Thread: Cryptsetup - entering a one-time password at boot

  1. #1

    Cryptsetup - entering a one-time password at boot

    Hello,
    Is it possible, having different encrypted partitions with the same password, to enter it only once during the system boot? Currently, I need to enter the password separately to unlock each partition. I know I can create an LVM, but I do not need it. I would like to encrypt the whole system.
    / with sub-volumes - BTRFS
    swap
    /home - xfs / ext4
    This is available in Fedora or can I do that in openSUSE?
    Regards

  2. #2

    Re: Cryptsetup - entering a one-time password at boot

    That is working for me.

    I have an encrypted LVM with root, home, swap.

    Separately, I have an encrypted "ext4" partition, which I mount at "/shared"

    Both use the same encryption key. I am only prompted once for the key.

    Okay, let me modify that. What I just described is correct for one Tumbleweed system.

    On a second Tumbleweed system, I am prompted twice -- the first prompt is by grub (really grub2-efi) so that it can read its boot menu. The second prompt is to provide the key to the kernel. And this second prompt includes both the encrypted LVM and "/shared".

    I do have plymouth installed, but I am using "plymouth.enable=0". I'm not sure whether the encryption key is handled by "plymouth" or by "dracut". My understanding is that either "plymouth" or "dracut" traps the kernel prompt, and in turn asks me for the key. And that software ("dracut" or "plymouth") remembers what key I provided and tries that first for any future encryption attempt. Apparently the encryption for "/shared" is handled before "plymouth" and "dracut" both go away.
    openSUSE Leap 15.1; KDE Plasma 5;

  3. #3

    Re: Cryptsetup - entering a one-time password at boot

    Originally posted by nrickert: "I'm not sure whether the encryption key is handled by "plymouth" or by "dracut"."

    Passphrase is cached by either plymouth or systemd-cryptsetup.

    Originally posted by nrickert: "My understanding is that either "plymouth" or "dracut" traps the kernel prompt"

    There is no kernel prompt. Everything happens completely in user space. systemd-cryptsetup caches the passphrase in the kernel keyring; in non-systemd mode dracut tries to call plymouth if available, and the passphrase is cached by plymouth (daemon). If plymouth is active, it is also used to query for the passphrase in systemd mode, so the passphrase is cached twice.
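
Added example, not part of the thread: a shell function that lists which `/etc/crypttab` entries are unlocked by an interactive passphrase at boot, which are the only volumes a cached passphrase can be retried on. The volume names, the placeholder UUIDs and the key file path are constructed for illustration, following the root/swap/home layout from the question.

```shell
#!/bin/sh
# List the crypttab entries that are unlocked by an interactive passphrase.
# Fields per crypttab(5): name, device, key file, options.
# A key file of "none", "-" or a missing third field means "ask for a passphrase".
prompted_volumes() {
    # $1: path to a crypttab-format file
    while read -r name device keyfile options; do
        case "$name" in
            ''|'#'*) continue ;;      # skip blank lines and comments
        esac
        case "$keyfile" in
            ''|none|-) ;;             # interactive passphrase
            *) continue ;;            # key file or random key: no prompt
        esac
        case ",$options," in
            *,noauto,*) continue ;;   # not unlocked automatically at boot
        esac
        printf '%s\n' "$name"
    done < "$1"
}

# Constructed sample (assumption): names, UUID placeholders and the key file
# path are hypothetical, not values from the thread.
sample_crypttab() {
    cat <<'EOF'
# name     device                key                    options
cr_root    UUID=<root-uuid>      none                   x-initrd.attach
cr_swap    UUID=<swap-uuid>      -
cr_home    UUID=<home-uuid>      none
cr_backup  UUID=<backup-uuid>    /etc/keys/backup.key
cr_usb     UUID=<usb-uuid>       none                   noauto
EOF
}

tmp=$(mktemp)
sample_crypttab > "$tmp"
echo "Entries that prompt at boot (one prompt if all share a passphrase and it is cached):"
prompted_volumes "$tmp"
rm -f "$tmp"
```

On a real system, call `prompted_volumes /etc/crypttab`; any volume listed with a passphrase that differs from the first one entered will still produce its own prompt.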
