On 2016-03-01 11:32, Daniel Bauer wrote:
Hello,
I'd like to have a fully encrypted laptop (all except /boot/ , incl. / and swap) with leap 42.1.
The Installer doesn't let me encrypt / (when clicking "encrypt" a message says it's not possible to encrypt / )
I think it says that if you intend to use btrfs, because the internal feature for encryption in btrfs is beta, but YaST has since years allowed full system encryption with an LVM that covers /, /home, and swap, with /boot outside.
( My old procedure was in short: - Install system on the disk where later /home will be - make /home where later / will be - encrypt the now /home and move the system there - encrypt the now / - making crypttab entries and adjust fstab - make a new initrd - tell Grub to use root=dev/mapper/root )
but times have changed...
I think it should still work, and in fact, I like it better than the yast/lvm way.
Thanks for hints, links to uptodate-how-to's...
Another method is use firmware encryption. I know that all hard disk support firmware encryption, but the problem is how to start the system. You need that the bios in the computer prompts for the password before it can start to load the system in the hard disk. Linux support for this is scarce. Only some succinct entries in the man page for hdparm. Seek "ATA Security Feature Set" The advantage is that it is really full disk, and that it should work very fast, not using the CPU at all. I don't know of anybody using this in Linux, though. Or that has reported how to do it. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)