On Tue, Mar 1, 2016 at 4:16 AM, Andrei Borzenkov <arvidjaar@gmail.com> wrote:
On Tue, Mar 1, 2016 at 1:32 PM, Daniel Bauer <linux@daniel-bauer.com> wrote:
Hello,
I'd like to have a fully encrypted laptop (all except /boot/ , incl. / and swap) with leap 42.1.
The Installer doesn't let me encrypt / (when clicking "encrypt" a message says it's not possible to encrypt / )
you may want to review this thread
https://lists.opensuse.org/opensuse-factory/2015-12/msg00071.html
Several ideas, separate or maybe in combination where possible.

1. Decouple boot so it can be on a non-encrypted fs. Reduce the number of root volume snapshots so they aren't ever older than the oldest retained kernel on boot (i.e. if kernels are expired, expire all of their coupled snapshots). I think there are too many snapshots anyway. No one needs to go back six months. Maybe two weeks of snapshots is sufficient for rolling, and maybe just three trees (current and two previous, one of which includes the previous kernel) for stable. Really? People want 100 snapshots that also don't even include /home? I don't get it.

2. Deprecate installing the bootloader in the Btrfs bootloader pad. It's only 64KiB, which is probably the limiting factor for including btrfs and luks in core.img. Use the MBR gap, or BIOS Boot. Those are 1MiB, which is enough to include LUKS and an embedded static grub.cfg to ask for the passphrase, unlock root, and find the real grub.cfg, then display the menu, load the kernel and initramfs, done.

3. Support Bootloaderspec, and agree to modify it in a way that includes supporting fully encrypted systems, which we arguably need anyway, including boot.

4. In any case, definitely decouple LVM and encryption. There is no good reason why these two things are tied together in the installer. Support plain encrypted partitions for use by a Btrfs root (or any other file system for that matter).

I'm really not sympathetic to this idea of preserving the old bootloader in the MBR. You're installing another OS; that OS should install a bootloader in that bootloader's preferred location and ideally automatically include boot entries for the previously bootable OS as well.
So create two VG, one for each disk type. Where is the problem? :)
You can also create encrypted partition for /home later, without using YaST (and not using LVM at all).
I think it's asking a lot for most users to configure this with the CLI. Maybe blivet-gui could help make it easier if the installer isn't going to cooperate. But for what it's worth, Fedora's installer supports encrypted Btrfs on a partition, not LVM. Granted, they don't offer snapper configured out of the box, and also still (my goodness) don't support /boot on Btrfs (long story).
--
Chris Murphy
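An added example for the plain LUKS-encrypted /home partition suggested above (no LVM, no YaST); this is not code from anyone in the thread. The device path, mapper name `cr_home` and the UUID in the dry run are placeholders, and the privileged steps only run when the script is invoked with `--apply /dev/sdXN`.

```shell
#!/bin/sh
# Added example: wire a plain LUKS partition in as /home via crypttab and fstab.
set -eu

# /etc/crypttab entry: <mapper name> UUID=<LUKS header UUID> none luks
# "none" means no key file, so a passphrase prompt is shown at boot.
crypttab_line() {
    name=$1; uuid=$2
    printf '%s UUID=%s none luks\n' "$name" "$uuid"
}

# /etc/fstab entry for the unlocked mapper device; pass 2 so fsck runs after /.
fstab_line() {
    name=$1; fstype=$2; mountpoint=$3
    printf '/dev/mapper/%s %s %s defaults 0 2\n' "$name" "$mountpoint" "$fstype"
}

# Privileged steps (root, destroys the partition contents). Hypothetical helper.
setup_encrypted_home() {
    dev=$1; name=cr_home; fstype=btrfs
    cryptsetup luksFormat "$dev"             # create the LUKS header, asks for passphrase
    cryptsetup open "$dev" "$name"           # unlock to /dev/mapper/cr_home
    mkfs."$fstype" /dev/mapper/"$name"
    uuid=$(cryptsetup luksUUID "$dev")       # UUID of the header, stable across fs changes
    crypttab_line "$name" "$uuid" >> /etc/crypttab
    fstab_line "$name" "$fstype" /home >> /etc/fstab
    mount /home
}

if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    setup_encrypted_home "$2"
else
    # Dry run with a constructed UUID: show the two lines that would be appended.
    crypttab_line cr_home 0f1e2d3c-0000-4000-8000-000000000001
    fstab_line cr_home btrfs /home
fi
```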