crypttab and multiple luks volumes handling

Hi folks. Stumbled on something really strange to me, after more than a decade of working with SuSE Linux and OpenSUSE.

In the cryptography sector, encrypted filesystems booth.
Things go like this:

  • I created two luks encrypted filesystems that are to be mounted at boot. It doesn’t matter if I made it manually or in YaST2.
  • The two have different passwords.
  • The system boots, I get prompted to input the password for the first (1) filesystem and I mistakenly type the correct password for the other, the second encrypted (2) filesystem. (BTW, with plymouth there is no hinting about the volume to be opened, but that’s not the issue.)
  • The decryption obviously fails and I’m prompted again to input the password for the first (1) filesystem.
  • I input the correct password for the first (1) filesystem and the system continues booting!
  • I found both filesystems decrypted and mounted!

Therefore the first (invalid) password remains stored and it is automatically used/attempted on the next prompt?
What’s going on?
Goes the same on 13.1/13.2/Leap (42.1&2)

What you describe is being handled by plymouth (the boot splash application).

Plymouth remembers the key that you give, and tries it for other encryption.

Once boot has completed, plymouth goes away and anything that it remembered is forgotten.

If you uninstall plymouth, then you will get multiple crypto prompts during boot, and a noisier boot screen. But perhaps that’s what you want.

At present, I am seeing identification information on the encrypted file system that I am unlocking. I think I am only seeing that in Tumbleweed. So it probably won’t happen for opensuse 13.2, but might happen for Leap 42.2 when that is released (I’m just guessing there).

Personally, my suggestion would be to encrypt both file systems with the same key. And then you are only prompted once. You can add an additional key, as a way of doing that.
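
The boot sequence from the question and the shared-key suggestion from the reply, as a toy Python model added here (it is not plymouth or cryptsetup code). The `Volume` class, the `boot` function, the volume names and the passphrases are constructed for illustration, and the caching rule is an assumption taken from the thread's description.

```python
import hashlib, hmac, os

class Volume:
    """Toy stand-in for a LUKS volume: each keyslot is (salt, PBKDF2 digest)."""
    def __init__(self, name, passphrase):
        self.name, self.slots, self.is_open = name, [], False
        self.add_key(passphrase)

    @staticmethod
    def _kdf(passphrase, salt):
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 1000)

    def add_key(self, passphrase):
        # Models putting an additional passphrase into a free keyslot.
        salt = os.urandom(16)
        self.slots.append((salt, self._kdf(passphrase, salt)))

    def try_open(self, passphrase):
        if any(hmac.compare_digest(d, self._kdf(passphrase, s)) for s, d in self.slots):
            self.is_open = True
        return self.is_open

def boot(volumes, typed):
    """Unlock volumes in order; return the number of prompts each one needed.

    Assumed model of the behaviour described in the thread: every passphrase
    typed during boot, including rejected ones, is kept and tried on later
    volumes before the user is asked again.
    """
    typed, cache, prompts = iter(typed), [], {}
    for vol in volumes:
        prompts[vol.name] = 0
        if any(vol.try_open(p) for p in cache):
            continue                      # opened silently from the cache
        while not vol.is_open:
            entry = next(typed)           # what the user types at the prompt
            prompts[vol.name] += 1
            cache.append(entry)           # cached even if wrong for this volume
            vol.try_open(entry)
    return prompts

def demo():
    # Constructed sample volume names and passphrases.
    v1, v2 = Volume("cr_data1", "alpha-pass"), Volume("cr_data2", "bravo-pass")
    mistyped = boot([v1, v2], ["bravo-pass", "alpha-pass"])
    s1, s2 = Volume("cr_data1", "alpha-pass"), Volume("cr_data2", "bravo-pass")
    s2.add_key("alpha-pass")              # the reply's suggestion: a shared extra key
    shared = boot([s1, s2], ["alpha-pass"])
    return mistyped, shared
```

In the first run the second volume needs zero prompts because the rejected entry was retained; in the second run one prompt opens both volumes because they share a keyslot passphrase.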