Cryptsetup - entering a one-time password at boot

Hello,
Is it possible, having different encrypted partitions with the same password, to enter it only once during the system boot? Currently, I need to enter the password separately to unlock each partition. I know I can create an LVM, but I do not need it. I would like to encrypt the whole system.
/ with sub-volumes - BTRFS
swap
/home - xfs / ext4
This is available in Fedora or can I do that in openSUSE?
Regards :)

That is working for me.

I have an encrypted LVM with root, home, swap.

Separately, I have an encrypted “ext4” partition, which I mount at “/shared”

Both use the same encryption key. I am only prompted once for the key.

Okay, let me modify that. What I just described is correct for one Tumbleweed system.

On a second Tumbleweed system, I am prompted twice – the first prompt is by grub (really grub2-efi) so that it can read its boot menu. The second prompt is to provide the key to the kernel. And this second prompt includes both the encrypted LVM and “/shared”.

I do have plymouth installed, but I am using “plymouth.enable=0”. I’m not sure whether the encryption key is handled by “plymouth” or by “dracut”. My understanding is that either “plymouth” or “dracut” traps the kernel prompt, and in turn asks me for the key. And that software (“dracut” or “plymouth”) remembers what key I provided and tries that first for any future encryption attempt. Apparently the encryption for “/shared” is handled before “plymouth” and “dracut” both go away.

Passphrase is cached by either plymouth or systemd-cryptsetup.

> My understanding is that either “plymouth” or “dracut” traps the kernel prompt

There is no kernel prompt. Everything happens completely in user space. systemd-cryptsetup caches the passphrase in the kernel keyring; in non-systemd mode dracut tries to call plymouth if available, and the passphrase is cached by plymouth (daemon). If plymouth is active, it is also used to query for the passphrase in systemd mode, so the passphrase is cached twice.
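Only volumes that ask for a passphrase interactively can be unlocked from a passphrase cached after an earlier prompt, so a useful check is which `/etc/crypttab` entries will prompt at boot. The script below is an added example, not something posted in the thread; it assumes the crypttab(5) field layout (name, device, key file, options), and the volume names, UUIDs and key file path in the sample are constructed placeholders.

```shell
#!/bin/sh
# List crypttab entries that will ask for a passphrase at boot.
# Layout per crypttab(5): name  device  [keyfile]  [options]
# A key file of "none" or "-", or an omitted field, means "prompt interactively".
# Only those entries can reuse a passphrase cached from an earlier prompt,
# and only if they were set up with the same passphrase.
crypttab_prompting() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }                  # blank lines and comments
        {
            key  = (NF >= 3) ? $3 : "none"
            opts = (NF >= 4) ? $4 : ""
            if (key != "none" && key != "-") next      # unlocked from a key file
            if (("," opts ",") ~ /,noauto,/) next      # not unlocked at boot
            print $1
        }
    ' "$1"
}

# Constructed sample input (placeholders, not taken from the thread).
sample_crypttab() {
    cat <<'EOF'
# name     device                                     keyfile             options
cr_root    UUID=00000000-0000-0000-0000-000000000001  none                luks,discard
cr_swap    UUID=00000000-0000-0000-0000-000000000002  -
cr_home    UUID=00000000-0000-0000-0000-000000000003

cr_backup  UUID=00000000-0000-0000-0000-000000000004  none                noauto
cr_data    UUID=00000000-0000-0000-0000-000000000005  /etc/keys/data.key
EOF
}

# Run the check against the sample; on a real system pass /etc/crypttab instead.
demo() {
    tmp=$(mktemp) || return 1
    sample_crypttab > "$tmp"
    crypttab_prompting "$tmp"
    rm -f "$tmp"
}

demo
```

If more than one name is listed and the volumes do not share a passphrase, expect one prompt per distinct passphrase.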