[opensuse] Need an educated guess on installation "ex new" of Leap with encrypted /boot
The system is old, thus not really running into the UEFI problem, but has a TMP, which governs also the HDD. So kind of "legacy with secure boot". Installation (as this is a laptop) should be as safe as possible, without going too far to put the boot partition onto a USB key, that would be overkill.
I had so far a /boot (unencrypted) and an LVM with / (root /home and swap) encrypted. I know that Leap has made some progress on this behalf and wanted to know: what are the available options for an encrypted install, what are advantages / disadvantages you think worthy of notice and although I googled and found some, if you have some link with important information about this, feel free to share.
File system: EXT4 on all partitions with exception of boot where it was up to now ext2. Space: it is a 500 GB disk with now /boot (400 MB), /swap 8GB (I have 8 GB of RAM and do often suspend to disk), /root 58 GB (this is a lot, but given all the debug libraries and that I have a lot of software installed, makes the system safe for some "upgrades"). /home (403 GB).
I am looking forward to suggestions about available options. Regards.
Thank you.
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Tuesday, 21 July 2020 9:05:04 CEST, Stakanov wrote:
The system is old, thus not really running into the UEFI problem, but has a TMP, which governs also the HDD. So kind of "legacy with secure boot". Installation (as this is a laptop) should be as safe as possible, without going too far to put the boot partition onto a USB key, that would be overkill. I had so far a /boot (unencrypted) and an LVM with / (root /home and swap) encrypted. I know that Leap has made some progress on this behalf and wanted to know: what are the available options for an encrypted install, what are advantages / disadvantages you think worthy of notice and although I googled and found some, if you have some link with important information about this, feel free to share. File system: EXT4 on all partitions with exception of boot where it was up to now ext2. Space: it is a 500 GB disk with now /boot (400 MB), /swap 8GB (I have 8 GB of RAM and do often suspend to disk), /root 58 GB (this is a lot, but given all the debug libraries and that I have a lot of software installed, makes the system safe for some "upgrades"). /home (403 GB). I am looking forward to suggestions about available options.
I use unencrypted /boot/efi and then encrypted LVM containing everything else (i.e. / and swap). The only problem is that I have to enter password twice, otherwise it works perfectly without any issue or performance loss. This is easily configurable in YaST installer. You can also add password for GRUB. HTH, -- Vojtěch Zeisek https://trapa.cz/ Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux https://www.opensuse.org/
On 21/07/2020 03:47, Vojtěch Zeisek wrote:
I use unencrypted /boot/efi and then encrypted LVM containing everything else (i.e. / and swap). The only problem is that I have to enter password twice, otherwise it works perfectly without any issue or performance loss. This is easily configurable in YaST installer. You can also add password for GRUB. HTH,
That's a wonderful idea. The deferred/reconfigurable power of the LVM gets around a host of problems that the OP hints at. As for the unencrypted /boot, just like the booting of a USB device, well having physical access makes a mockery of many levels of security[1].
[1] For example, an attacker could walk off with your PC. He might not be able to break your encryption, but you don't have access either. Have you read about Schroedinger's backups?
-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 7/21/20 10:26 AM, Anton Aylward wrote:
[1] For example, an attacker could walk off with your PC. He might not be able to break your encryption, but you don't have access either. Have you read about Schroedinger's backups?
The cat ate my backup. ;-)
On 21/07/2020 10:37, James Knott wrote:
On 7/21/20 10:26 AM, Anton Aylward wrote:
[1] For example, an attacker could walk off with your PC. He might not be able to break your encryption, but you don't have access either. Have you read about Schroedinger's backups?
The cat ate my backup. ;-)
The Cat hid mine. Oh, wait, you mean the small critter of the feline persuasion? No that just shredded my documentation and my shirt. It's just what they do, no particular malice intended. -- Anton J Aylward Dodo Flight Research Laboratories Goddard Division Toronto, Ontario
On 7/21/20 9:37 AM, James Knott wrote:
On 7/21/20 10:26 AM, Anton Aylward wrote:
[1] For example, an attacker could walk off with your PC. He might not be able to break your encryption, but you don't have access either. Have you read about Schroedinger's backups?
The cat ate my backup. ;-)
Which cat? Live cat or dead cat? (I guess in the dead cat quantum superposition case -- your backup is fine. :) -- David C. Rankin, J.D.,P.E.
On 7/21/20 12:15 PM, David C. Rankin wrote:
The cat ate my backup. ;-)
Which cat? Live cat or dead cat?
That depends on whether you mean before or after he ate it. ;-)
On 07/21/2020 12:47 AM, Vojtěch Zeisek wrote:
On Tuesday, 21 July 2020 9:05:04 CEST, Stakanov wrote:
The system is old, thus not really running into the UEFI problem, but has a TMP, which governs also the HDD. So kind of "legacy with secure boot".
I am looking forward to suggestions about available options.
I use unencrypted /boot/efi and then encrypted LVM containing everything else (i.e. / and swap). The only problem is that I have to enter password twice, otherwise it works perfectly without any issue or performance loss. This is easily configurable in YaST installer. You can also add password for GRUB. HTH,
I recently installed 15.2 on two laptops following the process defined here:
https://en.opensuse.org/SDB:Encrypted_root_file_system
It makes sense to encrypt the root file system, including /boot, and everything else. The link shows how to compile the encryption key into initrd so that you enter the password only once. It works very well!
Regards, Lew
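Embedding the key in the initrd, as the message above describes, makes both the keyfile and the initrd image secrets. The script below is an added example, not part of the thread or of the linked SDB page: it audits a crypttab, its keyfiles and the initrd images for owner-only permissions. The key path `/.root.key`, the mapping names, the UUIDs and the tree it builds are constructed assumptions.

```shell
#!/bin/sh
# Added example. Every path and UUID below is a constructed sample.

mode_of() { stat -c '%a' "$1"; }   # octal permission bits (GNU stat)

# check_mode LABEL FILE: report whether FILE is accessible by its owner only
check_mode() {
    case $(mode_of "$2") in
        600|400) echo "OK   $1"; return 0 ;;
        *) echo "FAIL $1: mode $(mode_of "$2"), expected 600"; return 1 ;;
    esac
}

# audit_keyfiles ROOT: audit ROOT/etc/crypttab, its keyfiles and ROOT/boot/initrd*.
# Returns the number of problems found.
audit_keyfiles() {
    root=$1; problems=0
    while read -r name dev key opts; do
        case $name in ''|'#'*) continue ;; esac
        case $key in
            ''|none|-) echo "INFO $name: passphrase prompt, no keyfile"; continue ;;
        esac
        if [ ! -f "$root$key" ]; then
            echo "FAIL $name: keyfile $key missing"; problems=$((problems + 1))
        else
            check_mode "$name keyfile $key" "$root$key" || problems=$((problems + 1))
        fi
    done < "$root/etc/crypttab"
    # The initrd holds a copy of the key, so it needs the same protection.
    for img in "$root"/boot/initrd*; do
        [ -f "$img" ] || continue
        check_mode "${img#"$root"}" "$img" || problems=$((problems + 1))
    done
    return "$problems"
}

# make_sample DIR: build a constructed tree with two deliberate mistakes
make_sample() {
    mkdir -p "$1/etc" "$1/boot"
    printf '%s\n' '# constructed sample crypttab' \
        'cr_root UUID=00000000-0000-0000-0000-000000000000 /.root.key x-initrd.attach' \
        'cr_data UUID=11111111-1111-1111-1111-111111111111 none' > "$1/etc/crypttab"
    : > "$1/.root.key";          chmod 644 "$1/.root.key"
    : > "$1/boot/initrd-sample"; chmod 644 "$1/boot/initrd-sample"
}

demo=$(mktemp -d) && make_sample "$demo"
audit_keyfiles "$demo" || echo "problems found: $?"
rm -rf "$demo"
```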
On 21/07/2020 –– 12:05:56PM +0200, Carlos E. R. wrote:
Sorry, I don't understand this phrase. What's a TMP?
I'd assume that he meant this: https://de.wikipedia.org/wiki/Trusted_Platform_Module
On 21/07/2020 12.37, Kai Bojens wrote:
On 21/07/2020 –– 12:05:56PM +0200, Carlos E. R. wrote:
Sorry, I don't understand this phrase. What's a TMP?
I'd assume that he meant this: https://de.wikipedia.org/wiki/Trusted_Platform_Module
Oh. Then I can not help. -- Cheers / Saludos, Carlos E. R. (from 15.1 x86_64 at Telcontar)
On 07/21/2020 03:05 AM, Carlos E. R. wrote:
On 21/07/2020 09.05, Stakanov wrote:
The system is old, thus not really running into the UEFI problem, but has a TMP, which governs also the HDD.
Sorry, I don't understand this phrase. What's a TMP?
Probably a typo. TPM (Trusted Platform Module) makes more sense. Regards, Lew
On 7/21/20 2:05 AM, Stakanov wrote:
The system is old, thus not really running into the UEFI problem, but has a TMP, which governs also the HDD. So kind of "legacy with secure boot". Installation (as this is a laptop) should be as safe as possible, without going too far to put the boot partition onto a USB key, that would be overkill.
I had so far a /boot (unencrypted) and an LVM with / (root /home and swap) encrypted. I know that Leap has made some progress on this behalf and wanted to know: what are the available options for an encrypted install, what are advantages / disadvantages you think worthy of notice and although I googled and found some, if you have some link with important information about this, feel free to share.
File system: EXT4 on all partitions with exception of boot where it was up to now ext2. Space: it is a 500 GB disk with now /boot (400 MB), /swap 8GB (I have 8 GB of RAM and do often suspend to disk), /root 58 GB (this is a lot, but given all the debug libraries and that I have a lot of software installed, makes the system safe for some "upgrades"). /home (403 GB).
I am looking forward to suggestions about available options. Regards.
Thank you.
Why not a dm-crypt luks solution? See general scenarios: https://wiki.archlinux.org/index.php/Dm-crypt and then the specific links from that page, e.g. https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system -- David C. Rankin, J.D.,P.E.
participants (8): Anton Aylward, Carlos E. R., David C. Rankin, James Knott, Kai Bojens, Lew Wolfgang, Stakanov, Vojtěch Zeisek