action #128696
Updated by lnussel almost 2 years ago
On fist boot, before any credentials such as ass passwords or ssh keys are created, offer a way to encrypt the full hard disk. Manual steps to do that: boot microos image from https://download.opensuse.org/repositories/devel:/microos:/systemd-boot:/release/images/ in a VM. Finish first boot wizard, then log in as root. update initrd to include cryptsetup: dracut --add-drivers dm-crypt -a crypt -I /usr/sbin/cryptsetup -f /boot/efi/opensuse-microos/*/initrd-* resize file systems (FIXME: figure out proper amount): btrfs filesystem resize 2G /root btrfs filesystem resize 2G /var reboot telling systemd-boot to show the menu: systemctl reboot --boot-loader-menu=3 In the menu press 'e' and append the following command line: rd.break=pre-mount The system will drop into emergency mode. Enter root password. Then reencrypt the root device: echo 12345 | cryptsetup reencrypt --encrypt --type luks2 --reduce-device-size 32m -q --force-password /dev/vda3 echo 12345 | cryptsetup reencrypt --encrypt --type luks2 --reduce-device-size 32m -q --force-password /dev/vda4 Open the new luks device and mount it: cryptsetup open /dev/vda3 cr_root mount -o rw /dev/mapper/cr_root /sysroot Change root volume to read-write, create crypttab, switch to ro again btrfs prop set -t s /sysroot ro false echo cr_root /dev/vda3 none x-initrd.attach > /sysroot/etc/crypttab echo cr_var /dev/vda4 none x-initrd.attach >> /sysroot/etc/crypttab btrfs prop set -t s /sysroot ro true mount -o remount,ro /sysroot Open and mount /var cryptsetup open /dev/vda4 cr_var mount /dev/mapper/cr_var /sysroot/var Exit the shell, system should continue to boot When booted, log in as root and rebuild initrd so it finds the luks devices dracut -f /boot/efi/opensuse-microos/*/initrd-*