On Wed, Apr 28, 2021 at 05:27:00PM +0200, Petr Tesařík wrote:
On 15. 04. 21 at 14:16, Petr Vorel wrote:
On 14.04.2021 21:05, Petr Vorel wrote:
On 2021/04/13 22:24, Oliver Neukum wrote:
I have worse cases for you. / can be on LVM. The assumption that a block cannot move without FS action is just not right.
Hey, many tell folks that boot should be a normal disk. Encrypted and raids...tend to be less well supported.

Yes, things like "full disk encryption" (LVM on LUKS on whole disk, i.e. without separate /boot) are not supported by openSUSE installer :(.

Really? Have you tried?

Hm, I cannot find the bug I filed in 2017, which ended as wontfix. But right, things might have changed, I'll retest it.
Even if this works, how would GRUB read its configuration file from an encrypted disk? Are you suggesting that GRUB asks for the password first? And then the Linux OS asks for this password again before it can mount the root filesystem? How is this an improvement over a separate /boot partition?
I can confirm that since 15.1 the /boot partition is not necessary anymore even if the main disk is encrypted. But as you suggested, the downside is that you have to type the encryption password twice: the first time for grub and the second time when systemd mounts the disk. I personally still use the separate unencrypted /boot partition. It is however a weak point. An attacker that can have physical access to the computer can replace the content of /boot and then compromise the system.

Giacomo