
Thread: full disk encryption and entering twice the password to boot system

  1. #1

    full disk encryption and entering twice the password to boot system

    Hello,

    I want to install openSUSE 42.3 and use full disk encryption. I already installed openSUSE in VirtualBox, but now I have to enter the password twice to boot the system. How can I change this during the installation?

  2. #2

    Re: full disk encryption and entering twice the password to boot system

    I will state I don't use VirtualBox.

    If the BIOS is UEFI then the first password is to decrypt /boot/efi
    The second is to decrypt the rest of the partitions.

    I assume if the bios is not UEFI, but the /boot is on its own partition it would be for the same reason.

  3. #3

    Re: full disk encryption and entering twice the password to boot system

    Quote Originally Posted by smily01
    How can I change this during the installation?
    By placing /boot/grub2 and sub-directories on a non-encrypted filesystem. Actually this should even enable snapper rollback ... although I have never tried it and I am not sure how yast behaves in this case. Try and tell us

    Quote Originally Posted by d3vnull
    If the BIOS is UEFI then the first password is to decrypt /boot/efi
    This just demonstrates how confusing the words "full disk encryption" are without actually explaining what had been done and how this encryption is implemented. I'm pretty sure that the first prompt is from grub2 to access /boot/grub2.

  4. #4

    Re: full disk encryption and entering twice the password to boot system

    Hello,

    Thank you for your answers! I ask this question because the system doesn't ask me to enter the password twice when I'm using Debian or Ubuntu. I also installed openSUSE on my hard disk and then I also have to enter the password twice.

  5. #5

    Re: full disk encryption and entering twice the password to boot system

    Quote Originally Posted by smily01
    the system doesn't ask me to enter the password twice when I'm using Debian or Ubuntu
    It does not ask me even once on all of my openSUSE VMs. Again - unless you tell us what you actually did during installation all that you get will be wild guesses.

  6. #6

    Re: full disk encryption and entering twice the password to boot system

    Fair enough. I stand corrected. I never actually looked at how the /boot/efi was set up in the default full disk encryption setup. What I get for assuming.

    Quote Originally Posted by arvidjaar
    By placing /boot/grub2 and sub-directories on a non-encrypted filesystem. Actually this should even enable snapper rollback ... although I have never tried it and I am not sure how yast behaves in this case. Try and tell us

    This just demonstrates how confusing the words "full disk encryption" are without actually explaining what had been done and how this encryption is implemented. I'm pretty sure that the first prompt is from grub2 to access /boot/grub2.

  7. #7

    Re: full disk encryption and entering twice the password to boot system

    Hum...re-reading this. Are you saying snapper rollback does not function under the "default" way of installing full disk encryption?

    Quote Originally Posted by arvidjaar
    By placing /boot/grub2 and sub-directories on a non-encrypted filesystem. Actually this should even enable snapper rollback ... although I have never tried it and I am not sure how yast behaves in this case. Try and tell us

    This just demonstrates how confusing the words "full disk encryption" are without actually explaining what had been done and how this encryption is implemented. I'm pretty sure that the first prompt is from grub2 to access /boot/grub2.

  8. #8

    Re: full disk encryption and entering twice the password to boot system

    Quote Originally Posted by d3vnull
    Hum...re-reading this. Are you saying snapper rollback does not function under the "default" way of installing full disk encryption?
    Of course it does, but then you are prompted twice (at least). Actually sorry, I was wrong. Even if /boot/grub2 is on an unencrypted filesystem, grub still needs to read the kernel, so it must have access to /boot. And moving /boot outside of (encrypted) root will disable rollback.

  9. #9

    Re: full disk encryption and entering twice the password to boot system

    Quote Originally Posted by smily01
    How can I change this during the installation?
    If you use a separate unencrypted "/boot", then you won't have to enter the password twice.

    However, if you are using "btrfs" for root file system, then a separate boot is not recommended. You might lose the ability to boot from an older snapshot.

    As for why you are prompted twice:

    The first prompt is by "grub2". It needs the password to be able to read "/boot/grub2/grub.cfg", where the boot menu is defined.

    The second prompt is by the kernel, though passed to you via plymouth/dracut, etc. The kernel needs the password to make the encrypted file system available while the system is up and running.

    There isn't any secure way, as far as I know, for grub2 to communicate the password to the kernel.

    For the record:

    I am entering the encryption password once for 42.3, because I have a separate "/boot".
    I am entering it twice for Leap 15.0 (now a release candidate), where I do not have a separate "/boot".

    I've become used to entering twice. I don't find it such an annoyance anymore.
    openSUSE Leap 15.3; KDE Plasma 5.18.6;
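
Added example, not part of any post in this thread: a shell function that reads a block-device listing in the format of `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` and reports which boot stage (grub2, then the initrd) has to unlock an encrypted volume, following the explanation in post #9. The function name and the two sample layouts are constructed for illustration; it assumes the root device's line reports MOUNTPOINT "/" and that no key file is embedded in the initrd.

```shell
#!/bin/sh
# Added example: which boot stages will ask for the LUKS passphrase?
# Input format: lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT (one device per line).
prompt_stages() {
  awk '
    # Return the value of key="value" on the current line.
    function val(key,   s) {
      if (!match($0, "(^| )" key "=\"[^\"]*\"")) return ""
      s = substr($0, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
      return s
    }
    # Walk from a device up through its parents looking for a dm-crypt layer.
    function encrypted(d,   n) {
      for (n = 0; d != "" && n < 16; n++) {
        if (kind[d] == "crypt") return 1
        d = parent[d]
      }
      return 0
    }
    {
      k = val("KNAME"); parent[k] = val("PKNAME"); kind[k] = val("TYPE")
      m = val("MOUNTPOINT"); if (m != "") dev[m] = k
    }
    END {
      root = dev["/"]
      # Without a separate /boot mount, grub.cfg and the kernel live on root.
      boot = ("/boot" in dev) ? dev["/boot"] : root
      printf "grub=%d initrd=%d\n", encrypted(boot), encrypted(root)
    }'
}

# Constructed sample: LVM on LUKS, no separate /boot (two prompts expected).
ENCRYPTED_BOOT='KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot/efi"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"'

# Constructed sample: separate unencrypted /boot (one prompt expected).
SEPARATE_BOOT='KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" MOUNTPOINT="/"'

printf '%s\n' "$ENCRYPTED_BOOT" | prompt_stages
printf '%s\n' "$SEPARATE_BOOT" | prompt_stages
```

On an installed system the same function can be fed the live listing: `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | prompt_stages`.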
