openSUSE 11.1 doesn’t officially support an encrypted root file
system, which also means YaST doesn’t allow creating such a setup.
By manually creating an encrypted partition and putting LVM into the
encrypted container it’s however possible to trick YaST into
accepting that as the root file system.
In the following example I assume that the system has one hard disk,
/dev/sda. We use a /boot (100MB), swap (500MB), / (4GB) and /usr
(remaining space) partition. For your own setup you have to adapt
the device names and sizes of course.
Start the installation by e.g. booting the openSUSE 11.1
installation DVD. After you’ve selected your language and keyboard
layout, switch to a text console (ctrl-alt-f2).
Use e.g. fdisk to create two partitions:
- /dev/sda1, 100MB for /boot (this one stays unencrypted, since GRUB has to read the kernel and initrd before anything can be unlocked)
- /dev/sda2, remaining space (this becomes the LUKS container)
Now create and open a LUKS volume on /dev/sda2:
cryptsetup luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 root
After that create the logical volumes inside the encrypted
container:
pvcreate /dev/mapper/root
vgcreate system /dev/mapper/root
lvcreate -L 500M -n swap system
lvcreate -L 4G -n root system
lvcreate -l 100%FREE -n usr system
Continue the installation, go to the expert partitioner and format
- /dev/sda1 for /boot
- /dev/mapper/system-swap for swap
- /dev/mapper/system-root for /
- /dev/mapper/system-usr for /usr
You may need to tell YaST to re-read the hard disk layout before it
displays the volume group.
When the initial installation is nearly finished and the reboot
countdown appears, stop the timer. The initrd needs a few hacks so
that it knows to unlock LUKS before mounting root. Go to a text
console again, mount the new system and chroot into it:
mount /dev/mapper/system-root /mnt
mount /dev/mapper/system-usr /mnt/usr
mount /dev/sda1 /mnt/boot
for i in dev sys proc; do mount --bind /$i /mnt/$i; done
chroot /mnt
Create /etc/sysconfig/initrd with the following two lines:
root_luks=1
luks=root
In /boot/grub/menu.lst append the following to the kernel command line:
luks_root=/dev/sda2
Now run mkinitrd:
mkinitrd
It should list ‘luks’ and ‘lvm2’ in its features line.
Update: kernel updates will revert the changes to menu.lst. To
prevent that, edit /etc/sysconfig/bootloader. Search for the _APPEND
variables (DEFAULT_APPEND, FAILSAFE_APPEND) and add
luks_root=/dev/sda2 there as well. Thanks Earl Ruby for that
hint!
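The chroot edits from the steps above (the initrd sysconfig file, the kernel line in menu.lst and the _APPEND variables), as an added shell script that is not part of the original post. It assumes GNU sed -i, double-quoted values in /etc/sysconfig/bootloader and the openSUSE 11.1 menu.lst layout; the file name luks-root-fix.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post. Applies the post-install
# fixes described above to an installed system tree. Assumptions: GNU sed -i,
# double-quoted values in /etc/sysconfig/bootloader, and the menu.lst layout
# of openSUSE 11.1 (one "kernel" line per boot entry). Inside the chroot:
#   sh luks-root-fix.sh / /dev/sda2   and afterwards run mkinitrd.
set -eu

# Make mkinitrd include the luks feature for the device named in luks_root.
write_initrd_sysconfig() {               # $1 = root of the installed system
    printf 'root_luks=1\nluks=root\n' > "$1/etc/sysconfig/initrd"
}

# Append luks_root=DEV to every "kernel" line that does not carry it yet.
fix_menu_lst() {                         # $1 = menu.lst, $2 = LUKS device
    sed -i '/^[[:space:]]*kernel /{/luks_root=/!s|$| luks_root='"$2"'|;}' "$1"
}

# Put luks_root=DEV inside the quotes of DEFAULT_APPEND and FAILSAFE_APPEND so
# the menu.lst that a kernel update regenerates keeps the parameter.
fix_bootloader_sysconfig() {             # $1 = sysconfig/bootloader, $2 = device
    sed -i '/^\(DEFAULT_APPEND\|FAILSAFE_APPEND\)=/{/luks_root=/!s|"[[:space:]]*$| luks_root='"$2"'"|;}' "$1"
}

# Returns 0 only when all three files carry the settings for DEV; use it before
# rebooting after a kernel update, which is when the setting tends to vanish.
check_luks_root() {                      # $1 = root dir, $2 = LUKS device
    grep -q '^root_luks=1$' "$1/etc/sysconfig/initrd" || return 1
    grep -q '^luks=root$'   "$1/etc/sysconfig/initrd" || return 1
    # a kernel line without the parameter means the initrd will not find root
    if grep '^[[:space:]]*kernel ' "$1/boot/grub/menu.lst" | grep -qv "luks_root=$2"; then
        return 1
    fi
    for v in DEFAULT_APPEND FAILSAFE_APPEND; do
        grep "^$v=" "$1/etc/sysconfig/bootloader" | grep -q "luks_root=$2" || return 1
    done
}

apply_luks_root_fixes() {                # $1 = root dir, $2 = LUKS device
    write_initrd_sysconfig "$1"
    fix_menu_lst "$1/boot/grub/menu.lst" "$2"
    fix_bootloader_sysconfig "$1/etc/sysconfig/bootloader" "$2"
}

if [ "$#" -eq 2 ]; then                  # no-op when sourced without arguments
    apply_luks_root_fixes "$1" "$2"
    check_luks_root "$1" "$2"
    echo "luks_root=$2 set in menu.lst and sysconfig/bootloader; now run mkinitrd"
fi
```

Running only check_luks_root against / after a kernel update is a quick way to see whether the parameter survived before you reboot.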
Log out of the chroot and continue the reboot. If YaST does not
really reboot but uses kexec to start the new kernel directly, things
won’t work the first time. Just press ctrl-alt-del to perform a real
reboot while it unsuccessfully tries to find the root partition.
If after a real reboot the initrd still drops you to a shell after a
long timeout instead of prompting for the password, use the following
commands to unlock the encrypted partition:
cryptsetup luksOpen /dev/sda2 root
vgchange -a y system
Then press ctrl-d to continue booting.
Good luck and please don’t blame me for any breakage. I haven’t tried to use this in production either yet.
And will this be added to 11.2 installer?
https://features.opensuse.org/305633
When you only ever use a single password, the normal dm-crypt is much faster than LUKS during setup of the crypt mapping.
And if it were not for yast, the LVM indirection could also be saved.
Well, maybe. Chances to have the setup supported (e.g. for distribution upgrade) are much higher when using formats that are already supported and can easily be detected though.
Works before leaving language/keyboard layout screen when you “modprobe dm-crypt” and “modprobe aes”. Doing it a screen later locked the disk device for some reason.
Additional note for those trying it: Beware of kernel updates. The luks_root option seems to get lost so check your menu.lst before rebooting:
https://bugzilla.novell.com/show_bug.cgi?id=490045
Since the latest kernel update my system is not booting anymore even after restoring menu.lst. Is it possible that the order of loading necessary files changed?
You can’t use the old menu.lst as the file name of the kernel has changed. You just need to add the luks_root=/dev/sda2 parameter in the new file again.
Sorry, I think I expressed myself here a bit imprecisely. I did not use the initial menu.lst; instead I edited the newly created menu.lst file with the reference to the new kernel and added luks_root=/dev/sda3 (in my case) and luks=root. Still, after the reboot I’m no longer prompted for the luks password.
You need to re-add it to menu.lst and re-run mkinitrd. If you updated your kernel and then rebooting failed, boot off the SUSE Live CD disk, fire up Gnome Terminal, and:
cryptsetup luksOpen /dev/sda2 root
Enter decrypt password. Then:
mount /dev/mapper/system-root /mnt
mount /dev/mapper/system-usr /mnt/usr
mount /dev/sda1 /mnt/boot
for i in dev sys proc; do mount --bind /$i /mnt/$i; done
chroot /mnt
Add “luks_root=/dev/sda2” to /boot/grub/menu.lst, then re-run mkinitrd.
To keep kernel updates from messing up your system again, add the string “luks_root=/dev/sda2” to the end of the DEFAULT_APPEND and FAILSAFE_APPEND lines in /etc/sysconfig/bootloader.
I can confirm that this is the only necessary change. My problem arose because I added an additional grub item and I forgot to specify the initrd. Beginner error, sorry.
Hi,
can you explain a bit more in detail why
Create /etc/sysconfig/initrd with the following two lines:
root_luks=1
luks=root
is necessary and what it is doing. Is it just necessary for making the new initrd or also during startup?
it’s a hack to trick mkinitrd into using luks (root_luks=1) for the device in the variable ‘luks_root’ (due to luks=root). See /lib/mkinitrd/scripts/setup-luks.sh
One step you need to add: People need to modify the /etc/sysconfig/bootloader configuration file and add the string “luks_root=/dev/sda2” to the end of both the DEFAULT_APPEND and FAILSAFE_APPEND lines, otherwise the next time the system updates the kernel it will not include this setting in the /boot/grub/menu.lst file and the system fails to boot.