Bug 446604 - Root and swap file system (filesystem) encryption support for YaST
Status: RESOLVED FEATURE
Alias: None
Product: openSUSE 11.1
Classification: openSUSE
Component: Security
Version: Factory
Hardware: Other Other
Importance: P3 - Medium : Enhancement with 19 votes
Target Milestone: ---
Assignee: Security Team bot
QA Contact: E-mail List
Reported: 2008-11-19 14:57 UTC by David Bailey
Modified: 2009-05-15 01:28 UTC

Description David Bailey 2008-11-19 14:57:03 UTC
According to bug report #445737 openSUSE 11.1 has been tested for and supports
an encrypted root file system through LUKS. However, the process to configure
this is manual, tedious, time consuming and error prone.

By allowing the user to encrypt the root and swap file systems (the /home file
system can already be encrypted) through YaST during the installation, these
manual steps could be averted and the overall user experience improved.

If there is a concern about user confusion with the modified boot process
(typing in a password at startup), there could be a warning given to the user
if they select to encrypt the root file system, after which it would be
allowed.

By supporting these changes, a user on a laptop could be reasonably assured
that his data could not be stolen if the laptop was lost. For justification,
see
http://en.opensuse.org/Encrypted_Root_File_System_with_SUSE_HOWTO#Why_encrypt_the_root_file_system.3F

Some of the changes which would be required to implement this would be changes
to YaST, allowing encryption of the root and swap file systems and changes to
how it creates the GRUB menu.lst file when it installs the boot loader.

According to Arvin Schnell, internal fate #304470 states this is a feature under consideration for SLES/SLED, but not openSUSE.

Help us Obi-Wan Kenobi (er... Andreas Jaeger), you're our only hope...

See also Bug 446122: https://bugzilla.novell.com/show_bug.cgi?id=446122
Comment 1 Ludwig Nussel 2008-11-19 15:06:44 UTC
Well, there is a feature request. When done it will work for openSUSE too. Not for 11.1 anymore though.
Comment 2 David Bailey 2008-11-19 15:15:25 UTC
Actually, this is for Factory, so we can look forward to it in the future.
Comment 3 Olli Artemjev 2009-05-15 01:28:14 UTC
Just my vote - the entire encryption should be supported at installation time.

At least I've installed on PC designated to collocation current Debian w/ entire encryption and /boot on removable (USB flash) w/o serious problems (short description in Russian here: http://grey-olli.livejournal.com/320477.html) via installation interface - no terminal hand made commands intervention required.

I see 3 variants:

1. encrypted devices as physical volumes for LVM volume groups
2. encryption of LVM logical volumes
3. just encrypted devices w/o LVM

At least 1st one is easy w/ Debian install now. Hope next SuSE will have this easy too, better if all 3 variants. :)