This describes how to have encrypted /boot with single passphrase unlock (rather than twice, once for GRUB and once for Linux). It uses a key file which is on the encrypted volume. http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/ The problem at the moment on openSUSE is it seems you can't have non-LVM LUKS volumes (just standard partitions). That poses a problem for encrypted Btrfs, so I wonder how that's supposed to work? The GRUB crypto work seems solid, even grub-mkconfig appears to recognize it's on a LUKS volume, and sets up the grub.cfg correctly. It makes the unencrypted, separate /boot seem antiquated. And also in a Btrfs context where we want /boot snapshot along with /lib/modules so they're in parity, is kinda important. -- Chris Murphy -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org