plain encrypted partitions is not supported in openSUSE (others do it, AFAIK).
>
> I think it is, or it was until OS 13.1, a limitation of the installer. I already tried to create an encrypted root filesystem without LVM manually. This worked, but it had too many limitations, e.g. no installation or system upgrade with DVD. It would be nice to have this feature in Factory. LVM is OK, but I think it's a bit too much for simple installations on laptops. I think the password problem is not a big one, if all filesystems and SWAP use the same password input.

Why would you care if SWAP has a password associated with it? It's not necessary, and if you look at the crypttab(5) man page, it states that using /dev/urandom is sufficient for swap's password file. If swap currently isn't encrypted, it's trivially easy to set up by installing ecryptfs-utils, running ecryptfs-setup-swap, and rebooting the machine.

/etc/fstab (before and after running ecryptfs-setup-swap):

  #/dev/system/swap        swap  swap  defaults  0 0
  /dev/mapper/cryptswap1   none  swap  sw        0 0

/etc/crypttab:

  cryptswap1 /dev/dm-2 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
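As an added example (my own code, not from this thread or from openSUSE), the following Python audits a constructed crypttab/fstab pair for the two configurations discussed above: Carlos's key-file-on-root trick for /home and Darin's /dev/urandom-keyed swap. The device names, file paths and the device-mapper naming heuristic for "is this mount encrypted" are assumptions.

```python
"""Audit crypttab(5)/fstab(5) entries for the set-ups in this thread: a passphrase-
unlocked container, a /home unlocked by a key file kept on root, and a swap keyed
from /dev/urandom. Constructed example; device names and paths are hypothetical."""

SAMPLE_CRYPTTAB = """\
cr_system   /dev/sda2  none             luks
home        /dev/sda3  /root/.home.key  luks
cryptswap1  /dev/dm-2  /dev/urandom     swap,cipher=aes-cbc-essiv:sha256
"""
SAMPLE_FSTAB = """\
/dev/mapper/cr_system-root  /      ext4  defaults  0 1
/dev/mapper/home            /home  ext4  defaults  0 2
/dev/mapper/cryptswap1      none   swap  sw        0 0
"""

def parse_crypttab(text):
    """One dict per entry: name, device, key (default 'none'), options (set)."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 2 or f[0].startswith("#"):
            continue
        entries.append({"name": f[0], "device": f[1],
                        "key": f[2] if len(f) > 2 else "none",
                        "options": set(f[3].split(",")) if len(f) > 3 else set()})
    return entries

def parse_fstab(text):
    """{mountpoint: device} for every non-comment line."""
    rows = (line.split() for line in text.splitlines())
    return {f[1]: f[0] for f in rows if len(f) >= 2 and not f[0].startswith("#")}

def mountpoint_of(path, mounts):
    """Longest mountpoint that contains path; '/' when nothing else matches."""
    hits = [mp for mp in mounts if mp != "none" and path.startswith(mp.rstrip("/") + "/")]
    return max(hits, key=len, default="/")

def is_encrypted_device(dev, crypt_names):
    """Heuristic: a device-mapper name that is itself a crypttab mapping, or an LVM
    volume inside one (dm name 'container-lv'; VG names containing '-' not handled)."""
    if not dev.startswith("/dev/mapper/"):
        return False
    dm = dev[len("/dev/mapper/"):]
    return dm in crypt_names or dm.split("-", 1)[0] in crypt_names

def audit(crypttab_text, fstab_text):
    """Return {mapping name: (level, message)}, level being ok, info or risk."""
    entries = parse_crypttab(crypttab_text)
    mounts = parse_fstab(fstab_text)
    names = {e["name"] for e in entries}
    report = {}
    for e in entries:
        name, key = e["name"], e["key"]
        if key == "none":
            report[name] = ("info", "passphrase is prompted for at boot")
        elif key == "/dev/urandom":
            # fresh random key every boot: nothing survives a reboot, so hibernation resume cannot work
            if "swap" in e["options"]:
                report[name] = ("info", "random swap key; hibernation resume will not work")
            else:
                report[name] = ("risk", "random key without 'swap' option: contents lost every boot")
        else:
            # the key file only protects /home if it itself lives on an encrypted filesystem
            mp = mountpoint_of(key, mounts)
            dev = mounts.get(mp, "")
            if is_encrypted_device(dev, names):
                report[name] = ("ok", f"key file {key} is on encrypted {mp} ({dev})")
            else:
                report[name] = ("risk", f"key file {key} is on {mp} ({dev or 'unknown'}), not an encrypted mapping")
    return report
```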
On 2014-09-04 14:36, Darin Perusich wrote:
> On Wed, Sep 3, 2014 at 7:37 PM, Bjoern Voigt <bjoernv@arcor.de> wrote:
>> Carlos E. R. wrote:
>>> Opening root and others, with a single password entry, perhaps? That would be nice. Currently with YaST you have to do it with an LVM container. Doing it with plain encrypted partitions is not supported in openSUSE (others do it, AFAIK).
>>
>> I think it is, or it was until OS 13.1, a limitation of the installer. I already tried to create an encrypted root filesystem without LVM manually. This worked, but it had too many limitations, e.g. no installation or system upgrade with DVD. It would be nice to have this feature in Factory. LVM is OK, but I think it's a bit too much for simple installations on laptops. I think the password problem is not a big one, if all filesystems and SWAP use the same password input.
>
> Why would you care if SWAP has a password associated with it? It's not necessary, and if you look at the crypttab(5) man page, it states that using /dev/urandom is sufficient for swap's password file.

Yes, it can be done, but openSUSE only supports the single LVM container thing with everything inside, including swap.

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Darin Perusich wrote:
> Why would you care if SWAP has a password associated with it? It's not necessary, and if you look at the crypttab(5) man page, it states that using /dev/urandom is sufficient for swap's password file. If swap currently isn't encrypted, it's trivially easy to set up by installing ecryptfs-utils, running ecryptfs-setup-swap, and rebooting the machine.
>
> /etc/fstab (before and after running ecryptfs-setup-swap):
>
>   #/dev/system/swap        swap  swap  defaults  0 0
>   /dev/mapper/cryptswap1   none  swap  sw        0 0
>
> /etc/crypttab:
>
>   cryptswap1 /dev/dm-2 /dev/urandom swap,cipher=aes-cbc-essiv:sha256

Personally I want to use hibernation and I want it to be encrypted.

Björn
Bjoern Voigt wrote:
> Cristian Rodríguez wrote:
>> Yes, dracut is driven by systemd in the initrd..
>> Did you try Factory and see if it already works? Could you file bug reports if you do not get the documented behaviour?
>
> Ok, I should try Factory.

I tested Factory with root filesystem encryption and two empty virtual hard drives. These are my experiences:

Positive:
* setup works
* password dialog in Initrd is graphical again and supports the keyboard layout from setup (German in my case)

Negative:
* root filesystem encryption still depends on LVM (YaST refuses the encryption option for "/")
* no automatic partitioning on empty hard disks with encrypted root filesystem and GPT; manual LVM partitioning is still a bit difficult
* missing /boot and /boot/efi filesystems were not reported during partitioning (GPT partitions); the problem was detected too late by YaST (during grub2 setup at the end of installation)
* encryption options can not be modified in YaST during installation

I will check if some of the negative points are already reported as bugs or feature requests.

Björn
On 03/09/14 at #4, Bjoern Voigt wrote:
> Does openSUSE already use Systemd in Initrd

Yes, dracut is driven by systemd in the initrd..

> I think using Systemd in initrd would allow using some interesting Systemd features in the early boot phase. Especially the systemd-cryptsetup(8) functionality would be interesting. Opening an encrypted root filesystem and additional encrypted filesystems with Systemd in Initrd could be better than using the old /lib/mkinitrd/scripts/ scripts. The /lib/mkinitrd/scripts/ scripts have some problems with password input (no splash screen support in openSUSE 13.1; only English keyboard; only support for LVM for encrypted root filesystems etc.).

Did you try Factory and see if it already works? Could you file bug reports if you do not get the documented behaviour?

--
Cristian

"I don't know the key to success, but the key to failure is trying to please everybody."
Cristian Rodríguez wrote:
> On 03/09/14 at #4, Bjoern Voigt wrote:
>> Does openSUSE already use Systemd in Initrd
>
> Yes, dracut is driven by systemd in the initrd..
>
>> I think using Systemd in initrd would allow using some interesting Systemd features in the early boot phase. Especially the systemd-cryptsetup(8) functionality would be interesting. Opening an encrypted root filesystem and additional encrypted filesystems with Systemd in Initrd could be better than using the old /lib/mkinitrd/scripts/ scripts. The /lib/mkinitrd/scripts/ scripts have some problems with password input (no splash screen support in openSUSE 13.1; only English keyboard; only support for LVM for encrypted root filesystems etc.).
>
> Did you try Factory and see if it already works? Could you file bug reports if you do not get the documented behaviour?

I am currently trying openSUSE Factory. Encryption with LUKS, Dracut and Systemd works. But unfortunately encryption of the root filesystem is still dependent on LVM. The YaST installer forbids the encryption of the root filesystem directly without LVM.

I also think that encryption of the root filesystem is still a bit complicated in the YaST partitioner.

Björn
On 05/09/14 at #4, Bjoern Voigt wrote:
> The YaST installer forbids the encryption of the root filesystem directly without LVM.

Ok, there must be a reason for that.. but I do not know.. I only know that's the reason I do not use it :-)

--
Cristian

"I don't know the key to success, but the key to failure is trying to please everybody."
On 2014-09-05 17:54, Cristian Rodríguez wrote:
> On 05/09/14 at #4, Bjoern Voigt wrote:
>> The YaST installer forbids the encryption of the root filesystem directly without LVM.
>
> Ok, there must be a reason for that.. but I do not know.. I only know that's the reason I do not use it :-)

Yes, that it has to be with LVM is also the reason I do not use it. Yes, the main hurdle has always been YaST, not initrd/grub. You just need a non-encrypted boot partition, for the kernel and ramdisk, and some modules loaded on boot. And of course, something to ask for the password, but that one already exists.

Previously YaST did not set up any type of root encryption at all. When the feature was requested and implemented, it was thought that it was easier to set up a single LVM container with everything inside, except /boot, so that there is only one partition to ask for the password.

The previous method was manual, without YaST, and you can still use it - but then, YaST does not install it, nor upgrade, so it is a problem. The method to set it up is, basically, install on a normal partition, then move it...

So, even if dracut or systemd make things easier, we can not use it, at least AFAIK.

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Friday 2014-09-05 18:07, Carlos E. R. wrote:
> Previously YaST did not set up any type of root encryption at all. When the feature was requested and implemented, it was thought that it was easier to set up a single LVM container with everything inside, except /boot, so that there is only one partition to ask for the password.
>
> The previous method was manual, without YaST, and you can still use it - but then, YaST does not install it, nor upgrade, so it is a problem. The method to set it up is, basically, install on a normal partition, then move it...

You can make YaST install to an arbitrary device (just mount it at /mnt when you have the chance to switch to tty2). The partitioner UI will cooperate even if no device has been assigned to the "/" mountpoint, though you need to fix that up before reboot by manually editing fstab, crypttab and mkinitrd. Just make sure the partitioner does not attempt to modify the disklabel again after you did.
participants (7)
- Bjoern Voigt
- Carlos E. R.
- Carlos E. R.
- Cristian Rodríguez
- Darin Perusich
- Jan Engelhardt
- Neil Rickert