
Thread: Asked for Encryption Password Twice on Boot (Full Disk Encryption)

  1. #1

    Asked for Encryption Password Twice on Boot (Full Disk Encryption)

    I'm testing out Leap 42.1 RC1 and I've set up an encrypted partition containing LVM, which contains my regular partitions, including /boot. On boot, Grub2 asks me for my encryption password, then I get the boot menu, and then during boot I get asked for the password again.

    I've done some searching and it looks like the trick is to use a keyfile to unlock the partition. But all of the instructions I've seen require mkinitcpio (http://www.pavelkogan.com/2014/05/23...sk-encryption/), but this tool isn't part of the distribution.

    How can I get it so that only Grub2 is asking for the password?

  2. #2

    Re: Asked for Encryption Password Twice on Boot (Full Disk Encryption)

    Quote Originally Posted by quantamm View Post
    ..., including /boot.
    That's why you have to enter the password twice. The first is so that grub2 can see "/boot", while the second is so the kernel can read the LVM.

    I don't know of a way to avoid this, other than having a separate unencrypted "/boot"
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  3. #3

    Re: Asked for Encryption Password Twice on Boot (Full Disk Encryption)

    Quote Originally Posted by nrickert View Post
    That's why you have to enter the password twice. The first is so that grub2 can see "/boot", while the second is so the kernel can read the LVM.

    I don't know of a way to avoid this, other than having a separate unencrypted "/boot"
    Actually, if you take a look at the link I provided, you'll see that he managed to get it working (on ArchLinux and Linux Mint) by including the key in the initramfs. But he uses mkinitcpio (and on another page he links to, he uses mkinitramfs). Neither of these tools is available in Leap, so I'm trying to figure out the Suse way of doing this.

    I think all I really need is the ability to add a file to the initramfs/initrd, but I haven't been able to find any documentation on how to do that.

  4. #4

    Re: Asked for Encryption Password Twice on Boot (Full Disk Encryption)

    Quote Originally Posted by quantamm View Post
    I think all I really need is the ability to add a file to the initramfs/initrd, but I haven't been able to find any documentation on how to do that.
    The "initrd" on opensuse is publicly readable. So anyone with access to the system could extract that file.

    The "initrd" itself is a compressed CPIO archive. I suppose you could unpack it to a directory, add the file, pack it up and compress it, and make sure that you set it to be readable only by root. If that works when done manually, you could probably come up with a script to automate it.

    I have one installation of Tumbleweed done with "/boot" in the encrypted LVM. But I think I prefer to enter the encryption key twice.

  5. #5

    Re: Asked for Encryption Password Twice on Boot (Full Disk Encryption)

    Quote Originally Posted by quantamm View Post
    How can I get it so that only Grub2 is asking for the password?
    There is no interface between bootloader and linux kernel to pass a password (it is supported by e.g. the FreeBSD kernel); you can of course stuff it into the kernel command line, but you probably do not want to do that.

  6. #6

    Re: Asked for Encryption Password Twice on Boot (Full Disk Encryption)

    Quote Originally Posted by nrickert View Post
    The "initrd" itself is a compressed CPIO archive. I suppose you could unpack it to a directory, add the file, pack it up and compress it, and make sure that you set it to be readable only by root. If that works when done manually, you could probably come up with a script to automate it.
    Bingo!

    Okay, so you can't directly add files to the initrd using cpio: of the 10MB file, cpio will only extract a few KB worth of files. There's other stuff in there that cpio can't see. And since you can't extract it, you can't pack it back into a new initrd.

    I did some digging on mkinitrd and discovered that it's nothing more than a script that calls Dracut. And Dracut allows you to install arbitrary files into the initrd. The solution I came up with is to modify the mkinitrd script so that it tells Dracut to include the keyfile. Of course, if mkinitrd ever gets updated, then my changes will be overwritten and I'll start getting the dual password prompt again.

    So what I did is in mkinitrd, I replaced the dracut_cmd line with:

    Code:
    dracut_cmd="dracut --install /path/to/my/keyfile"

  7. #7

    Re: Asked for Encryption Password Twice on Boot (Full Disk Encryption)

    Quote Originally Posted by quantamm View Post
    Okay, so you can't directly add files to the initrd using cpio because of the 10MB file, cpio will only extract a few KB worth of files. There's other stuff in there that cpio can't see.
    Code:
    /usr/lib/dracut/skipcpio /boot/initrd | xzcat | cpio -itv
    Of course, if mkinitrd ever gets updated, then my changes will be overwritten
    Code:
    echo 'install_items+=" /path/to/my/keyfile "' > /etc/dracut.conf.d/99-my-keyfile.conf
    I'm not sure how having your keyfile in initrd helps without also having code to use this keyfile, but if it works for you - great.

  8. #8

    Re: Asked for Encryption Password Twice on Boot (Full Disk Encryption)

    Quote Originally Posted by arvidjaar View Post
    I'm not sure how having your keyfile in initrd helps without also having code to use this keyfile, but if it works for you - great.
    /etc/crypttab points to the keyfile. If you're interested, take a look at the link I included in my original post. The instructions are the same, except for the initrd/initramfs stuff.
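    To check for the exposure nrickert raises in #4 against the setup described in #7 and #8 (keyfile installed by dracut, named in /etc/crypttab), here is an added Python example that is not from the thread: it walks an initrd the way `skipcpio | xzcat | cpio -itv` does (plain early-cpio archives first, then the xz main image) and reports a world-readable image and any crypttab keyfile it carries. The sample image, the `cr_lvm` mapping and the `/root/keyfile` path are constructed for the demo and are not from the thread.

```python
import lzma, stat
from pathlib import Path
MAGIC = b"070701"  # SVR4 "newc" cpio header magic, the format dracut images use

def newc_entry(name, mode, data):  # one newc cpio entry; used only for the constructed sample
    n = name.encode() + b"\0"
    hdr = MAGIC + b"".join(b"%08X" % v for v in (0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(n), 0))
    return hdr + n + b"\0" * (-(110 + len(n)) % 4) + data + b"\0" * (-len(data) % 4)

def list_initrd(buf):
    """Walk an image like `skipcpio | xzcat | cpio -it`; returns {name: (mode, data)}."""
    entries, pos = {}, 0
    while pos < len(buf):
        if buf.startswith(MAGIC, pos):  # plain newc header: magic + 13 ASCII-hex fields
            f = [int(buf[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
            mode, size, namesize = f[1], f[6], f[11]
            name = buf[pos + 110:pos + 109 + namesize].decode()
            data_at = pos + (110 + namesize + 3) // 4 * 4  # name and data are 4-byte aligned
            pos = data_at + (size + 3) // 4 * 4
            if name != "TRAILER!!!":
                entries[name] = (mode, buf[data_at:data_at + size])
        elif buf.startswith(b"\xfd7zXZ\x00", pos):  # xz magic: the compressed main image
            return {**entries, **list_initrd(lzma.decompress(buf[pos:]))}
        elif buf[pos] == 0:  # block padding that cpio writes after an early archive's trailer
            pos += 1
        else:
            raise ValueError(f"unrecognised data at offset {pos}")
    return entries

def audit_initrd(path):
    """Findings: image readable by non-root users, and a crypttab keyfile shipped inside it."""
    findings, perms = [], stat.S_IMODE(Path(path).stat().st_mode)
    if perms & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path} is mode {perms:04o}: any local user can read the image")
    entries = list_initrd(Path(path).read_bytes())
    for line in entries.get("etc/crypttab", (0, b""))[1].decode(errors="replace").splitlines():
        fields = line.split()  # crypttab columns: name  device  keyfile  [options]
        if len(fields) >= 3 and fields[0][0] != "#" and fields[2] not in ("none", "-"):
            if fields[2].lstrip("/") in entries:
                findings.append(f"crypttab keyfile {fields[2]} is embedded in {path}")
    return findings

def build_sample(path):
    """Constructed sample initrd: microcode early cpio, then an xz main image with crypttab + key."""
    early = newc_entry("kernel/x86/microcode/GenuineIntel.bin", 0o100644, b"\0" * 16) + newc_entry("TRAILER!!!", 0, b"")
    main = (newc_entry("etc/crypttab", 0o100644, b"cr_lvm /dev/sda2 /root/keyfile luks\n")
            + newc_entry("root/keyfile", 0o100600, b"\x5a" * 32) + newc_entry("TRAILER!!!", 0, b""))
    Path(path).write_bytes(early + b"\0" * 8 + lzma.compress(main))
    Path(path).chmod(0o644)  # mirrors the world-readable /boot/initrd the thread warns about
```

    Run `build_sample("/tmp/initrd-demo")` followed by `audit_initrd("/tmp/initrd-demo")` to see both findings; pointing `audit_initrd` at a real `/boot/initrd` needs root on a stock system only if the image is not world-readable.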

  9. #9

    Re: Asked for Encryption Password Twice on Boot (Full Disk Encryption)

    Quote Originally Posted by quantamm View Post
    /etc/crypttab points to the keyfile.
    Ah, OK, that makes sense.
