
Thread: Boot encrypted root (encrypted boot)

  1. #1
    Join Date
    Mar 2010
    Location
    West Germany / Deutschland
    Posts
    8

    Default Boot encrypted root (encrypted boot)

    Hi,
    my system configuration looks like this:
    Code:
    sdb                8:16   0 931,5G  0 disk  
    ├─sdb1             8:17   0   499M  0 part  /boot/efi
    ├─sdb2             8:18   0   100M  0 part  (Windows bull****)
    ├─sdb3             8:19   0 540,3G  0 part  (Windows)
    ├─sdb4             8:20   0    16M  0 part  (some more bull**** windows created)
    └─sdb5             8:21   0 390,6G  0 part  
      └─cr       254:0    0 390,6G  0 crypt 
        ├─root 254:1    0  28,6G  0 lvm   /
        └─home 254:2    0   362G  0 lvm   /home
    So I have an EFI grub which should decrypt boot (on root); that is working, but then the system is querying me again for the password.
    I tried to add a keyfile and place it in boot and put it into the fstab / crypttab and also into the initramfs (which should be safe because the initramfs is located on the encrypted boot).
    (tried to add this to dracut.conf install_items+="/boot/crypt.key")

    After that I created a new initramfs, but it still does not work. Do you have some suggestions on what I have to change to get it running?

  2. #2
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    15,685
    Blog Entries
    3

    Default Re: Boot encrypted root (encrypted boot)

    I don't know why that isn't working. I'll just clarify a different point.

    The first prompt for an encryption key is by "grub2", so that it can read the boot menu. The second prompt is by the system (the running kernel).

    I have one of my systems working that way, and I just enter the encryption key twice. I have not tried what you are doing. Maybe I should experiment with that.
    openSUSE Leap 15.3; KDE Plasma 5.18.6;

  3. #3
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    15,685
    Blog Entries
    3

    Default Re: Boot encrypted root (encrypted boot)

    Here's something to check.

    You should be able to use "lsinitrd" to see whether your file "/boot/crypt.key" is in the "initrd".
    openSUSE Leap 15.3; KDE Plasma 5.18.6;

  4. #4
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    15,685
    Blog Entries
    3

    Default Re: Boot encrypted root (encrypted boot)

    Quote Originally Posted by susnux View Post
    I tried to add a keyfile and place it in boot and put it into the fstab / crypttab and also into the initramfs (which should be safe because the initram fs is located on the encrypted boot).
    (tried to add this to dracut.conf install_items+="/boot/crypt.key")
    Okay, I have this working.

    NOTE: I tested with Leap 15.0 (not yet released, but a release candidate is available). I did not test with Leap 42.3. My reason for testing with Leap 15.0 is that I already have most of the setup for that in place in a VM (virtual machine).

    I needed to use:
    Code:
    install_items+=" /boot/crypt.key "
    Note the space at the start and end of the quoted string.

    I did not put that in "dracut.conf". Rather, I put it in "/etc/dracut.conf.d/50-crypt.conf" (a new file that I had to create).

    For the Luks encryption key: I created a new key which I put in "/boot/crypt.key". And then I used
    Code:
    cryptsetup luksAddKey /dev/sda3 /boot/crypt.key
    to add that key.

    I later tried using that key (not the file, but the key that is in the file) with "cryptsetup" for testing manual setup. And it did not work. My conclusion: The newline character at the end of that "crypt.key" file is being used as part of the key. So it did not work manually, because I entered the key without that newline.

    I later tried replacing what is in "crypt.key" with the key that I usually type in. But I did it so that the file does not end with a newline. (I used "echo -n" with "csh" as my shell to do that). I then ran "mkinitrd" to rebuild the "initrd" and it still worked.

    My guess is that you are running into one or both of the same issues:
    • the need for spaces around the file path to add to the initrd
    • the issue of whether the line terminator in your "crypt.key" is being used as part of the key.
    openSUSE Leap 15.3; KDE Plasma 5.18.6;

  5. #5
    Join Date
    Sep 2012
    Posts
    7,108

    Default Re: Boot encrypted root (encrypted boot)

    Quote Originally Posted by nrickert View Post
    • the issue of whether the line terminator in your "crypt.key" is being used as part of the key.
    That does not really matter as long as you use the same file in all cases. What matters is that initrd must be told to actually use this key file for decryption. It may be provided in /etc/crypttab (in which case it must also be present in root /etc/crypttab) or using rd.luks.XXX options (like rd.luks.key), but it needs to be present.
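    The three things posts #4 and #5 say must line up can be checked mechanically. This is an added example, not code from the thread: it emulates how dracut glues install_items+= values together (so the spacing point in #4 shows up), tests whether a keyfile ends in a newline, and reads the key field out of crypttab. The sample files, including the hypothetical 01-other.conf that comes before 50-crypt.conf, are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. On a real box point the functions at
# /etc/dracut.conf.d/*.conf, /boot/crypt.key and /etc/crypttab instead of the
# constructed demo files written by make_demo_files.

# dracut sources its conf files in turn and every install_items+="..." is a
# shell append, so the values are glued together with no separator of their own.
dracut_install_items() {   # $@ = conf files in the order dracut reads them
    acc=""
    for f in "$@"; do
        acc="$acc$(sed -n 's/^[[:space:]]*install_items+="\([^"]*\)".*/\1/p' "$f" | tr -d '\n')"
    done
    printf '%s\n' "$acc"
}

# 0 if $1 survives as its own whitespace-separated token (the point in post #4).
installs_item() {   # $1 = path, remaining args = conf files
    p=$1; shift
    dracut_install_items "$@" | tr ' ' '\n' | grep -qxF -- "$p"
}

# cryptsetup uses the file byte for byte, so a trailing newline is part of the key.
keyfile_ends_with_newline() { [ -z "$(tail -c 1 "$1")" ]; }

# Third field of the crypttab line for mapper $1; "none" means a prompt (post #5).
crypttab_keyfile() { awk -v n="$1" '$1 == n && $1 !~ /^#/ { print $3 }' "$2"; }

# Constructed sample inputs mirroring posts #1 and #4; prints the directory.
make_demo_files() {
    d=$(mktemp -d)
    printf 'install_items+="/etc/hypothetical.conf"\n' > "$d/01-other.conf"   # hypothetical earlier file
    printf 'install_items+="/boot/crypt.key"\n'        > "$d/bad.conf"        # as in post #1
    printf 'install_items+=" /boot/crypt.key "\n'      > "$d/good.conf"       # as in post #4
    printf 'passphrase\n' > "$d/key_nl"
    printf 'passphrase'   > "$d/key_no_nl"
    printf 'cr /dev/sdb5 /boot/crypt.key luks\n' > "$d/crypttab"
    printf '%s\n' "$d"
}

d=$(make_demo_files)
for c in bad good; do
    if installs_item /boot/crypt.key "$d/01-other.conf" "$d/$c.conf"; then
        echo "$c.conf: /boot/crypt.key would be installed into the initrd"
    else
        echo "$c.conf: path glued onto the previous value: $(dracut_install_items "$d/01-other.conf" "$d/$c.conf")"
    fi
done
keyfile_ends_with_newline "$d/key_nl" && echo "key_nl: the trailing newline is part of the key"
echo "crypttab key for cr: $(crypttab_keyfile cr "$d/crypttab")"
```

If crypttab_keyfile prints "none" for the mapper, the initrd will prompt no matter what is in the initrd, which is the case post #5 describes.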

  6. #6
    Join Date
    Mar 2010
    Location
    West Germany / Deutschland
    Posts
    8

    Default Re: Boot encrypted root (encrypted boot)

    @nrickert:
    Yes! :-)
    For me adding the spaces solved the issue.
    Thank you very much!

  7. #7
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    15,685
    Blog Entries
    3

    Default Re: Boot encrypted root (encrypted boot)

    Quote Originally Posted by susnux View Post
    @nrickert:
    Yes! :-)
    For me adding the spaces solved the issue.
    Thank you very much!
    I'm glad you have it working.
    openSUSE Leap 15.3; KDE Plasma 5.18.6;

  8. #8

    Default Re: Boot encrypted root (encrypted boot)

    Just installed openSUSE Leap 15 last night. I am a new user to openSUSE but would rate myself an intermediate user of most of Debian/Ubuntu. I believe I have the same issue.

    I have some key differences from OP: I'm using Leap 15 instead of 42.3, there are more password prompts than encrypted partitions (three encrypted partitions courtesy of LVM, about 4-5 password prompts), and I am a little unclear about how to do the solutions presented in that thread.

    A question about the solutions:

    nrickert
    I did not put that in "dracut.conf". Rather, I put it in "/etc/dracut.conf.d/50-crypt.conf" (a new file that I had to create).
    Why should this matter? Did it just fail to generate this file? Otherwise how will it know to look here?

    Thanks!

  9. #9
    Join Date
    Jun 2008
    Location
    Groningen, Netherlands
    Posts
    20,925
    Blog Entries
    14

    Default Re: Boot encrypted root (encrypted boot)

    Quote Originally Posted by NotCras View Post
    Just installed openSUSE Leap 15 last night. I am a new user to openSUSE but would rate myself an intermediate user of most of Debian/Ubuntu. I believe I have the same issue.

    I have some key differences from OP: I'm using Leap 15 instead of 42.3, there are more password prompts than encrypted partitions (three encrypted partitions courtesy of LVM, about 4-5 password prompts), and I am a little unclear about how to do the solutions presented in that thread.

    A question about the solutions:

    nrickert

    Why should this matter? Did it just fail to generate this file? Otherwise how will it know to look here?

    Thanks!
    Hi, welcome to these forums. I'm not very familiar with disk encryption, but I've got some advice on the data that others who do have the knowledge are going to ask for. Given your knowledge of Debian-based distros, provide as much 'real' info, i.e. output, either here between CODE tags, or on paste.opensuse.org with a link here.
    ° Appreciate my reply? Click the star and let me know why.

    ° Perfection is not gonna happen. No way.

    http://en.opensuse.org/User:Knurpht
    http://nl.opensuse.org/Gebruiker:Knurpht

  10. #10
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    15,685
    Blog Entries
    3

    Default Re: Boot encrypted root (encrypted boot)

    Quote Originally Posted by NotCras View Post
    I have some key differences from OP: I'm using Leap 15 instead of 42.3, there are more password prompts than encrypted partitions (three encrypted partitions courtesy of LVM, about 4-5 password prompts), and I am a little unclear about how to do the solutions presented in that thread.
    I'm not sure how you did that.

    For me, I have one encrypted partition used for the LVM, with several volumes inside.

    If you combined several encrypted partitions to form an LVM, then each of those has to be decrypted to access the LVM. If grub2 needs to read the LVM, then I suppose it needs to decrypt all of the partitions. I've never tried that. But if it asks for the password several times, you might be stuck with that.

    Why should this matter?
    That's asking about part of my earlier answer (which forum software does not requote).

    I don't know that it does matter. I just included full details of what I did.
    openSUSE Leap 15.3; KDE Plasma 5.18.6;

