[opensuse] Raid 1 + Encrypted Btrfs
Hi,
I have spent some time now trying to set up my notebook with a software raid 1 built from 2 SSDs and encrypted btrfs and so far failed miserably.
Seems the installer doesn't support this combination at all.
What i tried:
All those attempts have been tried with and without a separate unencrypted /boot and /boot/efi. I only would need encrypted root and home, boot can be unencrypted if needed.
1) Raid + Encrypted Btrfs
When creating btrfs on a raid device, the encryption checkbox is disabled, while it's available for other filesystems.
2) Raid + Encrypted LVM
While creating "normal" LVM Partitions has an encryption checkbox, the installer directly uses raid devices in the LVM creation interface, encryption option nowhere to be seen.
3) Raid + Manual cryptsetup
I created a raid 1 and did a manual cryptsetup on it. The installer detects the encrypted raid and asks for a password. From there on the installer seems to work as expected. Can create a LVM on the encrypted raid (also the installer shows correctly that it's encrypted), i can create my needed filesystems and the installer completes without errors. Sadly the installed system fails to boot. At this point i've given up and haven't investigated further.
I would know how to do all necessary stuff manually i probably manage to make everything boot up, but i don't want to intervene with standard setup too much, as this probably will cause problems with future upgrades / updates.
Did i miss something or is it really impossible to combine raid + btrfs + encryption at the current state of the installer?
Best Regards
Daniel
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 01/04/2017 05:24 AM, Daniel Selinger wrote:
> Hi,
> I have spent some time now trying to set up my notebook with a software raid 1 built from 2 SSDs and encrypted btrfs and so far failed miserably.
> Seems the installer doesn't support this combination at all.
> What i tried:
> All those attempts have been tried with and without a separate unencrypted /boot and /boot/efi. I only would need encrypted root and home, boot can be unencrypted if needed.
> 1) Raid + Encrypted Btrfs
> When creating btrfs on a raid device, the encryption checkbox is disabled, while it's available for other filesystems.
> 2) Raid + Encrypted LVM
> While creating "normal" LVM Partitions has an encryption checkbox, the installer directly uses raid devices in the LVM creation interface, encryption option nowhere to be seen.
> 3) Raid + Manual cryptsetup
> I created a raid 1 and did a manual cryptsetup on it. The installer detects the encrypted raid and asks for a password. From there on the installer seems to work as expected. Can create a LVM on the encrypted raid (also the installer shows correctly that it's encrypted), i can create my needed filesystems and the installer completes without errors. Sadly the installed system fails to boot. At this point i've given up and haven't investigated further.
> I would know how to do all necessary stuff manually i probably manage to make everything boot up, but i don't want to intervene with standard setup too much, as this probably will cause problems with future upgrades / updates.
> Did i miss something or is it really impossible to combine raid + btrfs + encryption at the current state of the installer?
> Best Regards
> Daniel
btrfs doesn't support encryption yet, but btrfs+RAID+LUKS is possible. Take a look at this page to get an idea on what you need to do: https://www.peterbeard.co/blog/post/i-am-a-data-hoarder-or-how-to-create-a-b...
well, as i said, i know how to get there manually. there are multiple ways to get there with software raid, btrfs raid, lvm, luks.
but everything the installer doesn't support is hard to install on, and will produce unpredictable failures on upgrades, i was asking if there is a way the installer supports.
ext filesystems don't have encryption either and the installer lets you encrypt them (using luks) and i tried something similar as described in my original mail under procedure 3) and after the installer completed it didn't boot up, i don't want to manually repair bootup every time some updates fiddle around with initrd or such.
On Wed, Jan 4, 2017 at 3:53 PM, sdm <fastcpu@openmailbox.org> wrote:
> On 01/04/2017 05:24 AM, Daniel Selinger wrote:
> > Hi,
> > I have spent some time now trying to set up my notebook with a software raid 1 built from 2 SSDs and encrypted btrfs and so far failed miserably.
> > Seems the installer doesn't support this combination at all.
> > What i tried:
> > All those attempts have been tried with and without a separate unencrypted /boot and /boot/efi. I only would need encrypted root and home, boot can be unencrypted if needed.
> > 1) Raid + Encrypted Btrfs
> > When creating btrfs on a raid device, the encryption checkbox is disabled, while it's available for other filesystems.
> > 2) Raid + Encrypted LVM
> > While creating "normal" LVM Partitions has an encryption checkbox, the installer directly uses raid devices in the LVM creation interface, encryption option nowhere to be seen.
> > 3) Raid + Manual cryptsetup
> > I created a raid 1 and did a manual cryptsetup on it. The installer detects the encrypted raid and asks for a password. From there on the installer seems to work as expected. Can create a LVM on the encrypted raid (also the installer shows correctly that it's encrypted), i can create my needed filesystems and the installer completes without errors. Sadly the installed system fails to boot. At this point i've given up and haven't investigated further.
> > I would know how to do all necessary stuff manually i probably manage to make everything boot up, but i don't want to intervene with standard setup too much, as this probably will cause problems with future upgrades / updates.
> > Did i miss something or is it really impossible to combine raid + btrfs + encryption at the current state of the installer?
> > Best Regards
> > Daniel
> btrfs doesn't support encryption yet, but btrfs+RAID+LUKS is possible. Take a look at this page to get an idea on what you need to do: https://www.peterbeard.co/blog/post/i-am-a-data-hoarder-or-how-to-create-a-b...
On 2017-01-04 16:14, Daniel Selinger wrote:
> well, as i said, i know how to get there manually. there are multiple ways to get there with software raid, btrfs raid, lvm, luks.
> but everything the installer doesn't support is hard to install on, and will produce unpredictable failures on upgrades, i was asking if there is a way the installer supports.
I think it is luks + LVM + btrfs (not internal to btrfs, but external), and in that order. /boot has to be external.
I don't know about raid, I thought it was supported.
--
Cheers / Saludos,
Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
On 2017-01-04 16:32, Andrei Borzenkov wrote:
> 04.01.2017 18:25, Carlos E. R. wrote:
> > /boot has to be external.
> Again, I lost count how many times I had to tell it to you - no, it has not.
My memory is not as good as it was, sorry. For decades /boot was needed to boot LVM or encrypted.
But YaST sets it up that way? :-?
> /boot/efi has of course, as long as you are using EFI boot.
--
Cheers / Saludos,
Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
04.01.2017 18:53, Carlos E. R. wrote:
> On 2017-01-04 16:32, Andrei Borzenkov wrote:
> > 04.01.2017 18:25, Carlos E. R. wrote:
> > > /boot has to be external.
> > Again, I lost count how many times I had to tell it to you - no, it has not.
> My memory is not as good as it was, sorry. For decades /boot was needed to boot LVM or encrypted.
> But YaST sets it up that way? :-?
No, I can install system with single root on encrypted volume, without any additional filesystems. It is true that this is default proposal, if you go into expert partitioner and remove /boot partition, it is accepted and works.
> > /boot/efi has of course, as long as you are using EFI boot.
On 2017-01-04 16:25, Carlos E. R. wrote:
> I think it is luks + LVM + btrfs (not internal to btrfs, but external), and in that order. /boot has to be external.
yea, i think that's what the installer does for the encrypted lvm setup. also when you partition manually that's the only way you can get encryption for btrfs, because the only place you can enable encryption is when creating lvm partitions on the physical disks.
> I don't know about raid, I thought it was supported.
i wish it was ;)
--
Daniel Selinger, CEO
Sourcy Software & Services GmbH
Feldgasse 97, 3400 Kierling, Austria
W: https://sourcy.io E: d.selinger@sourcy.io
04.01.2017 16:24, Daniel Selinger wrote:
> 2) Raid + Encrypted LVM
> While creating "normal" LVM Partitions has an encryption checkbox, the installer directly uses raid devices in the LVM creation interface, encryption option nowhere to be seen.
> 3) Raid + Manual cryptsetup
> I created a raid 1 and did a manual cryptsetup on it. The installer detects the encrypted raid and asks for a password. From there on the installer seems to work as expected. Can create a LVM on the encrypted raid (also the installer shows correctly that it's encrypted), i can create my needed filesystems and the installer completes without errors. Sadly the installed system fails to boot. At this point i've given up and haven't investigated further.
> I would know how to do all necessary stuff manually i probably manage to make everything boot up, but i don't want to intervene with standard setup too much, as this probably will cause problems with future upgrades / updates.
As long as you do "zypper dup" I do not expect any more problems than you may experience during normal package update.
> Did i miss something or is it really impossible to combine raid + btrfs + encryption at the current state of the installer?
Looks like it. I wholeheartedly agree that p.2 is plain bug and it should be possible to manually enable encryption at least in the same configuration which installer offers. And it is not possible to enable encryption for LVM even without RAID at all (strictly speaking, the problem is that it is not possible to create encrypted partition).
As for p.3 - I did it in the past so in general it should work. There could be arbitrary problems using new shiny tools, so YMMV. Unfortunately this will remain so until someone actually spends time and efforts to build and debug such configuration.
On 2017-01-04 16:29, Andrei Borzenkov wrote:
> As long as you do "zypper dup" I do not expect any more problems than you may experience during normal package update.
ok, at least i can hope so, i have made not so good experience with such fiddling on most other mainstream distros
> Looks like it. I wholeheartedly agree that p.2 is plain bug and it should be possible to manually enable encryption at least in the same configuration which installer offers. And it is not possible to enable encryption for LVM even without RAID at all (strictly speaking, the problem is that it is not possible to create encrypted partition).
encryption for lvm without raid works as far as i could tell, also when manually creating. you have to enable the encryption when creating the lvm partitions on the physical drives, not when creating the lvm itself.
although there is a bug in the installer that sometimes doesn't let you check the encryption checkbox even if it's supported for the current configuration. in those cases it helps to switch the listbox to a different filesystem / partition type, when switching back to what you want the checkbox gets enabled (not so for btrfs on md devices)
> As for p.3 - I did it in the past so in general it should work. There could be arbitrary problems using new shiny tools, so YMMV. Unfortunately this will remain so until someone actually spends time and efforts to build and debug such configuration.
ok, looks like i have to give it another shot. but somehow i didn't even get a password prompt at bootup for decrypting the disks when i manually created the luks volume on the software raid, although the installer played just fine with the configuration.
do you remember what configuration worked for you? raid -> luks -> lvm -> btrfs?
--
Daniel Selinger, CEO
Sourcy Software & Services GmbH
Feldgasse 97, 3400 Kierling, Austria
W: https://sourcy.io E: d.selinger@sourcy.io
04.01.2017 18:41, Daniel Selinger wrote:
...
> > Looks like it. I wholeheartedly agree that p.2 is plain bug and it should be possible to manually enable encryption at least in the same configuration which installer offers. And it is not possible to enable encryption for LVM even without RAID at all (strictly speaking, the problem is that it is not possible to create encrypted partition).
> encryption for lvm without raid works as far as i could tell, also when manually creating. you have to enable the encryption when creating the lvm partitions on the physical drives, not when creating the lvm itself.
It does not activate checkbox for me using Leap 42.2. The only partition type where I can check "Encrypt" is swap. Ironically it also allows it for "Win95 FAT32" partition ... Unfortunately installer does not offer these partition types for PV selection then :(
> although there is a bug in the installer that sometimes doesn't let you check the encryption checkbox even if it's supported for the current configuration. in those cases it helps to switch the listbox to a different filesystem / partition type, when switching back to what you want the checkbox gets enabled (not so for btrfs on md devices)
Yes, I remember this pretty much erratic behavior, and it also is (was) dependent on legacy BIOS vs. UEFI boot mode (for some reasons installer thought encryption was OK on EFI but not on BIOS). Still this is a bug - *if* it is allowed it must be possible to select when partition is created.
> > As for p.3 - I did it in the past so in general it should work. There could be arbitrary problems using new shiny tools, so YMMV. Unfortunately this will remain so until someone actually spends time and efforts to build and debug such configuration.
> ok, looks like i have to give it another shot. but somehow i didn't even get a password prompt at bootup for decrypting the disks when i manually created the luks volume on the software raid, although the installer played just fine with the configuration.
It could be unrelated issue, I remember bug reports about missing password prompts. It could also be that installer did not add necessary modules to initrd. This needs investigation.
> do you remember what configuration worked for you? raid -> luks -> lvm -> btrfs?
Yes, I believe so. Actually I became curious ... I think I'll try with Leap 42.2 now. :)
04.01.2017 19:08, Andrei Borzenkov wrote:
...
> It could be unrelated issue, I remember bug reports about missing password prompts. It could also be that installer did not add necessary modules to initrd. This needs investigation.
> > do you remember what configuration worked for you? raid -> luks -> lvm -> btrfs?
> Yes, I believe so. Actually I became curious ... I think I'll try with Leap 42.2 now. :)
Well, I get "Failed to start systemd-cryptsetup@luks.service - no such file or directory" so it indeed looks like missing dracut modules.
04.01.2017 19:54, Andrei Borzenkov wrote:
> 04.01.2017 19:08, Andrei Borzenkov wrote:
> ...
> > It could be unrelated issue, I remember bug reports about missing password prompts. It could also be that installer did not add necessary modules to initrd. This needs investigation.
> > > do you remember what configuration worked for you? raid -> luks -> lvm -> btrfs?
> > Yes, I believe so. Actually I became curious ... I think I'll try with Leap 42.2 now. :)
> Well, I get "Failed to start systemd-cryptsetup@luks.service - no such file or directory" so it indeed looks like missing dracut modules.
This is combination of installer buglet (it does not create /etc/crypttab in this case) and (upstream) dracut bug that completely fails if device is not listed in /etc/crypttab in initrd. Workaround is to mount root (I did it from dracut shell, or live Linux would do), create /etc/crypttab with correct device and re-create initrd.
To be more specific, I did
- manually create partitions, RAID1 on these partitions, LUKS on this RAID, pvcreate on LUKS, vgcreate, lvcreate. @Carlos :) - I had just root, no separate /boot nor swap to save time.
- started installer, went into expert partitioner, rescanned disks, edited LV to mount it on root
after that installation proceeded normally, including bootloader install, I was greeted with grub2 passphrase request and then initrd failed at initqueue step. I then rebooted, added "rd.break=initqueue", manually did luksOpen, lvm_scan, mount (including sys, dev and proc of course) and chroot.
I am not interested enough to pursue it further :) if you are, you may consider at least filing bug report against YaST regarding missing /etc/crypttab.
dracut part looks a bit more demanding, although I think I know how it can be fixed.
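The workaround in the message above (create /etc/crypttab with the correct device, then re-create the initrd) can be checked before rebooting. The following is an added example, not part of the thread and not YaST or dracut code: a shell check that lists LUKS containers missing from a crypttab file and prints a candidate entry for each. The sample blkid text, the UUID and the cr_ mapping name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report LUKS containers that have no
# crypttab entry and print the line that would cover each one.
# Inputs are plain files, so it can be pointed at a mounted root from a
# rescue system: `blkid > /tmp/blkid.txt`, crypttab at /mnt/etc/crypttab.

# luks_devices FILE: print "device uuid" for each crypto_LUKS line of
# blkid-style output in FILE.
luks_devices() {
    awk '/TYPE="crypto_LUKS"/ {
        dev = $1; sub(/:$/, "", dev)
        # leading space keeps UUID_SUB= and PARTUUID= from matching
        if (match($0, / UUID="[^"]+"/))
            print dev, substr($0, RSTART + 7, RLENGTH - 8)
    }' "$1"
}

# crypttab_covers DEV UUID FILE: succeed if a non-comment entry in FILE names
# the container by device path or by UUID (UUID=... or /dev/disk/by-uuid/...).
crypttab_covers() {
    [ -r "$3" ] || return 1
    awk -v d="$1" -v u="$2" '
        $1 !~ /^#/ && ($2 == d || index($2, u)) { found = 1 }
        END { exit !found }' "$3"
}

# missing_crypttab_entries BLKID_FILE CRYPTTAB: one crypttab line per LUKS
# device that CRYPTTAB does not cover. The cr_<basename> mapping name and
# the "none luks" fields (prompt for passphrase) are choices of this example.
missing_crypttab_entries() {
    luks_devices "$1" | while read -r dev uuid; do
        crypttab_covers "$dev" "$uuid" "$2" && continue
        printf 'cr_%s UUID=%s none luks\n' "${dev##*/}" "$uuid"
    done
}

# Constructed sample: RAID1 member, LUKS on the md device, LVM PV inside.
sample_blkid() {
cat <<'EOF'
/dev/sda2: UUID="0a1b2c3d-1111-2222-3333-444455556666" UUID_SUB="9f8e7d6c-aaaa-bbbb-cccc-ddddeeeeffff" TYPE="linux_raid_member" PARTUUID="12345678-02"
/dev/md0: UUID="6b1d0c2e-5a4f-4c3b-9e8d-7f6a5b4c3d2e" TYPE="crypto_LUKS"
/dev/mapper/cr_md0: UUID="Zx9Kq1-aaaa-bbbb-cccc-dddd-eeee-ffffff" TYPE="LVM2_member"
EOF
}

tmp=$(mktemp -d)
sample_blkid > "$tmp/blkid.txt"
# No crypttab exists yet, as in the installation described in the thread.
missing_crypttab_entries "$tmp/blkid.txt" "$tmp/crypttab"
rm -rf "$tmp"
# Next step on a real system: append the printed line to /etc/crypttab in
# the installed root, then re-create the initrd from a chroot
# (for example with `dracut --force`).
```

An entry that refers to the container through some other alias, such as a /dev/disk/by-id path, is not recognised by this check and would be reported as missing.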
On 2017-01-04 20:06, Andrei Borzenkov wrote:
> 04.01.2017 19:54, Andrei Borzenkov wrote:
> > 04.01.2017 19:08, Andrei Borzenkov wrote:
> > ...
> > > It could be unrelated issue, I remember bug reports about missing password prompts. It could also be that installer did not add necessary modules to initrd. This needs investigation.
> > > > do you remember what configuration worked for you? raid -> luks -> lvm -> btrfs?
> > > Yes, I believe so. Actually I became curious ... I think I'll try with Leap 42.2 now. :)
> > Well, I get "Failed to start systemd-cryptsetup@luks.service - no such file or directory" so it indeed looks like missing dracut modules.
> This is combination of installer buglet (it does not create /etc/crypttab in this case) and (upstream) dracut bug that completely fails if device is not listed in /etc/crypttab in initrd. Workaround is to mount root (I did it from dracut shell, or live Linux would do), create /etc/crypttab with correct device and re-create initrd.
> To be more specific, I did
> - manually create partitions, RAID1 on these partitions, LUKS on this RAID, pvcreate on LUKS, vgcreate, lvcreate. @Carlos :) - I had just root, no separate /boot nor swap to save time.
> - started installer, went into expert partitioner, rescanned disks, edited LV to mount it on root
> after that installation proceeded normally, including bootloader install, I was greeted with grub2 passphrase request and then initrd failed at initqueue step. I then rebooted, added "rd.break=initqueue", manually did luksOpen, lvm_scan, mount (including sys, dev and proc of course) and chroot.
> I am not interested enough to pursue it further :) if you are, you may consider at least filing bug report against YaST regarding missing /etc/crypttab.
> dracut part looks a bit more demanding, although I think I know how it can be fixed.
wow, thanks for all your effort, but i don't think i want to go through all of this at the moment ;) i'll just choose some setup that's supported for now :)
--
Daniel Selinger, CEO
Sourcy Software & Services GmbH
Feldgasse 97, 3400 Kierling, Austria
W: https://sourcy.io E: d.selinger@sourcy.io
participants (4)
- Andrei Borzenkov
- Carlos E. R.
- Daniel Selinger
- sdm