A Guide to an Encrypted Cosmic Gecko
Lately I installed Fedora Cosmic, with LUKS2 encryption, secure boot et al. It was an excellent learning experience, but it also involved some manual actions during installation. I remembered OpenSuse offered this whole setup integrated in the installer, with only the Cosmic Desktop to be added. This guide describes all that, from ISO to Desktop, and how to get there. Have fun!
First off: get the full DVD iso of Tumbleweed from here:
https://get.opensuse.org/tumbleweed/#download
Burn and boot the iso and press Next to begin.
In the Network Settings choose the appropriate adapter. For me the wifi adapter was not recognized, but we can add that manually:
- Add
- Device Type: Wireless
- And then fill in your SSID name, choose WPA-PSK ("home") and enter the Password; Next
On the Hostname/DNS tab you can adjust some things to your liking. For me that was:
- Fill in a Static Hostname
- Set Hostname via DHCP: no; Next
Network Settings will be activated and we will roll into the next part:
Select a System Role for your system. Since we will be adding the Cosmic desktop to our system we'd like to start out as lean as possible and choose:
- Server
Suggested Partitioning
We see a setup that, in general, will work well. I suggest accepting it, but we still have two changes to make before that:
- get rid of the swap partition (we'll be using zram later on)
- enable LUKS2 encryption
So go to:
- Expert Partitioner - Start with Current Proposal
- Select both the root btrfs (/) and swap partition and delete them, leaving you with only the EFI System Partition.
- Select the free space created on your disk (either /dev/sd* or /dev/nvme0n1*) and press Add Partition
- Accept the Maximum Size, change Role to Operating System
- Leave the Formatting Options as is, but do select Encrypt Device and choose LUKS2 Encryption and enter the Encryption Password.
As you can see in the layout, swap is gone, the btrfs subvolumes are back and we know both full disk encryption and snapshots have been enabled. Accept and press Next to:
- Select Clock and Time Zone
After that you'll be in the Local Users screen:
- Create New User
- If checked, deselect Automatic Login
After pressing Next we see the Installation Settings. Remember we chose the Server preset, so:
- Secure Boot, firewall, SELinux and the ssh service will all be started
- systemd-boot is used for booting
Press Next to start the install and the automatic reboot.
In the systemd-boot screen you can already see the first snapshot being available and, if all went well, you'll be greeted by the Tumbleweed decryption dialog box.
Log in as the installed user and:
- 'sudo su', enter the password and get into the root prompt
- 'usermod -a -G wheel,video,audio {USER}'
- type 'sudo nmtui' to select and activate the network connection you'd like to use
- 'ping -c 3 voidlinux.org' to test.
All good? Let's go!
- 'sudo zypper dup'
Populate the package db, connect to all repositories and update if necessary.
Because we'd like to touch on all available packages and repos we'll install opi (OBS Package Installer).
OBS is the Open Build Service, where all OpenSuse packages are built.
Caution:
Opi is comparable to yay or paru on Arch Linux: it searches across all available repos and packages, including very old and stale ones, or ones from users that you probably don't know. I use opi to find and install latest versions in various official OpenSuse build streams, not from random users.
For example: I like to use doas/opendoas.
- If I do a 'zypper in doas' I get a 'no package found' reply back
- If I do an 'opi doas' I get multiple results.
When I choose the option 'doas' I get a repo result in red, indicating it is a user repository.
When I select opendoas I get a repo result in blue, which leads me to security@build.opensuse.org as source repo.
That's my preferred one. In the end I'm asked if I'd like to keep the repo 'security'. Of course! Then I give myself the power of doas:
- 'sudo nano /etc/doas.conf' and add 'permit nopass keepenv {USER}'
Let's check if it works:
- 'doas zypper in fastfetch'
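The rule above gives {USER} root without a password prompt and passes the caller's environment along. The script below is an added example, not part of the original guide: it lets doas syntax-check the file and lists every permit rule that carries nopass or keepenv. The function names and the --review switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the guide: review a doas.conf before trusting it.

# List permit rules that carry nopass or keepenv, with their line numbers.
#   nopass  : root without re-entering a password for that identity
#   keepenv : the caller's whole environment reaches the root command
risky_doas_rules() {
    awk '
        { sub(/#.*/, "") }                     # drop comments
        $1 == "permit" {
            flags = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "as" || $i == "cmd") break   # options end here
                if ($i == "nopass" || $i == "keepenv") flags = flags " " $i
            }
            if (flags != "") printf "line %d:%s\n", NR, flags
        }' "$1"
}

# Syntax-check the file with doas itself (-C), then print the risky rules.
# Run as root so the config file is readable.
review_doas_conf() {
    conf=${1:-/etc/doas.conf}
    doas -C "$conf" || { echo "syntax error in $conf"; return 1; }
    risky_doas_rules "$conf"
}

# Alternatives that keep a password prompt (persist is an assumption here:
# it needs an OpenDoas build with timestamp support):
#   permit persist :wheel
#   permit persist {USER} cmd zypper

if [ "${1:-}" = "--review" ]; then review_doas_conf "${2:-}"; fi
```

An empty result from the review means no rule grants passwordless or environment-preserving root.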
Now for two OpenSuse additions:
- 'opi codecs' which will let you select (and later keep) the Packman repository and install all proprietary codecs for you.
Packman is a community-maintained repository, which mostly provides codecs and other proprietary software that can't be included by default in the OpenSuse distribution.
Second: our zram swap:
- 'doas zypper in systemd-zram-service'
- 'doas systemctl enable --now zramswap.service'
If you run fastfetch now you will see a swap amount mentioned.
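To confirm the pieces set up so far, this added script (not part of the original guide) checks that the encrypted partition really is LUKS2, that Secure Boot is enabled and that all active swap sits on zram. The function names are assumptions, and /dev/nvme0n1p2 is only a placeholder for your own encrypted partition; run it as root.

```shell
#!/bin/sh
# Added example, not from the guide. The parsers read tool output on stdin.

# LUKS header version from `cryptsetup luksDump DEVICE` output (want: 2).
luks_version() {
    awk '$1 == "Version:" { print $2; exit }'
}

# Secure Boot state from `bootctl status` output: "enabled" or "disabled".
secure_boot_state() {
    awk -F': *' '/^ *Secure Boot:/ { split($2, w, " "); print w[1]; exit }'
}

# Succeeds only if /proc/swaps-style input lists at least one swap device
# and every one is a zram device (no on-disk swap partition left over).
swap_is_zram_only() {
    awk 'NR > 1 { n++; if ($1 !~ /^\/dev\/zram[0-9]+$/) bad = 1 }
         END { exit ((n > 0 && !bad) ? 0 : 1) }'
}

# Live check, run as root: verify_install /dev/nvme0n1p2  (placeholder device)
verify_install() {
    dev=$1 rc=0
    [ "$(cryptsetup luksDump "$dev" | luks_version)" = 2 ] \
        || { echo "FAIL: $dev is not LUKS2"; rc=1; }
    [ "$(bootctl status 2>/dev/null | secure_boot_state)" = enabled ] \
        || { echo "FAIL: Secure Boot is not enabled"; rc=1; }
    swap_is_zram_only < /proc/swaps \
        || { echo "FAIL: swap is missing or not zram-only"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: LUKS2, Secure Boot and zram swap verified"
    return "$rc"
}

if [ -n "${1:-}" ]; then verify_install "$1"; fi
```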
Now for installing Cosmic onto our lean base:
Add the necessary repositories:
- 'doas zypper addrepo --refresh https://download.opensuse.org/repositories/X11:COSMIC:Next/openSUSE_Factory/X11:COSMIC:Next.repo'
Then update your database:
- 'doas zypper refresh'
If you wish to install a full cosmic desktop:
- 'doas zypper in patterns-cosmic-cosmic'
For minimal setup (Firefox & minimal cosmic desktop components):
- 'doas zypper in patterns-cosmic-basic'
This is a very basic setup, without many of the Cosmic applications, like the Cosmic Store, but you can add them all later on.
And finally:
- 'doas systemctl enable cosmic-greeter.service'
After reboot and login:
Due to the enormous amount of default snapshots I suggest reading up on Snapper and its configuration. You can find that over here: https://wiki.archlinux.org/title/Snapper
You can then 'doas nano /etc/snapper/configs/root' and adjust to your personal prefs.
For example: my limits are set to 1 to 8, and important ones from 1 to 3. My Timeline limits are Daily=3, Weekly=1 and Monthly=5.
Enjoy Tumbleweed Cosmic!
Feel free to use these builds and dots as you like. I do not, however, imply any form of support or ongoing maintenance. And of course, you use them entirely at your own risk.