Bug 446122

Summary: Root and swap file system (filesystem) encryption support for YaST
Product: [openSUSE] openSUSE 11.1
Reporter: David Bailey <dr>
Component: YaST2
Assignee: Arvin Schnell <aschnell>
Status: RESOLVED FEATURE
QA Contact: Jiri Srain <jsrain>
Severity: Enhancement
Priority: P3 - Medium
CC: grey-olli
Version: Beta 5
Target Milestone: ---
Hardware: x86-64
OS: Other
Whiteboard:
Found By: Beta-Customer
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description David Bailey 2008-11-18 15:41:16 UTC
According to bug report #445737 openSUSE 11.1 has been tested for and supports an encrypted root file system through LUKS. However, the process to configure this is manual, tedious, time consuming and error prone.

By allowing the user to encrypt the root and swap file systems (the /home file system can already be encrypted) through YaST during the installation, these manual steps could be averted and the overall user experience improved.

If there is a concern about user confusion with the modified boot process (typing in a password at startup), there could be a warning given to the user if they select to encrypt the root file system, after which it would be allowed.

By supporting these changes, a user on a laptop could be reasonably assured that his data could not be stolen if the laptop was lost. For justification, see http://en.opensuse.org/Encrypted_Root_File_System_with_SUSE_HOWTO#Why_encrypt_the_root_file_system.3F

Some of the changes which would be required to implement this would be changes to YaST, allowing encryption of the root and swap file systems and changes to how it creates the GRUB menu.lst file when it installs the boot loader.
Comment 1 Arvin Schnell 2008-11-18 16:09:21 UTC
This issue is already under discussion. But it's a feature and
will not be available in 11.1.
Comment 2 David Bailey 2008-11-19 13:52:16 UTC
Okay, how do I put it into an "official" feature request that others can vote for so it can be considered for a future release of openSUSE?

Thanks!
Comment 3 Arvin Schnell 2008-11-19 14:03:36 UTC
It is already discussed (for SLES/SLED) in fate #304470 but external
people cannot access that fate entry.

Maybe the best thing you can do is to ask Andreas Jaeger (e.g. on
opensuse-factory) to request it also for openSUSE.
Comment 4 Olli Artemjev 2009-05-15 01:32:13 UTC
Well, currently Debian supports entire encryption using only install interface (sorry for duplicating below:)

Just my vote - the entire encryption should be supported at installation time in Open SuSE 11.2.

At least I've installed on pc designated to collocation current debian w/
entire encryption and /boot on removable (usb flash) w/o serious problems
(short description in Russian here:
http://grey-olli.livejournal.com/320477.html) via installation interface - no
terminal hand made commands intervention required.

I see 3 variants: 

encrypted devices as physical volumes for LVM volume groups.
encryption of LVM logical volumes
just encrypted devices w/o LVM

At least 1st one is easy w/ Debian install now. Hope next SuSE will have this
easy too, better if all 3 variants. :)