Asked for Encryption Password Twice on Boot (Full Disk Encryption)

I’m testing out Leap 42.1 RC1 and I’ve set up an encrypted partition containing LVM, which contains my regular partitions, including /boot. On boot, Grub2 asks me for my encryption password, then I get the boot menu, and then during boot I get asked for the password again.

I’ve done some searching and it looks like the trick is to use a keyfile to unlock the partition. But all of the instructions I’ve seen require mkinitcpio (http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/), but this tool isn’t part of the distribution.

How can I get it so that only Grub2 is asking for the password?

That’s why you have to enter the password twice. The first is so that grub2 can see “/boot”, while the second is so the kernel can read the LVM.

I don’t know of a way to avoid this, other than having a separate unencrypted “/boot”.

Actually, if you take a look at the link I provided, you’ll see that he managed to get it working (on ArchLinux and Linux Mint) by including the key in the initramfs. But he uses mkinitcpio (and on another page he links to, he uses mkinitramfs). Neither of these tools is available in Leap, so I’m trying to figure out the Suse way of doing this.

I think all I really need is the ability to add a file to the initramfs/initrd, but I haven’t been able to find any documentation on how to do that.

The “initrd” on openSUSE is publicly readable. So anyone with access to the system could extract that file.

The “initrd” itself is a compressed CPIO archive. I suppose you could unpack it to a directory, add the file, pack it up and compress it, and make sure that you set it to be readable only by root. If that works when done manually, you could probably come up with a script to automate it.

I have one installation of Tumbleweed done with “/boot” in the encrypted LVM. But I think I prefer to enter the encryption key twice.


There is no interface between the bootloader and the Linux kernel to pass a password (this is supported by e.g. the FreeBSD kernel); you can of course stuff it into the kernel command line, but you probably do not want to do that.

Bingo!

Okay, so you can’t directly add files to the initrd using cpio because, out of the 10MB file, cpio will only extract a few KB worth of files. There’s other stuff in there that cpio can’t see. And since you can’t extract it, you can’t pack it back into a new initrd.

I did some digging on mkinitrd and discovered that it’s nothing more than a script that calls Dracut. And Dracut allows you to install arbitrary files into the initrd. The solution I came up with is to modify the mkinitrd script so that it tells Dracut to include the keyfile. Of course, if mkinitrd ever gets updated, then my changes will be overwritten and I’ll start getting the dual password prompt again.

So what I did is in mkinitrd, I replaced the dracut_cmd line with:

dracut_cmd="dracut --install /path/to/my/keyfile"

/usr/lib/dracut/skipcpio /boot/initrd | xzcat | cpio -itv
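Added illustration of the two posts above (not code from the thread, openSUSE or dracut): a dracut-built initrd is two cpio “newc” archives back to back, an uncompressed early-microcode archive followed by the compressed real initramfs. cpio stops at the first TRAILER!!! record, which is why a plain `cpio -itv` lists only a few KB, and skipcpio simply discards that first archive and hands the rest on. The script builds a constructed two-part image (all paths and contents are placeholders) and shows both listings; the parser is a minimal newc reader that only handles what the demonstration needs.

```python
"""Why plain cpio sees only a few KB of a dracut initrd, and what skipcpio does.

Constructed example: an uncompressed early-microcode newc archive followed by
the compressed real initramfs. Paths and file contents are placeholders.
"""
import gzip
import lzma

NEWC_MAGIC = b"070701"
TRAILER = "TRAILER!!!"
HEADER_LEN = 110  # 6-byte magic + 13 fields of 8 hex digits


def _pad4(n):
    """Bytes needed to round n up to a multiple of 4 (newc alignment)."""
    return (-n) % 4


def build_newc(files):
    """Build a newc cpio archive from {path: bytes}, padded to a 512-byte block
    like 'cpio -o' does. Only the fields parse_newc reads are meaningful."""
    out = bytearray()
    for ino, (name, data) in enumerate(list(files.items()) + [(TRAILER, b"")], 1):
        name_b = name.encode() + b"\0"
        mode = 0 if name == TRAILER else 0o100644
        # ino mode uid gid nlink mtime filesize devmaj devmin rdevmaj rdevmin namesize check
        fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0)
        header = NEWC_MAGIC + b"".join(b"%08X" % v for v in fields)
        out += header + name_b + b"\0" * _pad4(HEADER_LEN + len(name_b))
        out += data + b"\0" * _pad4(len(data))
    out += b"\0" * ((-len(out)) % 512)
    return bytes(out)


def parse_newc(buf, offset=0):
    """Parse one newc archive at offset; return (entries, offset past trailer)."""
    entries, pos = [], offset
    while True:
        if buf[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("no newc header at offset %d" % pos)
        fields = [int(buf[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name = buf[pos + HEADER_LEN:pos + HEADER_LEN + namesize - 1].decode()
        data_start = pos + HEADER_LEN + namesize + _pad4(HEADER_LEN + namesize)
        pos = data_start + filesize + _pad4(filesize)
        if name == TRAILER:
            return entries, pos
        entries.append((name, buf[data_start:data_start + filesize]))


def list_like_cpio(image):
    """Names 'cpio -itv < initrd' reports: it stops at the first trailer."""
    return [name for name, _ in parse_newc(image)[0]]


def skip_cpio(image):
    """What dracut's skipcpio outputs: everything after the first archive and
    the zero block padding that follows it."""
    _, end = parse_newc(image)
    while end < len(image) and image[end] == 0:
        end += 1
    return image[end:]


def list_full(image):
    """Names in the real initramfs: skipcpio, decompress (xz or gzip), list."""
    rest = skip_cpio(image)
    if rest.startswith(b"\xfd7zXZ\x00"):
        rest = lzma.decompress(rest)
    elif rest.startswith(b"\x1f\x8b"):
        rest = gzip.decompress(rest)
    return [name for name, _ in parse_newc(rest)[0]]


def constructed_initrd(use_xz=True):
    """A constructed two-part image; xz like openSUSE's initrd, or gzip."""
    compress = lzma.compress if use_xz else gzip.compress
    early = build_newc({"kernel/x86/microcode/GenuineIntel.bin": b"\0" * 32})
    main = build_newc({
        "init": b"#!/bin/sh\nexec /usr/lib/systemd/systemd\n",
        "etc/crypttab": b"cr_lvm /dev/sda2 /path/to/my/keyfile luks\n",
        "path/to/my/keyfile": b"constructed key material",
    })
    return early + compress(main)


if __name__ == "__main__":
    img = constructed_initrd()
    print("cpio -itv sees:", list_like_cpio(img))
    print("after skipcpio: ", list_full(img))
```

On a real system the same walk is `/usr/lib/dracut/skipcpio /boot/initrd | xzcat | cpio -itv`; the point of the script is that the keyfile, once installed, sits in the second archive, so anyone who can read `/boot/initrd` and knows to skip the first archive can pull it out, which is what the earlier remark about the initrd being publicly readable is about.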

Of course, if mkinitrd ever gets updated, then my changes will be overwritten

echo 'install_items+=" /path/to/my/keyfile "' > /etc/dracut.conf.d/99-my-keyfile.conf

I’m not sure how having your keyfile in initrd helps without also having code to use this keyfile, but if it works for you - great.

/etc/crypttab points to the keyfile. If you’re interested, take a look at the link I included in my original post. The instructions are the same, except for the initrd/initramfs stuff.
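Added example, not from the thread or from openSUSE's tooling: a small audit of the setup the last few posts describe (keyfile named in /etc/crypttab, embedded through a dracut.conf.d install_items drop-in, initrd that now carries it). It builds a constructed root tree in a temporary directory, with a placeholder keyfile path /etc/keys/luks.key, parses the crypttab and the drop-in, and reports the two things that decide whether this is safe: the keyfile and the generated initrd must not be readable by group or others, and every keyfile named in crypttab must really be in install_items, otherwise the kernel prompts again. Ownership (root:root) is deliberately not checked because the example runs unprivileged.

```python
"""Audit a keyfile-in-initrd setup: crypttab, dracut install_items, file modes.

Constructed example: builds a throwaway root tree with a placeholder keyfile,
/etc/crypttab, a dracut.conf.d drop-in and a stand-in /boot/initrd, then
runs the checks on it. Not openSUSE's or dracut's own code.
"""
import os
import shlex
import shutil
import stat
import tempfile

KEYFILE = "/etc/keys/luks.key"  # constructed placeholder path


def parse_crypttab(text):
    """Return {name: (device, keyfile_or_None, [options])} from crypttab text."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        keyfile = fields[2] if len(fields) > 2 and fields[2] not in ("none", "-") else None
        options = fields[3].split(",") if len(fields) > 3 else []
        table[fields[0]] = (fields[1], keyfile, options)
    return table


def dracut_install_items(conf_text):
    """Paths named by install_items+=" ... " lines of a dracut.conf drop-in,
    word-split the way dracut's shell code splits the quoted value."""
    items = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("install_items"):
            value = line.partition("=")[2]
            items.extend(" ".join(shlex.split(value)).split())
    return items


def readable_by_others(path):
    """True if group or other have read permission on path."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


def audit(root):
    """Findings for the tree rooted at root; an empty list means all checks pass."""
    findings = []
    with open(os.path.join(root, "etc/crypttab")) as f:
        crypttab = parse_crypttab(f.read())
    conf_dir = os.path.join(root, "etc/dracut.conf.d")
    installed = []
    for fname in sorted(os.listdir(conf_dir)):
        with open(os.path.join(conf_dir, fname)) as f:
            installed.extend(dracut_install_items(f.read()))
    for name, (_device, keyfile, _options) in crypttab.items():
        if keyfile is None:
            continue  # interactive passphrase; nothing embedded to protect
        path = os.path.join(root, keyfile.lstrip("/"))
        if not os.path.exists(path):
            findings.append(f"{name}: keyfile {keyfile} does not exist")
            continue
        if readable_by_others(path):
            findings.append(f"{name}: keyfile {keyfile} is readable by group/others")
        if keyfile not in installed:
            findings.append(f"{name}: keyfile {keyfile} not in install_items; "
                            "the kernel will ask for the passphrase again")
    initrd = os.path.join(root, "boot/initrd")
    if installed and os.path.exists(initrd) and readable_by_others(initrd):
        findings.append("/boot/initrd embeds a keyfile but is readable by group/others")
    return findings


def build_tree(root, secure):
    """Constructed root tree; secure=False leaves keyfile and initrd at mode 0644."""
    for d in ("etc/keys", "etc/dracut.conf.d", "boot"):
        os.makedirs(os.path.join(root, d))
    mode = 0o600 if secure else 0o644
    keyfile = os.path.join(root, KEYFILE.lstrip("/"))
    with open(keyfile, "wb") as f:
        f.write(b"constructed key material")
    os.chmod(keyfile, mode)
    with open(os.path.join(root, "etc/crypttab"), "w") as f:
        f.write(f"# name device keyfile options\ncr_lvm /dev/sda2 {KEYFILE} luks\n")
    with open(os.path.join(root, "etc/dracut.conf.d/99-my-keyfile.conf"), "w") as f:
        f.write(f'install_items+=" {KEYFILE} "\n')
    initrd = os.path.join(root, "boot/initrd")
    with open(initrd, "wb") as f:
        f.write(b"stand-in for the generated initrd")
    os.chmod(initrd, mode)


def demo(secure):
    """Build a constructed tree, audit it, clean up; returns the findings."""
    root = tempfile.mkdtemp()
    try:
        build_tree(root, secure)
        return audit(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for secure in (False, True):
        print("secure" if secure else "insecure", demo(secure) or ["no findings"])
```

The keyfile only unlocks anything after it has been added as a key slot with `cryptsetup luksAddKey`, which the linked instructions cover; what this check adds is the openSUSE-specific point from earlier in the thread, that the regenerated initrd is where the key ends up and so needs the same mode as the keyfile itself.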

Ah, OK, that makes sense.