System Encrypted but have to supply password again for MD Raid

Hi all,

I followed this tutorial to encrypt my entire installation:

SDB:Encrypted root file system - openSUSE

It worked splendidly and whoever wrote it should get a lifetime supply of beer.

After I got the install encrypted I made a RAID 1 array of 2 1GB disks and encrypted that as well. They are used for a data repository.

mdadm --examine --scan

ARRAY /dev/md/0 metadata=1.0 UUID=54071d0d:a46ace4d:2908f92d:f4c60b41 name=linux:0

My menu.lst looks like this:

kernel /vmlinuz-2.6.37.1-1.2-desktop root=/dev/mapper/root luks_root=/dev/sda5 luks_swap=/dev/sda3 luks_home=/dev/sda6 luks="root swap home" resume=/dev/disk/by-id/ata-Hitachi_HDS721010CLA332_JP2921HQ1D4DMA-part3 splash=silent quiet showopts vga=0x365

When the machine boots up it asks for a passphrase and when it's provided it unlocks root, swap and home in one fell swoop. Later on in the boot it asks for my password again for the RAID array. It's the same password and I was wondering if there is some way to get it so I don't have to enter the same password a second time.

I tried doing all kinds of things to the menu.lst boot options:

I added this: luks_backup=/dev/md0 to this:
root=/dev/mapper/root luks_root=/dev/sda5 luks_swap=/dev/sda3 luks_home=/dev/sda6 luks="root swap home" <- added backup here as well.

I added this: luks_backup=/dev/md0 md=0,/dev/sdc1,/dev/sdf1 with no luck.

I ran mkinitrd after all changes and nothing worked.

When booting it says it’s waiting for backup…

and then it says access denied or the volume isn’t ready and that’s it.

Can anybody help me with this? I'd like to be able to put the password in once and have ALL the devices unlocked. It does it with the system partitions so, I figure, it should be able to do it with one more drive.

I’ve been using Opensuse for about 5 years now and love it. Any suggestions are greatly appreciated. It’s certainly a constant learning experience.

Specs:
OS Opensuse 11.4 Fresh install for about a week now. Previous edition: 11.2
All the default programs that come with a fresh install including KDE 4.6
Installed on a 1GB Hitachi Sata 2 drive.

Well, you have encrypted 2 things, so it needs 2 passwords.

Actually, I’ve encrypted 4 things. Maybe I should be putting in 4 passwords.

Root
Swap
Home
RAID

No, you put a lock on root, swap and home in one operation; you put a lock on RAID in another. You need 2 keys for the 2 locks. It might have worked if you had added the RAID before you encrypted.

Sorry but that doesn’t make any sense. If you look at the article I quoted it shows the procedure. I encrypted swap first. Then I encrypted home…but it turned out to be root. I copied root into home, ran mkinitrd and added the code to menu.lst. That could be considered one “operation”, as you said. THEN I rebooted entered the passphrase, logged in as root and made sure it was working. After that I set up and encrypted the home directory. This could be considered a second “operation” as I had rebooted before, right? By your logic I should have had to enter 2 passwords the next time I booted. One for root/swap and one for home right since they had been done in two “operations”?

I think, if anything, it has to do with how Suse loads drivers and you have to call the module that loads the raid in menu.lst or some other way. Anyway, not expecting to get this solved.

Yeah, I figured it out…well another way to do it, anyway.

If you’re interested here’s a great article on how it can be done in another way:

Setting up an encrypted Debian system

I figured that the root partition is encrypted already so I could store a randomly created key in the directory in etc as the author advised. The system boots; I provide the passphrase; the root partition is unlocked; and the passphrase in the directory /etc/keys/ is read to the raid array and WHAMMO, it's unlocked. I don't have to enter two passwords.

I also found out why it couldn't be done the way I wanted to do it. If you're interested, look up the noearly entry for crypttab. And if you're running an encrypted raid array then you had better add noearly to the 4th column in crypttab.

Thanks all, and I’s is out.

P.S. I guess I’m not a “puzzled penguin” as much as some of the people around here.

On 2011-03-23 07:06, kirm wrote:
>
> Yeah, I figured it out…well another way to do it, anyway.
>
> If you’re interested here’s a great article on how it can be done in
> another way:
>
> ‘Setting up an encrypted Debian system’
> (http://madduck.net/docs/cryptdisk/)
>
> I figured that the root partition is encrypted already so I could store
> a randomly created key in the directory in etc as the author advised.
> The system boots; I provide the passphrase; the root partition is
> unlocked; and the passphrase in the directory /etc/keys/ is read to the
> raid array and WHAMMO, it's unlocked. I don't have to enter two
> passwords.

Ah, yes, I thought this was mentioned in the wiki page. But I didn’t know
about that directory - what filename do you use, or better, is this
explained on some man page? Ah, yes, the link to doc you mention above. I
see…

> I also found out why it couldn’t be done the way I wanted to do it. If
> you're interested, look up the noearly entry for crypttab. And if you're
> running an encrypted raid array then you had better add noearly to the
> 4th column in crypttab.

You mean that the array is not setup early, it needs a init script, so it
has to be skipped at the time the password is given? Mmmm…

>
> Thanks all, and I’s is out.
>
> P.S. I guess I’m not a “puzzled penguin” as much as some of the people
> around here.

Ha, those names depend on the number of posts you write, not your
experience. And some, like me, do not see them, because we access via nntp.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

On 2011-03-23 07:06, kirm wrote:
>
> Yeah, I figured it out…well another way to do it, anyway.

Forgot to mention, another source of information is the security mail list.
We discussed how to do what you have done; the normal yast solution is to
put all the partitions under a LVM setup, and then, you only need one
password for the LVM setup; partitions are inside.

> http://lists.opensuse.org/opensuse-security/2010-10/msg00000.html


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

Hmm will LVM work with some RAID and some not RAID?

Thanks Carlos,

Yeah, I’d read that article and didn’t see how it applied to me until now. Good subject but whoever suggested removing this page: SDB:Encrypted root file system - openSUSE in that article should be whipped with a wet noodle. Not all of us want to use LVM. The way outlined works perfectly well if you take the time to read it carefully, have some patience and apply it to your release. I’m sure it could be used for any flavor of Linux as well. It’s the broad strokes that count…

About the key name and folder: I followed his suggestion of putting a keys folder in etc because it made sense to me but it could have been put wherever. I named the file after my array md0 and then added the luks tail as he suggested. Again, it wouldn’t have mattered what it was called.

In addition, I left my original key in luks as I thought it would be another way to get to my data if the file in etc became corrupted or was deleted. That whole luks system is an incredible addition to Linux! Very well thought out.

About the noearly entry: I was watching the boot screen roll by when I noticed that the system was unlocked, a bunch of other stuff happened, and THEN the raid was put together and mounted. That’s why I figured you couldn’t use the password you supplied originally and the article you sent showed that. That’s why you have to put noearly in crypttab as well. It’s so it won’t try to unlock the raid before it exists. If you leave noearly out, it won’t cause any issues it just complains about it in the login and even suggests using it. I just did it to get rid of the error messages.

Thanks for your help,

kirm
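The key-file approach kirm describes in the two posts above (a random key stored on the already-unlocked encrypted root, added as an extra LUKS key slot, and a crypttab entry with noearly so boot.crypto does not try to open the array before mdadm has assembled it) as an added shell example. This is not code from the thread, from the madduck.net article, or from openSUSE; the array name /dev/md0, the mapping name "backup", the key file path /etc/keys/md0.luks and the 4096-byte key size are assumptions chosen for illustration. The cryptsetup step needs root and an existing LUKS passphrase, so it is kept in its own function and not exercised by the check.

```shell
#!/bin/sh
# Added example, not from the thread: open an encrypted md RAID array at boot
# with a key file kept on the encrypted root, so no second passphrase prompt.
# Assumed layout: array /dev/md0, mapping "backup", key /etc/keys/md0.luks.

# 1. Create a random key file on the encrypted root, readable only by root.
#    Prints the key size in bytes.
make_keyfile() {
    keyfile=$1
    size=${2:-4096}
    dir=$(dirname "$keyfile")
    mkdir -p "$dir"
    chmod 0700 "$dir"
    # umask 077 so the file is never group/world readable, not even briefly
    (umask 077 && head -c "$size" /dev/urandom > "$keyfile")
    chmod 0400 "$keyfile"
    wc -c < "$keyfile" | tr -d ' '
}

# 2. Add the key file as an additional LUKS key slot. The passphrase keeps
#    its own slot as a fallback (as kirm did), so losing the file is not
#    fatal. cryptsetup prompts for an existing passphrase. Needs root.
add_keyfile_slot() {
    device=$1
    keyfile=$2
    cryptsetup luksAddKey "$device" "$keyfile"
}

# 3. Build the /etc/crypttab line: name, device, key file, options.
#    noearly stops boot.crypto from trying the device in the early boot stage,
#    before mdadm has assembled the array; it is opened later with the key.
crypttab_line() {
    printf '%s %s %s %s\n' "$1" "$2" "$3" "${4:-noearly}"
}

# 4. Sanity-check a crypttab: md devices must carry noearly, and any key
#    file that exists must be mode 0400. Prints one line per problem and
#    returns 1 if anything is wrong, 0 when clean.
check_crypttab() {
    tab=$1
    status=0
    while read -r name dev key opts; do
        case $name in ''|"#"*) continue ;; esac
        case $dev in
            /dev/md*)
                case ",$opts," in
                    *,noearly,*) ;;
                    *) echo "$name: $dev is an md array but lacks noearly"; status=1 ;;
                esac ;;
        esac
        if [ -n "$key" ] && [ "$key" != none ] && [ -e "$key" ]; then
            mode=$(stat -c '%a' "$key")
            [ "$mode" = 400 ] || { echo "$name: key file $key has mode $mode, expected 400"; status=1; }
        fi
    done < "$tab"
    return $status
}

# Typical use (as root, on the already-encrypted system):
#   make_keyfile /etc/keys/md0.luks
#   add_keyfile_slot /dev/md0 /etc/keys/md0.luks
#   crypttab_line backup /dev/md0 /etc/keys/md0.luks >> /etc/crypttab
#   check_crypttab /etc/crypttab
```

The key file is only as protected as the root file system it sits on: anyone who can read root (a booted, unlocked system, or a backup of /etc) can open the array, which is exactly the trade-off that makes the single prompt possible. Keeping the passphrase in its own key slot means `cryptsetup luksRemoveKey` can retire the file later without losing access to the data.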