[opensuse] YaST partitioned does not allow to encrypt BTRFS
I would like to reformat my /home to btrfs, and I need it encrypted. But YaST disables the checkbox as soon as Btrfs is selected. Is there some particular reason for that? -- Regards, Stas -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 12/18/2014 10:43 AM, Stanislav Baiduzhyi wrote:
I would like to reformat my /home to btrfs, and I need it encrypted. But YaST disables the checkbox as soon as Btrfs is selected. Is there some particular reason for that?
I believe this has come up in the past. Some sites recommend not using the BtrFS own encryption for a variety of reasons. As I understand it, this is why suse has it disabled. If you want an encrypted partition, regardless of the file system, d what I do: make use of LVM. Its stable and well proven and reliable. Encrypt the partition _underneath_ the file system. -- /"\ \ / ASCII Ribbon Campaign X Against HTML Mail / \ -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Dne Čt 18. prosince 2014 11:00:52, Anton Aylward napsal(a):
On 12/18/2014 10:43 AM, Stanislav Baiduzhyi wrote:
I would like to reformat my /home to btrfs, and I need it encrypted. But YaST disables the checkbox as soon as Btrfs is selected. Is there some particular reason for that?
I believe this has come up in the past. Some sites recommend not using the BtrFS own encryption for a variety of reasons. As I understand it, this is why suse has it disabled.
What are the reasons? I haven't heard about it.
If you want an encrypted partition, regardless of the file system, d what I do: make use of LVM. Its stable and well proven and reliable. Encrypt the partition _underneath_ the file system.
Yes, but Btrfs practically has LVM functionality, so it seems little bit weird to have LVM practically twice - it's just higher chance of corruption... BTW, there is little bug when creating encrypted LVM: https://bugzilla.opensuse.org/show_bug.cgi?id=908073 Sincerely, Vojtěch -- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux http://www.opensuse.org/ http://trapa.cz/
On 12/18/2014 11:08 AM, Vojtěch Zeisek wrote:
Dne Čt 18. prosince 2014 11:00:52, Anton Aylward napsal(a):
On 12/18/2014 10:43 AM, Stanislav Baiduzhyi wrote:
I would like to reformat my /home to btrfs, and I need it encrypted. But YaST disables the checkbox as soon as Btrfs is selected. Is there some particular reason for that?
I believe this has come up in the past. Some sites recommend not using the BtrFS own encryption for a variety of reasons. As I understand it, this is why suse has it disabled.
What are the reasons? I haven't heard about it.
Go Google !
If you want an encrypted partition, regardless of the file system, d what I do: make use of LVM. Its stable and well proven and reliable. Encrypt the partition _underneath_ the file system.
Yes, but Btrfs practically has LVM functionality, so it seems little bit weird to have LVM practically twice - it's just higher chance of corruption...
If you have either of the 'raw on the disk' there is similar functionality. *SIMILAR*, in that, for example, they can be made to extend of many spindles. That doesn't apply here. If you have BtrFS on a _single_ LVM partition as I do, that is not an issue.
BTW, there is little bug when creating encrypted LVM: https://bugzilla.opensuse.org/show_bug.cgi?id=908073
You don't seem to be describing a problem with an encrypted LVM. You seem to be repeating your YAST-level problem with BtrFS and encrypting BtrFS. PVCREATE - the command for creating a LVM -- doesn't have the option to make the whole LVM encrypted, where as you can make a BtrFS 'on the raw' encrypted. Of course you can encrypt the whole disk or the whole partition under any file system you apply, or play games with LUKS and the file system, but that's another matter. In neither case are you using the encryption ability of BtrFS or LVM. You could do LUKS-encrypt with *any* file system. Perhaps its that I don't use YAST for creating LVM, creating (possibly encrypted) LVM partitions, or for creating BtrFS file systems. I do them all from the command line so that I have absolute control over the parameters and see what the real error messages are. Why don't you try that? YAST has, obviously, a lot of limits. The system as a whole seems to have evolved beyond the capability that YAST is left with, which is a shame because YAST used to be the great 'selling point' of Suse. Think of it as a crutch for people who can use the command line. http://www.cryptonomicon.com/beginning.html http://www.linuxbsdos.com/2014/01/16/manual-full-disk-encryption-setup-guide... https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#LU... https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#LV... http://www.linuxbsdos.com/2011/05/10/how-to-install-ubuntu-11-04-on-an-encry... Note: "With the LVM partition created, we now want to specify that the partition is to be encrypted." Encryption is at the parition level. http://blog.philippbeck.net/linux/archlinux-install-encryption-lvm-luks-grub... -- Prosince -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Thursday 18 December 2014 11:00:52 Anton Aylward wrote:
On 12/18/2014 10:43 AM, Stanislav Baiduzhyi wrote:
I would like to reformat my /home to btrfs, and I need it encrypted. But YaST disables the checkbox as soon as Btrfs is selected. Is there some particular reason for that?
I believe this has come up in the past. Some sites recommend not using the BtrFS own encryption for a variety of reasons. As I understand it, this is why suse has it disabled.
If you want an encrypted partition, regardless of the file system, d what I do: make use of LVM. Its stable and well proven and reliable. Encrypt the partition _underneath_ the file system.
Yes, I remember that something like that was already discussed, but could not find any good answer with google, so decided to ask once again, hoping this time it will be better. I really expected that encrypt checkbox with BtrFS will work the same way it works with other file systems: create a DM device and create the file system on top of that. But as YaST greyed out that option completely I want to make sure there are no technical issues with that before I will do it manually. -- Regards, Stas -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2014-12-18 17:00, Anton Aylward wrote:
On 12/18/2014 10:43 AM, Stanislav Baiduzhyi wrote:
I would like to reformat my /home to btrfs, and I need it encrypted. But YaST disables the checkbox as soon as Btrfs is selected. Is there some particular reason for that?
I believe this has come up in the past. Some sites recommend not using the BtrFS own encryption for a variety of reasons. As I understand it, this is why suse has it disabled.
Its own encryption, right. But plain LUKS should work transparently with any filesystem. And YaST should allow both types, but it assumes only btrfs encryption, and they disabled it without a help message. My guess. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 18/12/14 16:19, Carlos E. R. wrote:
On 2014-12-18 17:00, Anton Aylward wrote:
On 12/18/2014 10:43 AM, Stanislav Baiduzhyi wrote:
I would like to reformat my /home to btrfs, and I need it encrypted. But YaST disables the checkbox as soon as Btrfs is selected. Is there some particular reason for that?
I believe this has come up in the past. Some sites recommend not using the BtrFS own encryption for a variety of reasons. As I understand it, this is why suse has it disabled.
Its own encryption, right. But plain LUKS should work transparently with any filesystem. And YaST should allow both types, but it assumes only btrfs encryption, and they disabled it without a help message. My guess.
Don't guess: https://btrfs.wiki.kernel.org/index.php/FAQ#Does_btrfs_support_encryption.3F - -- Bob Williams System: Linux 3.16.6-2-desktop Distro: openSUSE 13.2 (x86_64) with KDE Development Platform: 4.14.3 Uptime: 06:00am up 1 day 6:16, 3 users, load average: 0.08, 0.12, 0.18 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEYEARECAAYFAlSS/1sACgkQ0Sr7eZJrmU4ccQCfdil6yAGKUcVQNifkApmRas9C y5YAn1j3C0AQ3iXyyBYtsG5ak7/OF4bn =OVol -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2014-12-18 17:22, Bob Williams wrote:
On 18/12/14 16:19, Carlos E. R. wrote:
Its own encryption, right. But plain LUKS should work transparently with any filesystem. And YaST should allow both types, but it assumes only btrfs encryption, and they disabled it without a help message. My guess.
Don't guess:
https://btrfs.wiki.kernel.org/index.php/FAQ#Does_btrfs_support_encryption.3F
I refer to why yast doesn't allow classical /dev/mapper/cr_* encryption. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 18/12/14 16:36, Carlos E. R. wrote:
On 2014-12-18 17:22, Bob Williams wrote:
On 18/12/14 16:19, Carlos E. R. wrote:
Its own encryption, right. But plain LUKS should work transparently with any filesystem. And YaST should allow both types, but it assumes only btrfs encryption, and they disabled it without a help message. My guess.
Don't guess:
https://btrfs.wiki.kernel.org/index.php/FAQ#Does_btrfs_support_encryption.3F
I refer to why yast doesn't allow classical /dev/mapper/cr_* encryption.
Apologies. I didn't read your post properly. Reminder to self - usenet is *not* a write-only medium! - -- Bob Williams System: Linux 3.16.6-2-desktop Distro: openSUSE 13.2 (x86_64) with KDE Development Platform: 4.14.3 Uptime: 06:00am up 1 day 6:16, 3 users, load average: 0.08, 0.12, 0.18 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEYEARECAAYFAlSTFEQACgkQ0Sr7eZJrmU6MxgCfZ+HwTxx5Ol/v583cmIyyoFCu bewAn0Qd1aDgMvui1JOLDvryulckjVfX =XPo7 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Bob Williams wrote:
Apologies. I didn't read your post properly. Reminder to self - usenet is *not* a write-only medium!
Bob, that one has got to go into the collection of memorable internet quotes. -- Per Jessen, Zürich (9.8°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 18/12/14 18:03, Per Jessen wrote:
Bob Williams wrote:
Apologies. I didn't read your post properly. Reminder to self - usenet is *not* a write-only medium!
Bob, that one has got to go into the collection of memorable internet quotes.
Per, I agree. It's not original, though. I first heard it about 15 years ago. - -- Bob Williams System: Linux 3.16.6-2-desktop Distro: openSUSE 13.2 (x86_64) with KDE Development Platform: 4.14.3 Uptime: 06:00am up 1 day 6:16, 3 users, load average: 0.08, 0.12, 0.18 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEYEARECAAYFAlSTIlUACgkQ0Sr7eZJrmU7QmACfe6VVIDM3jT/dFgYts4idFRjf RJUAnRvptOBgK2aluMI0kA4ePrC3CWrR =fTDZ -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 18/12/14 16:00, Anton Aylward wrote:
On 12/18/2014 10:43 AM, Stanislav Baiduzhyi wrote:
I would like to reformat my /home to btrfs, and I need it encrypted. But YaST disables the checkbox as soon as Btrfs is selected. Is there some particular reason for that?
I believe this has come up in the past. Some sites recommend not using the BtrFS own encryption for a variety of reasons. As I understand it, this is why suse has it disabled.
If you want an encrypted partition, regardless of the file system, d what I do: make use of LVM. Its stable and well proven and reliable. Encrypt the partition _underneath_ the file system.
This seems to suggest that btrfs does not support encryption at the filesystem level: https://btrfs.wiki.kernel.org/index.php/FAQ#Does_btrfs_support_encryption.3F https://wiki.archlinux.org/index.php/Btrfs#Encryption Bob - -- Bob Williams System: Linux 3.16.6-2-desktop Distro: openSUSE 13.2 (x86_64) with KDE Development Platform: 4.14.3 Uptime: 06:00am up 1 day 6:16, 3 users, load average: 0.08, 0.12, 0.18 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEYEARECAAYFAlSS/xwACgkQ0Sr7eZJrmU4U+ACfZE24VPXRapNBknVFjHVntalg pbcAnA2ZT+lFo+BK5jLScXfPYHywAphn =95kn -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Thursday 18 December 2014 11:00:52 Anton Aylward wrote:
On 12/18/2014 10:43 AM, Stanislav Baiduzhyi wrote:
I would like to reformat my /home to btrfs, and I need it encrypted. But YaST disables the checkbox as soon as Btrfs is selected. Is there some particular reason for that?
I believe this has come up in the past. Some sites recommend not using the BtrFS own encryption for a variety of reasons. As I understand it, this is why suse has it disabled.
If you want an encrypted partition, regardless of the file system, d what I do: make use of LVM. Its stable and well proven and reliable. Encrypt the partition _underneath_ the file system.
Ok, I was able to install the system with encrypted ext4, then rsynced /home to backup folder, created btrfs on top of dm-0 device, rsynced backed up data back, changed fstab. Everything works as expected, now trying to do some simple file operations just to see if it will suddenly fail or something like that... -- Regards, Stas -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 12/18/2014 09:57 AM, Stanislav Baiduzhyi wrote:
On Thursday 18 December 2014 11:00:52 Anton Aylward wrote:
On 12/18/2014 10:43 AM, Stanislav Baiduzhyi wrote:
I would like to reformat my /home to btrfs, and I need it encrypted. But YaST disables the checkbox as soon as Btrfs is selected. Is there some particular reason for that?
I believe this has come up in the past. Some sites recommend not using the BtrFS own encryption for a variety of reasons. As I understand it, this is why suse has it disabled.
If you want an encrypted partition, regardless of the file system, d what I do: make use of LVM. Its stable and well proven and reliable. Encrypt the partition _underneath_ the file system.
Ok, I was able to install the system with encrypted ext4, then rsynced /home to backup folder, created btrfs on top of dm-0 device, rsynced backed up data back, changed fstab. Everything works as expected, now trying to do some simple file operations just to see if it will suddenly fail or something like that...
Reminds me of a flight out of Alaska in the dead of winter in perfectly horrible weather. The Flight was canceled at the last minute, and many were disappointed. When asked why the flight couldn't squeak out during a lull in the storm, the clerk at the flight window said, "If the pilot is afraid to fly in this weather, why in gods name would you want to go?" If Opensuse, with all their expertise doesn't trust encrypted BTRFS, why should I? -- After all is said and done, more is said than done. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2014-12-19 00:57, John Andersen wrote:
On 12/18/2014 09:57 AM, Stanislav Baiduzhyi wrote:
On Thursday 18 December 2014 11:00:52 Anton Aylward wrote:
Ok, I was able to install the system with encrypted ext4, then rsynced /home to backup folder, created btrfs on top of dm-0 device, rsynced backed up data back, changed fstab. Everything works as expected, now trying to do some simple file operations just to see if it will suddenly fail or something like that...
Reminds me of a flight out of Alaska in the dead of winter in perfectly horrible weather. The Flight was canceled at the last minute, and many were disappointed. When asked why the flight couldn't squeak out during a lull in the storm, the clerk at the flight window said, "If the pilot is afraid to fly in this weather, why in gods name would you want to go?"
If Opensuse, with all their expertise doesn't trust encrypted BTRFS, why should I?
LOL. But I think you have a confusion regarding this issue. What the devs are afraid of is btrfs native encryption, and that is what is discouraged and disabled. Now, the yast partitioner module has had encryption support for years. This time they added support for this new feature of btrfs internal encryption, but did not add the possibility of choosing traditional encryption instead. Ie, two methods. At some times the powers that be decide that btrfs internal encryption is unsafe and disable it. So the yast devs disable it. But they fail to re-enable classic (LUKS) encription for btrfs! Not because it may be dangerous, which as far as we know it is not, but because they neglected/forgot to do it. This traditional method is what Stanislav did. Nobody has claimed that it is unsafe, to my knowledge. It is the new method, internal btrfs encryption, which has been disabled. Completely different beast. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
participants (7)
-
Anton Aylward
-
Bob Williams
-
Carlos E. R.
-
John Andersen
-
Per Jessen
-
Stanislav Baiduzhyi
-
Vojtěch Zeisek