[opensuse] 12.1 - not possible to encrypt root partition anymore?
Hi!
According to this: http://en.opensuse.org/SDB:Encrypted_root_file_system it used to be possible to encrypt the whole / partition in 11.4. However, I'm trying to install 12.1 on old laptop and during installation I get error saying that "you have assigned an encrypted file system to a partition with one of the following mount points: /, /usr, /boot, /var. This is not possible. Change mount point or use a nonloopbacked file system."
Is full disk encryption not supported anymore?
-- HG.
Uhhh...
On Tue, Apr 10, 2012 at 7:14 PM, HG <hg.list@gmail.com> wrote:
> Hi!
> According to this: http://en.opensuse.org/SDB:Encrypted_root_file_system it used to be possible to encrypt the whole / partition in 11.4. However, I'm trying to install 12.1 on old laptop and during installation I get error saying that "you have assigned an encrypted file system to a partition with one of the following mount points: /, /usr, /boot, /var. This is not possible. Change mount point or use a nonloopbacked file system."
> Is full disk encryption not supported anymore?
I ignored the manuals that the page above points to and tried to go with Yast. I selected LVM with encryption. Then I resized the partition (at this point Ext4) to be as big as possible (as YaST left quite a lot of empty space). Then I changed the root partition to be btrfs (after reading http://www.mayrhofer.eu.org/ssd-linux-benchmark and figuring that it should be better option for the SSD). Everything seemed fine, until:
Failure in mounting /dev/system/root to /
System error code was: -3003
/bin/mount -t btrfs -o acl,user_xattr '/dev/system/root' '/mnt':
mount: wrong fs type, bad option, bad superblock on /dev/mapper/system-root, missing codepage or helper program, or other error.
In some cases useful info is found in syslog -try dmesg | tail or so
Continue despite the error?
Doesn't sound wise. I don't even know how to get to prompt from here to see anything from the messages. Is encryption really not working anymore on 12.1? I'm installing on old Lenovo X301 with SSD and I'm installing from USB stick and 64-bit network image.
-- HG.
On 2012-04-10 18:49, HG wrote:
> Continue despite the error? Doesn't sound wise. I don't even know how to get to prompt from here to see anything from the messages. Is encryption really not working anymore on 12.1? I'm installing on old Lenovo X301 with SSD and I'm installing from USB stick and 64-bit network image.
Encryption should work. Btrfs is experimental.
-- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On Tue, 2012-04-10 at 19:30 +0200, Carlos E. R. wrote:
> On 2012-04-10 18:49, HG wrote:
>> Continue despite the error? Doesn't sound wise. I don't even know how to get to prompt from here to see anything from the messages. Is encryption really not working anymore on 12.1? I'm installing on old Lenovo X301 with SSD and I'm installing from USB stick and 64-bit network image.
> Encryption should work. Btrfs is experimental.
As btrfs is offered with commercial support for sles11sp2, I dare say that it has outgrown the "experimental" status...
Hans
On 2012-04-10 22:28, Hans Witvliet wrote:
> On Tue, 2012-04-10 at 19:30 +0200, Carlos E. R. wrote:
>> Encryption should work. Btrfs is experimental.
> As btrfs is offered with commercial support for sles11sp2, I dare say that it has outgrown the "experimental" status...
Does it have a full fsck.btrfs?
-- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On Tue, 10-04-2012 at 22:31 +0200, Carlos E. R. wrote:
> On 2012-04-10 22:28, Hans Witvliet wrote:
>> On Tue, 2012-04-10 at 19:30 +0200, Carlos E. R. wrote:
>>> Encryption should work. Btrfs is experimental.
>> As btrfs is offered with commercial support for sles11sp2, I dare say that it has outgrown the "experimental" status...
> Does it have a full fsck.btrfs?
As far as I can remember, the btrfs still does not support disk encryption. If you are concerned about disk, volume or partition encryption you should use LVM, otherwise making a folder encryption with truecrypt or another encryption tool could work for most cases.
At this right moment, there is no encryption implementation for BTRFS. http://en.wikipedia.org/wiki/Btrfs#Encryption
It could change on the not so far future since btrfs is now supported in SLES SP2 (commercial server) and it was announced a patch that included openSUSE too (the last btrfs patch fixed several bugs and added some performance and stability, not encryption support). BTRFS Encryption support implementation is uneasy on this right development phase for any distro or kernel.
Regards,
-- Ricardo Chung | Panama Linux Ambassador openSUSE Projects
On 2012-04-10 23:17, Ricardo Chung wrote:
> On Tue, 10-04-2012 at 22:31 +0200, Carlos E. R. wrote:
> As far as I can remember, the btrfs still does not support disk encryption. If you are concerned about disk, volume or partition encryption you should use LVM, otherwise making a folder encryption with truecrypt or another encryption tool could work for most cases.
He is using LVM, it does not work. It is on his post.
-- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On Tuesday, April 10, 2012 11:26:56 PM Carlos E. R. wrote:
> On 2012-04-10 23:17, Ricardo Chung wrote:
>> On Tue, 10-04-2012 at 22:31 +0200, Carlos E. R. wrote:
>> As far as I can remember, the btrfs still does not support disk encryption. If you are concerned about disk, volume or partition encryption you should use LVM, otherwise making a folder encryption with truecrypt or another encryption tool could work for most cases.
> He is using LVM, it does not work. It is on his post.
Maybe I understood wrong. He said above (2nd mail) switched from LVM to BTRFS. Not sure how it was the precise procedure to change it. I assume he made it clean.
Quoting "I selected LVM with encryption. Then I resized the partition (at this point Ext4) to be as big as possible (as YaST left quite a lot of empty space). Then I changed the root partition to be btrfs" explained HG.
I made a LVM setup with openSUSE 12.1 (full disk encryption) and separated /home partition encryption with no issues other than the hassle to type twice a password (one for the whole HDD and another for /home partition). And everything works fine. Hope this clarifies it.
If you try Partitions setup it will probably go to install BTRFS option. It will send errors when trying to encrypt the HDD or even the /home partition.
Regards,
-- Ricardo Chung | Panama Linux Ambassador openSUSE Projects
On 2012-04-11 00:28, Ricardo Chung wrote:
> On Tuesday, April 10, 2012 11:26:56 PM Carlos E. R. wrote:
> Maybe I understood wrong. He said above (2nd mail) switched from LVM to BTRFS. Not sure how it was the precise procedure to change it. I assume he made it clean. Quoting "I selected LVM with encryption. Then I resized the partition (at this point Ext4) to be as big as possible (as YaST left quite a lot of empty space). Then I changed the root partition to be btrfs" explained HG.
I understand that means that he is using a root partition with btrfs on top of an encrypted LVM, which is the method Yast partitioner does. But his writing is indeed confusing.
-- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
Hi!
On Wed, Apr 11, 2012 at 1:45 AM, Carlos E. R. <robin.listas@telefonica.net> wrote:
> On 2012-04-11 00:28, Ricardo Chung wrote:
>> On Tuesday, April 10, 2012 11:26:56 PM Carlos E. R. wrote:
>> Maybe I understood wrong. He said above (2nd mail) switched from LVM to BTRFS. Not sure how it was the precise procedure to change it. I assume he made it clean. Quoting "I selected LVM with encryption. Then I resized the partition (at this point Ext4) to be as big as possible (as YaST left quite a lot of empty space). Then I changed the root partition to be btrfs" explained HG.
> I understand that means that he is using a root partition with btrfs on top of an encrypted LVM, which is the method Yast partitioner does.
> But his writing is indeed confusing.
Sorry about that :-( I'll try better now - but this is going to be long.
I wanted to have full disk encryption (for many reasons stated here, as well as here: http://en.opensuse.org/SDB:Encrypted_root_file_system ... and required by many companies) and btrfs as I thought I'd need to run quite modern filesystem on this SSD - and because btrfs was basically promoted by YaST in installation.
Installation, from the first screen, I select my keyboard map and English. After the graphical installer starts, I need to reselect the keyboard map again as it's back to US. Not big, but still why.
Ok, then starts the partitioning. Not too fond of LVM as I think simpler should be ok. I'm probably wrong there. Anyways, I was also wrong in following the page that let me believe that it works for "Opensuse 11.2 and newer" and was only tested on 11.4. I even followed the link to 11.4 documentation - except that only now I notice that the link which says 11.4 seems to point to a URL that has 112 in it.
So, basically I was trying to follow this: http://www.suse.com/documentation/opensuse112/book_security/?page=/documenta... and 11.1.1 Creating an Encrypted Partition during Installation.
I then selected BtrFS and opened the editing mode. Clicked on the / partition with BtrFS. Click Edit and I can see that the encryption is grayed out. So, I go back. Unselect BtrFS and try again. Now edit shows Ext4 for filesystem of / and I can select "Encrypt device". But clicking Next comes up with error that I cannot encrypt /.
The guide that I linked, says "For this reason, the only appropriate course of action is to encrypt the entire root file system, along with the file system containing the sensitive data." This is why I asked if it is not possible anymore to encrypt the root partition. This was possible apparently. But not anymore.
So, I go back again to try with LVM this time. So, I click LVM + encrypt (+ give password) + BtrFS (as that's still something I think I wanted).
Now, I have 64Gb SSD. So, quite small. Still, the LVM setup only used 40Gb of my disk for / and 2Gb for swap (rest empty). So, in the edit mode, I try to click on resize, but then I'm greeted with error that BtrFS doesn't support resizing. Which is a bit odd as I don't think any changes have even been made to the disk yet!
So, yet again, I go back and start from the top. This time, I checked only LVM and encryption. In edit, I see that LVM had now allocated only 20Gb for / which is now Ext4. But Ext4 allows for resizing, so I fill the disk. Then I click Accept and from the first screen edit again. I open the / with edit and just change the file system from under format partition from Ext4 to BtrFS and leave the encryption off as the LVM is now encrypted.
At this point, I thought I have LVM encrypted, and / with BtrFS filling the disk (with swap) as I wanted. Time to hit accept and next and go on. And then I was greeted with the error that I wrote in the second email:
Failure in mounting /dev/system/root to /
System error code was: -3003
/bin/mount -t btrfs -o acl,user_xattr '/dev/system/root' '/mnt':
mount: wrong fs type, bad option, bad superblock on /dev/mapper/system-root, missing codepage or helper program, or other error.
In some cases useful info is found in syslog -try dmesg | tail or so
Now, I apologize for my unclear writing in the previous emails and I really hope I was more clear this time. I would rather claim that the procedure on how to get encrypted BtrFS on openSUSE is quite hard and confusing. And it just didn't work. And the guides that I followed that lead me to believe that encrypting root partition on openSUSE is good idea were completely wrong as it's not possible anymore in 12.1.
Saddest part of this story is that, once I got the system running (Ext4 and encryptions) I was greeted with the KDE 4 - and it still was confusing and not as functional as KDE once was. Namely, I could still not figure out the workspaces for example. Went to KDE pages, but no tutorial, no examples. I just want a desktop that handles my windows. Also, dolphin is still so far from what konqueror was in KDE3. And the "start menu of KDE" still requires huge number of mouse clicks just to browse the programs that are in the menus. Why on earth somebody thinks all those clicks are necessary? BTW, I didn't want the LibreOffice, but the installer didn't let me unselect that.
All this lead me to first time in my life download Ubuntu. And while I miss YaST badly, I like the way how that ubuntu desktop, I guess Unity, lets me just go about my business of using the programs. No, the file browser isn't any better either. However, on the laptop, I'm now giving Ubuntu a chance for couple of weeks. I'm still going to run openSUSE on all of the servers as well as some laptops.
Thanks for all the comments - specially about why to encrypt the whole disk.
-- HG.
HG said the following on 04/14/2012 03:36 AM:
> I wanted to have full disk encryption ...
Just for the record ...
Full disk encryption, partition encryption, file system encryption and file encryption are all quite different things.
Full disk encryption is often implemented in the disk hardware. As the Wikipedia article points out http://en.wikipedia.org/wiki/Hardware-based_full_disk_encryption
<quote> The symmetric encryption key is maintained independently from the CPU, thus removing computer memory as a potential attack vector. </quote>
I've also seen full disk encryption implemented in the low level disk drivers. The point being that the disk is encrypted regardless of how you partition it, regardless of the file system you use.
I recognise that there are applications like TrueCrypt (and other vendors) which try to encompass many aspects. Their use of terms like 'disk' and 'drive' is often very liberal.
LVM is very good but very daunting until you gain experience and a comfort level.
Partition level encryption (see also TrueCrypt again) gives flexibility but that comes at a price - complexity and management. Encrypting the RootFS leads to the question of having a separate /boot and whether that is encrypted, and that is encrypted and what goes into the initrd, which gets into key management.
Perhaps you should also look at LUKS - kernel level encryption.
My personal opinion is that you have chosen to 'dive in the deep end'. Even though I have experience with encryption in other areas, if I was approaching this I'd experiment with non-critical, non-root, techniques first.
-- "The wide world is all about you: you can fence yourselves in, but you cannot for ever fence it out." -- JRR Tolkien,
HG wrote:
> Uhhh...
> On Tue, Apr 10, 2012 at 7:14 PM, HG <hg.list@gmail.com> wrote:
>> Hi!
>> According to this: http://en.opensuse.org/SDB:Encrypted_root_file_system it used to be possible to encrypt the whole / partition in 11.4. However, I'm trying to install 12.1 on old laptop and during installation I get error saying that "you have assigned an encrypted file system to a partition with one of the following mount points: /, /usr, /boot, /var. This is not possible. Change mount point or use a nonloopbacked file system."
>> Is full disk encryption not supported anymore?
Why would you even want /bin and /usr/bin to be encrypted? Encrypt your data, not your partitions.
On 2012-04-11 11:20, Dirk Gently wrote:
> Why would you even want /bin and /usr/bin to be encrypted? Encrypt your data, not your partitions.
Fine tuning what directories to encrypt and which not is complicated. You need to encrypt all directories with data written by the system: var, etc, tmp...
Also, it denies the thief the possibility of running your machine.
-- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
Carlos E. R. wrote:
> it denies the thief the possibility of running your machine.
It also denies the possibility of removing the hard drive, inserting it in another computer, installing a rootkit on it, and then replacing it. Not a significant risk for most people, but if you have reason to be paranoid ...
On 2012-04-11 13:09, Dave Howorth wrote:
> Carlos E. R. wrote:
>> it denies the thief the possibility of running your machine.
> It also denies the possibility of removing the hard drive, inserting it in another computer, installing a rootkit on it, and then replacing it.
The kernel can be replaced, because /boot has to be non-encrypted, I understand.
-- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On Wednesday, April 11, 2012 01:50:29 PM Carlos E. R. wrote:
> On 2012-04-11 13:09, Dave Howorth wrote:
>> Carlos E. R. wrote:
>>> it denies the thief the possibility of running your machine.
>> It also denies the possibility of removing the hard drive, inserting it in another computer, installing a rootkit on it, and then replacing it.
> The kernel can be replaced, because /boot has to be non-encrypted, I understand.
As you mentioned that is one of the multiple reasons to encrypt a Hard Disc Drive and/or Partitions. If you feel even full paranoid (and reasons exist to be) you will need to add an extra folder/files encryption for the most valuable data inside of. Once upon you are connected to Internet your HDD encryption is no longer working and you will need an extra encryption level to keep those sniffer snoopies away. Fortunately, we have good tools available to perform that job.
Regards,
-- Ricardo Chung | Panama Linux Ambassador openSUSE Projects
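
Added example, not part of the original thread: a shell check for the layout the thread ends up with (root and swap inside an encrypted LVM container, /boot left unencrypted). It walks the parent links in `lsblk -P` output to see whether each mount point sits on a dm-crypt layer; the sample listing and its device names are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Report whether the block device behind a mount point sits on a dm-crypt layer.
# Input text has the format of: lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT

# Constructed sample: unencrypted /boot, one LUKS container holding an LVM
# volume group with root and swap (device names are illustrative).
SAMPLE_LSBLK='KNAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" FSTYPE="swap" MOUNTPOINT="[SWAP]"'

# layer_status LSBLK_TEXT MOUNTPOINT -> prints encrypted | plaintext | absent
layer_status() {
    printf '%s\n' "$1" | awk -v target="$2" '
    # Extract the value of KEY="value" from one lsblk -P line.
    function field(line, key,   i, rest) {
        i = index(" " line, " " key "=\"")
        if (i == 0) return ""
        rest = substr(" " line, i + length(key) + 3)
        return substr(rest, 1, index(rest, "\"") - 1)
    }
    {
        k = field($0, "KNAME")
        parent[k] = field($0, "PKNAME")
        type[k] = field($0, "TYPE")
        if (field($0, "MOUNTPOINT") == target) leaf = k
    }
    END {
        if (leaf == "") { print "absent"; exit }
        # Walk from the mounted device up towards the physical disk.
        for (k = leaf; k != "" && hops++ < 32; k = parent[k])
            if (type[k] == "crypt") { print "encrypted"; exit }
        print "plaintext"
    }'
}

# audit_layout LSBLK_TEXT -> one line per location discussed in the thread
audit_layout() {
    for mp in / /boot '[SWAP]'; do
        printf '%-7s %s\n' "$mp" "$(layer_status "$1" "$mp")"
    done
}

audit_layout "$SAMPLE_LSBLK"
```

On a running system, pass `"$(lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT)"` to `audit_layout` instead of the sample; a plaintext `/boot` is the expected result for the layout described above.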
participants (7)
- Anton Aylward
- Carlos E. R.
- Dave Howorth
- Dirk Gently
- Hans Witvliet
- HG
- Ricardo Chung