Thread: Tumbleweed (2/24/19) install in encrypted fs asks for passphrase twice

  1. #1
    Join Date
    Jun 2008
    Location
    Raleigh, NC
    Posts
    87

    Default Tumbleweed (2/24/19) install in encrypted fs asks for passphrase twice

    Installed from the KDE live DVD and it finished. The partition setup was chosen by SUSE. No swap. One EFI partition of 300 MB was created with vfat and the remaining disk was one partition, btrfs, encrypted.

    When booting, it asks for passphrase before the grub menu is presented and then again it asks for the passphrase. /etc/crypttab has only one line.

    Is it possible to make it ask only once, since everything is on one partition (no swap)?

    TIA.

  2. #2
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,641
    Blog Entries
    3

    Default Re: Tumbleweed (2/24/19) install in encrypted fs asks for passphrase twice

    The problem here is that grub needs the passphrase in order to get to its boot menu (and the kernel, initrd).

    The kernel needs the passphrase to access the file system.

    There isn't a secure way for grub to pass that along to the kernel.

    There is a workaround that some people have used. You can put a passphrase (or a random string) into a file, and configure that in "/etc/crypttab". And then you have to configure "dracut" to include that file in the "initrd".

    I'm currently doing that in a virtual machine (for testing). On real machines, I am preferring to give the passphrase twice, for better security. If you want details, I can go through how to set that up.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  3. #3
    Join Date
    Jun 2008
    Location
    Raleigh, NC
    Posts
    87

    Default Re: Tumbleweed (2/24/19) install in encrypted fs asks for passphrase twice

    Originally posted by nrickert:
    The problem here is that grub needs the passphrase in order to get to its boot menu (and the kernel, initrd).

    The kernel needs the passphrase to access the file system.

    There isn't a secure way for grub to pass that along to the kernel.

    There is a workaround that some people have used. You can put a passphrase (or a random string) into a file, and configure that in "/etc/crypttab". And then you have to configure "dracut" to include that file in the "initrd".

    I'm currently doing that in a virtual machine (for testing). On real machines, I am preferring to give the passphrase twice, for better security. If you want details, I can go through how to set that up.

    It's full disk encryption so... one disk, one passphrase, but multiple times having to enter it! Not good.
    Dell inspiron model I-7375 2 in 1.
    Ryzen 2500U, 8 GB RAM, SATA SSD, Full disk encryption
    Opensuse Tumbleweed (latest)

  4. #4
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,641
    Blog Entries
    3

    Default Re: Tumbleweed (2/24/19) install in encrypted fs asks for passphrase twice

    Originally posted by mvaar:
    It's full disk encryption so... one disk, one passphrase, but multiple times having to enter it! Not good.

    That's twice per boot. But how often do you boot?

    Okay, that's for Tumbleweed, so you probably reboot after each update.

    I'm used to giving passphrase twice, and it doesn't bother me. But if you want to try putting it in a file and the "initrd", just ask for details.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  5. #5
    Join Date
    Jun 2008
    Location
    Raleigh, NC
    Posts
    87

    Default Re: Tumbleweed (2/24/19) install in encrypted fs asks for passphrase twice

    Originally posted by nrickert:
    That's twice per boot. But how often do you boot?

    Okay, that's for Tumbleweed, so you probably reboot after each update.

    I'm used to giving passphrase twice, and it doesn't bother me. But if you want to try putting it in a file and the "initrd", just ask for details.

    OK, gimme the details just in case, but do not link me to that Arch Linux wiki. I didn't comprehend it; I am not even sure about the different scenarios listed there as to where the openSUSE implementation fits in. I just want a step-by-step solution that works for openSUSE.

    TIA.
    Dell inspiron model I-7375 2 in 1.
    Ryzen 2500U, 8 GB RAM, SATA SSD, Full disk encryption
    Opensuse Tumbleweed (latest)

  6. #6
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,641
    Blog Entries
    3

    Default Re: Tumbleweed (2/24/19) install in encrypted fs asks for passphrase twice

    Okay. I have booted up my virtual machine. I'll just describe how I have it set up.

    I should note that I use an encrypted LVM, but that should not make any difference.

    1: I have a file "/etc/cr_twleap_lvm" which contains a passphrase.

    I'll note that the name is not critical, as long as there is no conflict. In this case, "twleap" is just the name that I used for the LVM name. I do not use my normal passphrase there. I use a different one, and I then used
    Code:
    cryptsetup luksAddKey device file-path
    to make that an additional key. You can use a random number generator for this key if you want.

    That file is readable only by root (important).

    2: I added that to "/etc/crypttab". My "crypttab" looks like this:
    Code:
    cr_twleap       UUID=e80a722f-877d-4572-a689-03e088c26c7c       /etc/cr_twleap_lvm      none

    3: Force dracut to include that file.

    In the directory "/etc/dracut.conf.d", I created a file "98-crypt.conf". And note that this file is also set to be readable only by root, though that's probably not critical.

    The file contains the one line:
    Code:
    install_items+=" /etc/cr_twleap_lvm "
    The spaces around that path are important.

    4: Run "mkinitrd" to rebuild the "initrd".

    And that's about it. I still have to enter the encryption key before I get the grub boot menu. But, after that, it boots without further prompt for passphrase.

    If something goes wrong, then it just prompts for the key anyway.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha
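
Added example, not part of nrickert's post or any openSUSE tooling: a shell audit of the setup described in post #6. It checks that each keyfile named in crypttab grants nothing to group or other and is listed in dracut's install_items with the surrounding spaces, and that the rebuilt initrd, which now holds a copy of the key, is no more readable than the keyfile. The function names and the ROOT prefix argument are assumptions of this sketch, and it relies on GNU find.

```shell
#!/bin/sh
# Added example (not from the thread): audit the keyfile-in-initrd setup.
# ROOT is a path prefix so the checks can run on a test tree; "" means the live system.

# Print keyfile paths (3rd crypttab field), skipping comments, "none" and /dev nodes.
keyfiles_from_crypttab() {
    awk '$1 !~ /^#/ && NF >= 3 && $3 ~ /^\// && $3 !~ /^\/dev\// { print $3 }' "$1"
}

# Succeed only if the file exists and grants nothing to group or other.
# -L follows symlinks, so a /boot/initrd link is judged by its target.
private_file() {
    [ -f "$1" ] && [ -z "$(find -L "$1" -maxdepth 0 -perm /077)" ]
}

# Succeed if a dracut conf in CONFDIR names KEY in install_items, space on each side.
dracut_includes() {
    grep -hs '^[[:space:]]*install_items+=' "$1"/*.conf | grep -qF -- " $2 "
}

# Print one line per finding; the exit status is the number of findings.
audit() {
    root=$1; findings=0
    for key in $(keyfiles_from_crypttab "$root/etc/crypttab"); do
        private_file "$root$key" ||
            { echo "keyfile missing or open to group/other: $key"; findings=$((findings + 1)); }
        dracut_includes "$root/etc/dracut.conf.d" "$key" ||
            { echo "not in dracut install_items: $key"; findings=$((findings + 1)); }
    done
    # The initrd carries a copy of the key, so it needs the same protection.
    for img in "$root"/boot/initrd*; do
        [ -f "$img" ] || continue
        private_file "$img" ||
            { echo "initrd open to group/other: ${img#"$root"}"; findings=$((findings + 1)); }
    done
    return "$findings"
}
```

On the installed system, run `audit ""` as root after step 4; an exit status of 0 means no findings.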
