On Tue, Mar 1, 2016 at 5:23 AM, Carlos E. R. <robin.listas@telefonica.net> wrote:
On 2016-03-01 11:32, Daniel Bauer wrote:
Hello,
I'd like to have a fully encrypted laptop (all except /boot/ , incl. / and swap) with leap 42.1.
The installer doesn't let me encrypt / (when clicking "encrypt", a message says it's not possible to encrypt /).
I think it says that if you intend to use btrfs, because the internal feature for encryption in btrfs is beta, but YaST has for years allowed full system encryption with an LVM that covers /, /home, and swap, with /boot outside.
There's no Btrfs encryption yet. The RFC proposal for planned per subvolume encryption hit the Btrfs list about two weeks ago. It's not in the kernel or tools yet. So it should be practical to support /boot on an unencrypted subvolume, where other subvolumes are encrypted.
Another method is to use firmware encryption. I know that all hard disks support firmware encryption, but the problem is how to start the system. You need the BIOS in the computer to prompt for the password before it can start to load the system from the hard disk.
Linux support for this is scarce.
TCP folks should have commissioned an EFI executable to manage OPAL drives a long time ago but what can I say? Not too bright? All UEFI systems could support it. The easy part though is unlocking it in the pre-boot environment. It's non-trivial to support hibernation for these drives. They're pretty much a data only solution rather than bootable solution right now which is too bad.
Only some succinct entries in the man page for hdparm. Seek "ATA Security Feature Set".
That's erasure, not OPAL crypto support.
The advantage is that it is really full disk, and that it should work very fast, not using the CPU at all. I don't know of anybody using this in Linux, though. Or that has reported how to do it.
Drives that support it always have it on; it can't be turned off. Out of the box, they're unlocked, so the DEK is always available without a KEK. But the data on the flash memory itself is always ciphertext.
-- Chris Murphy
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
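Carlos describes the YaST layout (/, /home and swap on an LVM inside one encrypted container, /boot outside). The following is an added check, not code from this thread, that audits a machine against that layout using the JSON that lsblk prints; the device names in the sample, the column keys and the "[SWAP]" mountpoint string are assumptions about lsblk's output conventions.

```python
"""Audit the "everything except /boot encrypted" layout: every mounted
filesystem and swap must sit below a dm-crypt device, /boot may be plain.
Input is the JSON printed by `lsblk -J -o NAME,TYPE,MOUNTPOINT,FSTYPE`
(column names and the "[SWAP]" mountpoint string are lsblk conventions,
assumed here); SAMPLE_LSBLK is a constructed sample of the YaST LVM layout."""
import json
import subprocess

SAMPLE_LSBLK = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "fstype": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot", "fstype": "ext4"},
        {"name": "sda2", "type": "part", "mountpoint": None, "fstype": "crypto_LUKS",
         "children": [
            {"name": "cr_sda2", "type": "crypt", "mountpoint": None, "fstype": "LVM2_member",
             "children": [
                {"name": "system-root", "type": "lvm", "mountpoint": "/", "fstype": "ext4"},
                {"name": "system-swap", "type": "lvm", "mountpoint": "[SWAP]", "fstype": "swap"},
                {"name": "system-home", "type": "lvm", "mountpoint": "/home", "fstype": "ext4"},
            ]},
        ]},
    ]},
]})

def _walk(nodes, ancestors):
    """Yield (node, ancestors) for every device in the lsblk tree."""
    for node in nodes:
        yield node, ancestors
        yield from _walk(node.get("children", []), ancestors + [node])

def audit(lsblk_json, allow_plain=("/boot", "/boot/efi")):
    """Map each mountpoint (swap shows as "[SWAP]") to True when a crypt
    device is among its ancestors; also return findings for unencrypted
    mounts outside allow_plain. Swap counts because hibernation images
    and paged-out memory, possibly holding key material, land there."""
    tree = json.loads(lsblk_json)["blockdevices"]
    status, findings = {}, []
    for node, ancestors in _walk(tree, []):
        mp = node.get("mountpoint")
        if not mp:
            continue
        status[mp] = any(a.get("type") == "crypt" for a in ancestors)
        if not status[mp] and mp not in allow_plain:
            findings.append(f"{mp} on {node['name']} is not below a crypt device")
    return status, findings

def audit_live():
    """Run the audit against the machine this script runs on."""
    out = subprocess.check_output(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT,FSTYPE"])
    return audit(out.decode())
```

Running audit_live() on a laptop installed with the YaST scheme should return an empty findings list; any mount reported there is data sitting outside the LUKS container.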