>Most Linux distributions have an option within their installer for enabling LUKS full disk encryption. If this option isn’t set at installation time, you will have to back up your data and re-install, as encryption is applied after disk partitioning but before filesystem creation.
If you have a live CD and enough spare disk space, you can create a new LUKS partition and dd / filesystem-specific-backup-restore your existing partition into it. You don't have to back up and reinstall.
If you're already using systemd-gpt-auto-generator to auto-detect the root partition, you just have to make sure the new partition has the expected UUID. Depending on your setup you might have to regenerate the initramfs though, say because it didn't already contain `/usr/bin/cryptsetup` etc.
>openSUSE uses a unique ID to count systems, which can be disabled by deleting the /var/lib/zypp/AnonymousUniqueId file.
Deleting it will not help since it'll get recreated by the next command that needs it. Empty it instead.
>Encrypted /boot [...]
>- openSUSE uses LUKS1 instead of LUKS2 for encryption.
>- GRUB supports PBKDF2 key derivation only, not Argon2 (the LUKS2 default).
Yes, the first point is because of the second point. There isn't a security difference between LUKS1 and 2 when using PBKDF2, so sticking with LUKS1 means you can't accidentally switch to non-PBKDF2 and end up with an unbootable system. But yes, switching away from GRUB, as the next point talks about, is ideal. And if you switch to UEFI boot with UKIs in /efi then you won't need a separate encrypted /boot anyway.
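A check for the PBKDF point discussed in the comment above, added here as an example and not part of the original comment: it lists the LUKS2 keyslots whose PBKDF is something other than pbkdf2. The function names and the sample dump are constructed for illustration; the sample follows the layout of `cryptsetup luksDump` output.

```shell
#!/bin/sh
# Added example: list LUKS2 keyslots whose PBKDF is not pbkdf2.
# Reads `cryptsetup luksDump` text on stdin and prints "<slot>:<pbkdf>"
# for each such slot. A LUKS1 dump has no "Keyslots:" section
# (LUKS1 always uses PBKDF2), so nothing is printed for it.
grub_incompatible_slots() {
    awk '
        /^Keyslots:/ { in_slots = 1; next }   # start of the keyslot section
        /^[A-Za-z]/  { in_slots = 0 }         # any other top-level header ends it
        in_slots && $1 ~ /^[0-9]+:$/ { slot = $1; sub(/:$/, "", slot) }
        in_slots && $1 == "PBKDF:" && $2 != "pbkdf2" { print slot ":" $2 }
    '
}

# Constructed sample dump (not taken from a real device): slot 0 uses
# argon2id, slot 1 uses pbkdf2. The "Digests:" entry also mentions pbkdf2
# and must not be mistaken for a keyslot.
sample_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
Epoch:          4
Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

# Real use (needs root): cryptsetup luksDump /dev/<device> | grub_incompatible_slots
sample_dump | grub_incompatible_slots
```

Empty output means every keyslot already uses pbkdf2; any slot it prints is one the comment's "non-PBKDF2" case applies to.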
> Deleting it will not help since it'll get recreated by the next command that needs it. Empty it instead.
Interesting. Are you sure about this? The Wiki says it can be deleted and I did not see it coming back during my time with openSUSE. I can check it again later though.