[opensuse] can you help me encrypt my laptop?
Hello,

I'd like to have a fully encrypted laptop (all except /boot/, incl. / and swap) with Leap 42.1.

The installer doesn't let me encrypt / (when clicking "encrypt" a message says it's not possible to encrypt /).

I know there is a possibility to use an LVM (I'd have to update my forgotten knowledge, though :-) ), BUT
- my system / will be on a SSD, while the rest (/home) will be on a normal HD. As far as my searches showed me, it is not an intelligent choice to put an SSD and a normal HD in an LVM...

My notes about encrypting a system using LUKS are outdated, from 2008, when no UEFI, no secure boot and no GRUB2 existed... I don't know if boot.crypto would still work, and then I don't know how to tell GRUB2 to use the new initrd that was created during the encryption process...

( My old procedure was in short:
- Install system on the disk where later /home will be
- make /home where later / will be
- encrypt the now /home and move the system there
- encrypt the now /
- making crypttab entries and adjust fstab
- make a new initrd
- tell Grub to use root=dev/mapper/root )

but times have changed... Google did not help me :-(

Can you help me to achieve my goal (have unencrypted /boot and encrypted system on SSD and encrypted /home and /swap on HD with only one passphrase at boot)?

Thanks for hints, links to up-to-date how-tos...

Daniel

--
Daniel Bauer photographer Basel Barcelona
http://www.daniel-bauer.com
room in Barcelona: https://www.airbnb.es/rooms/2416137
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Tue, Mar 1, 2016 at 1:32 PM, Daniel Bauer <linux@daniel-bauer.com> wrote:
Hello,
I'd like to have a fully encrypted laptop (all except /boot/ , incl. / and swap) with leap 42.1.
The Installer doesn't let me encrypt / (when clicking "encrypt" a message says it's not possible to encrypt / )
you may want to review this thread https://lists.opensuse.org/opensuse-factory/2015-12/msg00071.html
I know there is a possibility to use an LVM (I'd have to update my forgotten knowledge, though :-) ), BUT
- my system / will be on a SSD, while the rest (/home) will be on a normal HD. As far as my searches showed me, it is not an intelligent choice to put an SSD and a normal HD in an LVM...
So create two VG, one for each disk type. Where is the problem? :)

You can also create encrypted partition for /home later, without using YaST (and not using LVM at all).
On 01.03.2016 at 12:16, Andrei Borzenkov wrote:
On Tue, Mar 1, 2016 at 1:32 PM, Daniel Bauer <linux@daniel-bauer.com> wrote:
Hello,
I'd like to have a fully encrypted laptop (all except /boot/ , incl. / and swap) with leap 42.1.
...
I know there is a possibility to use an LVM (I'd have to update my forgotten knowledge, though :-) ), BUT
- my system / will be on a SSD, while the rest (/home) will be on a normal HD. As far as my searches showed me, it is not an intelligent choice to put an SSD and a normal HD in an LVM...
So create two VG, one for each disk type. Where is the problem? :)
You can also create encrypted partition for /home later, without using YaST (and not using LVM at all).
Oh, oh... So I reinstalled:
unencrypted /boot
each an encrypted raw on the SSD and the HD
each a LVM on those encrypted raws
- one subvolume for / on the LVM "system" on the SSD-LVM
- a subvolume for swap and one for /home on the HD

Now after the first boot I get:
GNU GRUB version 2.02 beta2
Minimal bash...
grub >

That's all. No password question. No booting. I must have done something wrong. But what?

Daniel
On 01.03.2016 at 13:05, Daniel Bauer wrote:
On 01.03.2016 at 12:16, Andrei Borzenkov wrote:
On Tue, Mar 1, 2016 at 1:32 PM, Daniel Bauer <linux@daniel-bauer.com> wrote:
Hello,
I'd like to have a fully encrypted laptop (all except /boot/ , incl. / and swap) with leap 42.1.
...
I know there is a possibility to use an LVM (I'd have to update my forgotten knowledge, though :-) ), BUT
- my system / will be on a SSD, while the rest (/home) will be on a normal HD. As far as my searches showed me, it is not an intelligent choice to put an SSD and a normal HD in an LVM...
So create two VG, one for each disk type. Where is the problem? :)
You can also create encrypted partition for /home later, without using YaST (and not using LVM at all).
Oh, oh... So I reinstalled: unencrypted /boot each an encrypted raw on the SSD and the HD each a LVM on those encrypted raws - one subvolume for / on the LVM "system" on the SSD-LVM - a subvolume for swap and one for /home on the HD
Now after the first boot I get: GNU GRUB version 2.02 beta2 Minimal bash... grub >
That's all. No password question. No booting. I must have done something wrong. But what?
One step forward: I just did the complete install again, imported the previous disk-layout, and now I am at least asked for the passphrase. After that the boot menu comes up and then the window changes. I see

Loading Linux 4.1.12-default...
Loading initial ramdisk ...

Beneath is the cursor, not blinking, and nothing more happens... What could be the reason?

(My first install - without encryption - worked more or less. So in general leap can run on that computer...)

Heeeelp...
01.03.2016 15:05, Daniel Bauer wrote:
On 01.03.2016 at 12:16, Andrei Borzenkov wrote:
On Tue, Mar 1, 2016 at 1:32 PM, Daniel Bauer <linux@daniel-bauer.com> wrote:
Hello,
I'd like to have a fully encrypted laptop (all except /boot/ , incl. / and swap) with leap 42.1.
...
I know there is a possibility to use an LVM (I'd have to update my forgotten knowledge, though :-) ), BUT
- my system / will be on a SSD, while the rest (/home) will be on a normal HD. As far as my searches showed me, it is not an intelligent choice to put an SSD and a normal HD in an LVM...
So create two VG, one for each disk type. Where is the problem? :)
You can also create encrypted partition for /home later, without using YaST (and not using LVM at all).
Oh, oh... So I reinstalled: unencrypted /boot each an encrypted raw on the SSD and the HD each a LVM on those encrypted raws - one subvolume for / on the LVM "system" on the SSD-LVM - a subvolume for swap and one for /home on the HD
Now after the first boot I get: GNU GRUB version 2.02 beta2 Minimal bash... grub >
That's all. No password question. No booting. I must have done something wrong. But what?
There was a bug in grub2/shim in handling secure boot with encrypted /boot/grub2. It should work when disabling secure boot (in firmware and Linux) when installing, fully updating Leap and enabling secure boot again.
On Tue, Mar 1, 2016 at 4:16 AM, Andrei Borzenkov <arvidjaar@gmail.com> wrote:
On Tue, Mar 1, 2016 at 1:32 PM, Daniel Bauer <linux@daniel-bauer.com> wrote:
Hello,
I'd like to have a fully encrypted laptop (all except /boot/ , incl. / and swap) with leap 42.1.
The Installer doesn't let me encrypt / (when clicking "encrypt" a message says it's not possible to encrypt / )
you may want to review this thread
https://lists.opensuse.org/opensuse-factory/2015-12/msg00071.html
Several ideas, separate or maybe in combination where possible.

1. Decouple boot so it can be on non-encrypted fs. Reduce the number of root volume snapshots so they aren't ever older than the oldest retained kernel on boot (i.e. if kernels are expired, expire all of their coupled snapshots). I think there are too many snapshots anyway. No one needs to go back six months. Maybe two weeks of snapshots is sufficient for rolling, and maybe just three trees (current and two previous one of which includes the previous kernel) for stable. Really? People want 100 snapshots that also doesn't even include /home? I don't get it.

2. Deprecate installing the bootloader in the Btrfs bootloader pad. It's only 64KiB which is probably the limiting factor for including btrfs and luks in core.img. Use the MBR gap, or BIOS Boot. Those are 1MiB which is enough to include LUKS and an embedded static grub.cfg to ask for passphrase, unlock root, and find the real grub.cfg, then display menu, load kernel and initramfs, done.

3. Support Bootloaderspec, and agree to modify it in a way that includes supporting fully encrypted systems which we arguably need anyway, including boot.

4. In any case, definitely decouple LVM and encryption. There is no good reason why these two things are tied together in the installer. Support plain encrypted partitions for use by a Btrfs root (or any other file system for that matter).

I'm really not sympathetic to this idea of preserving the old bootloader in the MBR. You're installing another OS, that OS should install a bootloader in that bootloader's preferred location and ideally automatically include boot entries for the previously bootable OS as well.
So create two VG, one for each disk type. Where is the problem? :)
You can also create encrypted partition for /home later, without using YaST (and not using LVM at all).
I think it's asking a lot for most users to configure this with CLI. Maybe blivet-gui could help make it easier if the installer isn't going to cooperate.

But for what it's worth Fedora's installer supports encrypted Btrfs on a partition, not LVM. Granted, they don't offer snapper configured out of the box, and also still (my goodness) don't support /boot on Btrfs (long story).

-- Chris Murphy
On Fri, Mar 18, 2016 at 6:47 AM, Chris Murphy <lists@colorremedies.com> wrote:
2. Deprecate installing the bootloader in the Btrfs bootloader pad. It's only 64KiB which is probably the limiting factor for including btrfs and luks in core.img.
Total unused space is 1MiB minus superblock size. 64KiB is the first superblock location; so there is room for growth beyond it. Actually openSUSE already carries a patch that is using this space for environment block (because we cannot write to btrfs).

Post-MBR gap is good for clean new install, for legacy it is even smaller. So btrfs is better choice for dual boot on older systems.
On 03/01/2016 05:32 AM, Daniel Bauer wrote:
I'd like to have a fully encrypted laptop (all except /boot/ , incl. / and swap) with leap 42.1.
The Installer doesn't let me encrypt / (when clicking "encrypt" a message says it's not possible to encrypt / )
If you encrypted /, how would you reach unencrypted directories under it? Also, if you're really worried about security, you probably want to encrypt swap too. It contains anything that's been saved to memory, including your secret data.

Also, is there any point in encrypting /bin etc., that only contains executable data? Generally, all you worry about is /home and swap, as that's where your data will be.
On 01.03.2016 at 13:21, James Knott wrote:
On 03/01/2016 05:32 AM, Daniel Bauer wrote:
I'd like to have a fully encrypted laptop (all except /boot/ , incl. / and swap) with leap 42.1.
The Installer doesn't let me encrypt / (when clicking "encrypt" a message says it's not possible to encrypt / )
If you encrypted /, how would you reach unencrypted directories under it? Also, if you're really worried about security, you probably want to encrypt swap too. It contains anything that's been saved to memory, including your secret data. Also, is there any point in encrypting /bin etc., that only contains executable data? Generally, all you worry about is /home and swap, as that's where your data will be.
Well, since "ever" I have separate partition /boot and an encrypted partition /. This has never been a problem. As much as I know, if you have an encrypted / partition, a separate /home partition is not encrypted, although logically within the /tree... so, why should there be a problem with /boot?

Of course swap will be encrypted, too, as everything (except /boot). I think the various /tmp and /var/tmp-files should also be encrypted. Anyway, it is easier to encrypt all but /boot, so I don't have to worry about what is and what is not encrypted.

However I just tried with an encrypted LVM and it does not boot (s my other post...) :-(
On Tue 01 Mar 2016 01:31:54 PM CST, Daniel Bauer wrote: <snip>
However I just tried with an encrypted LVM and it does not boot (s my other post...) :-(
Hi
Have a read here on what I did for LVM encryption
https://forums.opensuse.org/showthread.php/513011-Problem-to-Install-Windows...

--
Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 SP1|GNOME 3.10.4|3.12.53-60.30-default
up 1 day 8:56, 5 users, load average: 0.35, 0.19, 0.16
CPU AMD A4-5150M @ 2.70GHz | GPU Radeon HD 8350G
On 03/01/2016 04:21 AM, James Knott wrote:
On 03/01/2016 05:32 AM, Daniel Bauer wrote:
I'd like to have a fully encrypted laptop (all except /boot/ , incl. / and swap) with leap 42.1.
The Installer doesn't let me encrypt / (when clicking "encrypt" a message says it's not possible to encrypt / )
If you encrypted /, how would you reach unencrypted directories under it? Also, if you're really worried about security, you probably want to encrypt swap too. It contains anything that's been saved to memory, including your secret data. Also, is there any point in encrypting /bin etc., that only contains executable data? Generally, all you worry about is /home and swap, as that's where your data will be.
With a typical directory structure, you would only need to encrypt /home /tmp /var and swap. Of course if you had a proprietary data directory outside of the normal directory tree you would encrypt that as well.

There is little to be gained by encrypting / or any of the other locations where the system is actually installed, although some might make a case for /etc

--
After all is said and done, more is said than done.
On 2016-03-01 18:07, John Andersen wrote:
There is little to be gained by encrypting / or any of the other locations where the system is actually installed, although some might make a case for /etc
There is a case indeed :-)

For instance, fetchmail can have a default configuration file in there that contains email passwords. Surely other system programs may do similarly.

Yes, there is little point in encrypting code, but it is probably easier to encode everything, thus making sure that nothing is forgotten. It also denies another person getting access to the computer to use it.

Me, I encrypt a data directory, because it is simpler to do. But perhaps I should protect the entire laptop. Perhaps I would like to do it in firmware, but I don't know how.

-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 03/01/2016 09:52 AM, Carlos E. R. wrote:
Yes, there is little point in encrypting code, but it is probably easier to encode everything, thus making sure that nothing is forgotten. It also denies another person getting access to the computer to use it.
I think we are pretty much on the same page here.

I encrypt /home and an out-of-the-normal-tree data directory which has customer data and proprietary source code from my day job.

It might be that some things are in /var and /tmp as well as non-critical passwords to dyndns in /etc. But I want those the machine to boot. My Dyndns would help me track it down if stolen.

I want to do just enough to protect the important stuff, and if there happens to be some detritus in /var/ I clean /tmp with a boot time script. There is even a fake /home directory under the mount point where the encrypted /home will be mounted.

My theory is give the thief enough to believe they have the machine, while recording things (off site) that help me track it down.

But then I'm not in Daniel's line of work.
On 2016-03-01 11:32, Daniel Bauer wrote:
Hello,
I'd like to have a fully encrypted laptop (all except /boot/ , incl. / and swap) with leap 42.1.
The Installer doesn't let me encrypt / (when clicking "encrypt" a message says it's not possible to encrypt / )
I think it says that if you intend to use btrfs, because the internal feature for encryption in btrfs is beta, but YaST has since years allowed full system encryption with an LVM that covers /, /home, and swap, with /boot outside.
( My old procedure was in short: - Install system on the disk where later /home will be - make /home where later / will be - encrypt the now /home and move the system there - encrypt the now / - making crypttab entries and adjust fstab - make a new initrd - tell Grub to use root=dev/mapper/root )
but times have changed...
I think it should still work, and in fact, I like it better than the yast/lvm way.
Thanks for hints, links to uptodate-how-to's...
Another method is use firmware encryption. I know that all hard disk support firmware encryption, but the problem is how to start the system. You need that the bios in the computer prompts for the password before it can start to load the system in the hard disk.

Linux support for this is scarce.

Only some succinct entries in the man page for hdparm. Seek "ATA Security Feature Set"

The advantage is that it is really full disk, and that it should work very fast, not using the CPU at all. I don't know of anybody using this in Linux, though. Or that has reported how to do it.

-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Tue, Mar 1, 2016 at 5:23 AM, Carlos E. R. <robin.listas@telefonica.net> wrote:
On 2016-03-01 11:32, Daniel Bauer wrote:
Hello,
I'd like to have a fully encrypted laptop (all except /boot/ , incl. / and swap) with leap 42.1.
The Installer doesn't let me encrypt / (when clicking "encrypt" a message says it's not possible to encrypt / )
I think it says that if you intend to use btrfs, because the internal feature for encryption in btrfs is beta, but YaST has since years allowed full system encryption with an LVM that covers /, /home, and swap, with /boot outside.
There's no Btrfs encryption yet. The RFC proposal for planned per subvolume encryption hit the Btrfs list about two weeks ago. It's not in the kernel or tools yet. So it should be practical to support /boot on an unencrypted subvolume, where other subvolumes are encrypted.
Another method is use firmware encryption. I know that all hard disk support firmware encryption, but the problem is how to start the system. You need that the bios in the computer prompts for the password before it can start to load the system in the hard disk.
Linux support for this is scarce.
TCP folks should have commissioned an EFI executable to manage OPAL drives a long time ago but what can I say? Not too bright? All UEFI systems could support it. The easy part though is unlocking it in the pre-boot environment. It's non-trivial to support hibernation for these drives. They're pretty much a data only solution rather than bootable solution right now which is too bad.
Only some succinct entries in the man page for hdparm. Seek "ATA Security Feature Set"
That's erasure, not OPAL crypto support.
The advantage is that it is really full disk, and that it should work very fast, not using the CPU at all. I don't know of anybody using this in Linux, though. Or that has reported how to do it.
Drives that support it always have it on, it can't be turned off. Out of the box, they're unlocked, so the DEK is always available without a KEK. But the data on the flash memory itself is always ciphertext.

-- Chris Murphy
On Tuesday, 1 March 2016 11:32:23 CET, Daniel Bauer wrote:
I'd like to have a fully encrypted laptop (all except /boot/ , incl. / and swap) with leap 42.1.
I do this very commonly and without problems. So:

There is just one disk, create:
1) unencrypted /boot (ext4)
2) if on UEFI system, unencrypted /boot/efi (fat)
3) encrypted LVM and within it
   a) / (whatever FS)
   b) /home (if You like that division, I don't)
   c) swap

There are two disks (e.g. SSD for system):
Disk A (e.g. SSD for system):
1) unencrypted /boot (ext4)
2) if on UEFI system, unencrypted /boot/efi (fat)
3) encrypted LVM and within it
   a) / (whatever FS)
   b) swap
Disk B:
1) encrypted /home (XFS or ext4)

Of course, You can decide where to have swap. In any case, as it is not possible to encrypt /, there must be encrypted LVM on disk A. If swap would be on disk B, there would be encrypted LVM containing /home and swap.

HTH

--
Vojtěch Zeisek
Community of the openSUSE GNU/Linux
https://www.opensuse.org/
https://trapa.cz/
Thanks everybody for the help.

My error was that I had only an unencrypted /boot/efi (which I thought would have replaced /boot)...

So now I have:

sdb (SSD)
sdb1: /boot/efi (FAT)
sdb2: /boot (EXT2)
sdb3: encrypted raw,
- within that LVM and within that
- / (EXT4)

sda (HD)
sda1: encrypted raw,
- within that LVM and within that
- swap
- /home (EXT4)

at boot the passphrase is asked once and then it boots lightning fast.

So now in search to solve the other problems :-)

Thanks a lot for the help to everybody!

Daniel

On 01.03.2016 at 15:12, Vojtěch Zeisek wrote:
On Tuesday, 1 March 2016 11:32:23 CET, Daniel Bauer wrote:
I'd like to have a fully encrypted laptop (all except /boot/ , incl. / and swap) with leap 42.1.
I do this very commonly and without problems. So:
There is just one disk, create: 1) unencrypted /boot (ext4) 2) if on UEFI system, unencrypted /boot/efi (fat) 3) encrypted LVM and within it a) / (whatever FS) b) /home (if You like that division, I don't) c) swap
There are two disks (e.g. SSD for system): Disk A (e.g. SSD for system): 1) unencrypted /boot (ext4) 2) if on UEFI system, unencrypted /boot/efi (fat) 3) encrypted LVM and within it a) / (whatever FS) b) swap Disk B: 1) encrypted /home (XFS or ext4) Of course, You can decide where to have swap. In any case, as it is not possible to encrypt /, there must be encrypted LVM on disk A. If swap would be on disk B, there would be encrypted LVM containing /home and swap.
HTH
-- Daniel Bauer
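The following check is an added example, not part of any poster's message: it reads the JSON printed by `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` and reports any mounted file system or swap outside /boot and /boot/efi that does not sit on a dm-crypt mapping, plus the case reported above where /boot is not a separate unencrypted file system. The sample layouts, mapper names and LV names are constructed from the layout described in the thread, and an lsblk recent enough to support --json is assumed.

```python
import json

# Mount points the target layout in this thread leaves unencrypted.
ALLOWED_PLAINTEXT = {"/boot", "/boot/efi"}


def walk(node, encrypted=False):
    """Yield (name, mountpoint, encrypted) for every mounted device or active swap."""
    # A dm-crypt mapping has type "crypt"; everything stacked on it is encrypted.
    encrypted = encrypted or node.get("type") == "crypt"
    if node.get("mountpoint"):
        yield node["name"], node["mountpoint"], encrypted
    for child in node.get("children", []):
        yield from walk(child, encrypted)


def audit_lsblk(lsblk_json):
    """Return a list of findings; an empty list means the layout matches the goal."""
    mounts = [m for dev_ in json.loads(lsblk_json)["blockdevices"] for m in walk(dev_)]
    findings = []
    for name, mountpoint, encrypted in mounts:
        # Active swap shows up with the pseudo mount point "[SWAP]".
        if not encrypted and mountpoint not in ALLOWED_PLAINTEXT:
            findings.append(f"{mountpoint} on {name} is not encrypted")
    root_encrypted = any(mp == "/" and enc for _, mp, enc in mounts)
    has_plain_boot = any(mp == "/boot" and not enc for _, mp, enc in mounts)
    if root_encrypted and not has_plain_boot:
        findings.append("/boot is not a separate unencrypted file system")
    return findings


def dev(name, type_, fstype=None, mountpoint=None, children=()):
    """Build one lsblk-style node (helper for the constructed samples only)."""
    node = {"name": name, "type": type_, "fstype": fstype, "mountpoint": mountpoint}
    if children:
        node["children"] = list(children)
    return node


def layout(separate_boot=True, plain_swap=False):
    """Constructed lsblk JSON modelled on the thread's final layout (names made up)."""
    ssd = [dev("sdb1", "part", "vfat", "/boot/efi")]
    if separate_boot:
        ssd.append(dev("sdb2", "part", "ext2", "/boot"))
    root = dev("system-root", "lvm", "ext4", "/")
    ssd.append(dev("sdb3", "part", "crypto_LUKS", children=[
        dev("cr_sdb3", "crypt", "LVM2_member", children=[root])]))
    lvs = [dev("data-home", "lvm", "ext4", "/home")]
    hd = []
    if plain_swap:
        hd.append(dev("sda2", "part", "swap", "[SWAP]"))
    else:
        lvs.append(dev("data-swap", "lvm", "swap", "[SWAP]"))
    hd.insert(0, dev("sda1", "part", "crypto_LUKS", children=[
        dev("cr_sda1", "crypt", "LVM2_member", children=lvs)]))
    return json.dumps({"blockdevices": [
        dev("sda", "disk", children=hd), dev("sdb", "disk", children=ssd)]})


if __name__ == "__main__":
    for label, text in [("final layout", layout()),
                        ("no separate /boot", layout(separate_boot=False)),
                        ("plain swap", layout(plain_swap=True))]:
        print(label, "->", audit_lsblk(text) or "OK")
```

On a live system, pass the output of the lsblk command named above to `audit_lsblk()` instead of the constructed samples.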
This thread prompted my curiosity so I decided to experiment.

Regular readers may recall that I use LVM.. I already have a 13.1 system installed.

I used YaST/partitioned to create a new LV size 5G, ext4, all defaults, encrypted, format. First time I didn't specify that it should be mounted. It was created OK

# blkid /dev/vgmain/C111
/dev/vgmain/C111: UUID="8ed95c21-4b91-4b0c-9352-d3530ba5f8b1" TYPE="crypto_LUKS"

I then tried mounting:

# mount.crypt -v /dev/vgmain/C111 /mnt/disk
NOTE: mount.crypt does not support utab (systems with no mtab or read-only mtab) yet. This means that you will temporarily need to call umount.crypt(8) rather than umount(8) to get crypto volumes unmounted.
Password:
(mtcrypt.c:526): keysize=0 trunc_keysize=32
(crypto-dmc.c:167): Using _dev_dm_22 as dmdevice name
crypt_activate_by_passphrase: Device or resource busy

Well, that wasn't happy. I flutzed around in this area for a bit with no success. I read the man pages for crypttab and crypttabsetup, but didn't find them easy to understand.

Eventually I went back to YaST and tried to re-run but with a mount point specified. That produced a series of errors. So I deleted the LV and started over, this time specifying a mount point.

This created an entry in /etc/fstab

/dev/mapper/cr_mnt_crypt /mnt/crypt ext4 acl,user_xattr,nofail 0 2

Which isn't what I expected. I wonder what I'll get with another crypt'd LV?

That was mounted for me

/dev/mapper/cr_mnt_crypt on /mnt/crypt type ext4 \ (rw,relatime,data=ordered)

Yes it's there,

# df -h /mnt/crypt
Filesystem                Size  Used Avail Use% Mounted on
/dev/mapper/cr_mnt_crypt  4.9G   11M  4.6G   1% /mnt/crypt

It occurs to me that I can convert each and every one of my LVs to an encrypted LV. Regular readers may also recall that I have many LVs, in fact I've factored out /srv, /opt, /usr/share and much stuff from /home

My point here is that I can retrofit encrypted LV within an existing LVM setup.

Reading those man pages it looks like I could also convert in place existing LVs, but my understanding is far from complete.

--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
participants (9)
- Andrei Borzenkov
- Anton Aylward
- Carlos E. R.
- Chris Murphy
- Daniel Bauer
- James Knott
- John Andersen
- Malcolm
- Vojtěch Zeisek