action #128696

Updated by lnussel about 1 year ago

On first boot, before any credentials such as passwords or ssh keys are created, offer a way to encrypt the full hard disk. 

 Manual steps to do that: 

 boot microos image from 
 in a VM. Finish first boot wizard, then log in as root. 

 update initrd to include cryptsetup: 

         dracut --add-drivers dm-crypt -a crypt -I /usr/sbin/cryptsetup -f /boot/efi/opensuse-microos/*/initrd-* 

 resize file systems (FIXME: figure out proper amount): 

         btrfs filesystem resize 2G /root 
         btrfs filesystem resize 2G /var 

 reboot telling systemd-boot to show the menu: 

         systemctl reboot --boot-loader-menu=3 

 In the menu press 'e' and append the following command line: 


 The system will drop into emergency mode. Enter root password. Then reencrypt the root device: 

         echo 12345 | cryptsetup reencrypt --encrypt --type luks2 --reduce-device-size 32m -q --force-password /dev/vda3 
         echo 12345 | cryptsetup reencrypt --encrypt --type luks2 --reduce-device-size 32m -q --force-password /dev/vda4 

 Open the new luks device and mount it: 

         cryptsetup open /dev/vda3 cr_root 
         mount -o rw /dev/mapper/cr_root /sysroot 

 Change root volume to read-write, create crypttab, switch to ro again 

         btrfs prop set -t s /sysroot ro false 
         echo cr_root /dev/vda3 none x-initrd.attach > /sysroot/etc/crypttab 
         echo cr_var /dev/vda4 none x-initrd.attach >> /sysroot/etc/crypttab 
         btrfs prop set -t s /sysroot ro true 
         mount -o remount,ro /sysroot 

 Open and mount /var 

         cryptsetup open /dev/vda4 cr_var 
         mount /dev/mapper/cr_var /sysroot/var 

 Exit the shell; the system should continue to boot 

 When booted, log in as root and rebuild initrd so it finds the luks devices 

         dracut -f /boot/efi/opensuse-microos/*/initrd-*
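The steps above wrapped into a helper script, as an added example that is not part of the ticket or of MicroOS: it computes the shrink size from the device size instead of the hard-coded 2G (the FIXME above), so the filesystem ends up exactly 32 MiB smaller than the partition to match `--reduce-device-size 32m`, and it generates the crypttab entries from name=device pairs. Assumptions not in the ticket: the script name fde-helpers.sh, the 32 MiB header reserve, and that the root filesystem is resized via its mountpoint `/`.

```shell
#!/bin/sh
# Added helper script (not from the ticket): wraps the manual steps so the
# shrink amount is derived from the device size and crypttab is generated.
# Assumption: 32 MiB reserved for the LUKS2 header, matching --reduce-device-size 32m.
set -eu

REDUCE_BYTES=$((32 * 1024 * 1024))   # must match --reduce-device-size below

# Largest size (bytes) the filesystem may have before `cryptsetup reencrypt
# --encrypt --reduce-device-size` can shift it forward to make room for the header.
target_fs_size() {
    echo $(( $1 - REDUCE_BYTES ))
}

# True if a filesystem of $1 bytes fits on a device of $2 bytes after reduction.
fs_fits() {
    [ "$1" -le "$(target_fs_size "$2")" ]
}

# crypttab entry in the form the ticket uses; x-initrd.attach makes systemd
# open the volume from the initrd, before switching to the real root.
crypttab_line() {
    printf '%s %s none x-initrd.attach\n' "$1" "$2"
}

# Step "resize file systems": shrink the btrfs on $2 (mounted at $1) to exactly
# device size minus the header reserve. Run on the booted system before rebooting.
shrink_fs() {
    mnt=$1; dev=$2
    dev_bytes=$(blockdev --getsize64 "$dev")
    btrfs filesystem resize "$(target_fs_size "$dev_bytes")" "$mnt"
}

# Step "reencrypt": in-place LUKS2 conversion from the emergency shell.
# The passphrase is read from stdin, as in the ticket (echo 12345 | ...).
reencrypt_dev() {
    dev=$1
    cryptsetup reencrypt --encrypt --type luks2 \
        --reduce-device-size "$((REDUCE_BYTES / 1024 / 1024))m" -q --force-password "$dev"
}

# Step "create crypttab": $1 is the mounted root (/sysroot in the initrd),
# remaining args are name=device pairs. Root is flipped rw/ro as in the ticket.
write_crypttab() {
    root=$1; shift
    btrfs prop set -t s "$root" ro false
    : > "$root/etc/crypttab"
    for pair in "$@"; do
        crypttab_line "${pair%%=*}" "${pair#*=}" >> "$root/etc/crypttab"
    done
    btrfs prop set -t s "$root" ro true
}

# Entry points. Example use with the ticket's layout (vda3 = root, vda4 = /var):
#   sh fde-helpers.sh shrink /    /dev/vda3
#   sh fde-helpers.sh shrink /var /dev/vda4
#   echo 12345 | sh fde-helpers.sh reencrypt /dev/vda3
#   sh fde-helpers.sh crypttab /sysroot cr_root=/dev/vda3 cr_var=/dev/vda4
case "${1:-}" in
shrink)    shrink_fs "$2" "$3" ;;
reencrypt) reencrypt_dev "$2" ;;
crypttab)  shift; write_crypttab "$@" ;;
esac
```

With no arguments the script only defines its functions, so the size arithmetic and the crypttab formatting can be checked on any machine; the shrink, reencrypt and crypttab steps still have to run at the same points in the boot sequence as the manual steps above (shrink on the booted system, the other two from the initrd emergency shell).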