Decryption and mounting of encrypted filesystems

Hello,

I just installed OpenSUSE Tumbleweed on my laptop using encrypted rootfs, bootfs and swap. The system boots and seems to work fine, however I am experiencing some problems:

  1. Grub asks for the passphrase to decrypt root and linux asks for the passphrase to decrypt swap. I am never asked to decrypt the home partition.
  2. I am asked to decrypt swap, but swap is not mounted.

In order to be able to decrypt rootfs, swapfs and /home by entering a passphrase only once, I used the following partition scheme:

/dev/sda1: SEC_TYPE="msdos" UUID="0E57-2A49" TYPE="vfat" PARTUUID="6842e7ea-baf9-4ac4-9f61-9c461d017445"
/dev/sda2: UUID="595f3b34-a518-452d-b481-8f3043add7c9" TYPE="crypto_LUKS" PARTUUID="3a82a79e-486b-4cfd-9372-95264cfdd160"
/dev/sda3: UUID="6ad5f082-0d18-4e75-bd81-4b0a89fc9b52" TYPE="crypto_LUKS" PARTUUID="3d87b04f-1cb1-4166-a9af-320b48d5aecb"
/dev/sda4: UUID="1cf7b3d3-d87e-483d-af9d-97e083cb2a55" TYPE="crypto_LUKS" PARTUUID="ed3aa191-468f-491b-ae3c-9ef8f930185c"
/dev/mapper/cr_ata-SanDisk_SD6SB1M256G1002_142624402217-part3: UUID="40c7e221-c24e-4a50-831a-8e83b679a521" TYPE="ext4"
/dev/mapper/cr_ata-SanDisk_SD6SB1M256G1002_142624402217-part2: UUID="049b7e1a-5bcd-4aee-8086-0b8836411f00" TYPE="swap"
/dev/mapper/cr_ata-SanDisk_SD6SB1M256G1002_142624402217-part4: UUID="99103a7b-85b9-47e4-b82a-2d03d3a484a3" TYPE="ext4"

The first partition is the EFI system partition, which is automatically mounted to /boot/efi. If I understood correctly, /boot is then part of the rootfs, so that I can follow the instructions of the OpenSUSE Manual to place a key within the rootfs, which prevents Linux from asking for the passphrase a second time. Following this guide, I modified /etc/crypttab as follows:

cr_ata-SanDisk_SD6SB1M256G1002_142624402217-part2  UUID=595f3b34-a518-452d-b481-8f3043add7c9
cr_ata-SanDisk_SD6SB1M256G1002_142624402217-part3  UUID=6ad5f082-0d18-4e75-bd81-4b0a89fc9b52 /.root.key
cr_ata-SanDisk_SD6SB1M256G1002_142624402217-part4  UUID=1cf7b3d3-d87e-483d-af9d-97e083cb2a55

Is this setup correct, and why do I have to enter the passphrase for swap and not for /home? And is there a way to change the names of the mapped devices?

Thanks in advance.
Phidelux

Hi again,

I added the generated key to all three partitions and regenerated the initrd. Now I only have to enter the passphrase once. However, I am left with two problems:

  1. The swap partition does not get mounted.
  2. The keyboard layout in Grub2 is set to a US layout, so I have to enter the passphrase with a wrong keyboard layout.
  3. How do I change mapped device names?

sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
devtmpfs on /dev type devtmpfs (rw,nosuid,size=6083192k,nr_inodes=1520798,mode=755)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,nodev,mode=755)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,name=systemd)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup/rdma type cgroup (rw,nosuid,nodev,noexec,relatime,rdma)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
/dev/mapper/cr_ata-SanDisk_SD6SB1M256G1002_142624402217-part3 on / type ext4 (rw,relatime)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=34,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=14817)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,pagesize=2M)
mqueue on /dev/mqueue type mqueue (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
/dev/sda1 on /boot/efi type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)
/dev/mapper/cr_ata-SanDisk_SD6SB1M256G1002_142624402217-part4 on /home type ext4 (rw,relatime,data=ordered)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=1218324k,mode=700,uid=1000,gid=100)

Any ideas on how to fix these issues?

Thanks
Phidelux

For me it is a bit confusing.

You start to talk about “encrypted rootfs, bootfs and swap” (where I think you mean the file systems for /, /boot and also swap space), but later you talk about /home.

Is /home a separate file system? And if yes, is it (or should it be) also encrypted?

Also you say somewhere “but swap is not mounted”. I do not know why you think so, but it is true. Swap space is not mounted. It is just used (or not). Not mounted in the meaning of adding a file system’s directory tree to the main directory tree at a directory (the so-called mount point).

You now start one or more new questions/problems. Please start a new thread for each question/problem. They may need to go to a different sub-forum, but in any case, each of them deserves its own title to draw attention to the problem.

People who see the present title about file system encryption and, because they do not know much about that subject, skip this thread, may nevertheless know a lot about your other problem. But they will not see it.

Regarding your swap file mounting,
You need to inspect the boot log for one of these problematic boots.
Although you can read the journalctl MAN pages for how to filter your queries, I find the following article much easier reading. You can search for such things as current or previous boot, errors, errors related to mounting, etc.

https://www.digitalocean.com/community/tutorials/how-to-use-journalctl-to-view-and-manipulate-systemd-logs

I’m pretty sure that your keyboard layout problem is because typically the layout is set in your Desktop, which loads much later in your boot process. To resolve your problem, you should probably look for ways your system sets up its default keyboard layout… in your BIOS? Else, it should be set as a boot parameter. If you do some investigation and can’t come up with a solution, post again (but start a new Forum thread as others have suggested).

As for your posting of your device layout, I am not sure of the purpose and don’t understand why you are asking to change device names… I recommend a clear question and perhaps an example of a specific device name you feel should be different (again, I recommend starting a new Forum thread).

HTH,
TSU

Firstly, on swap:

Technically speaking, swap is not mounted. It is added with the “swapon” command, and that should be automatic.

Simplest check is to use the “free” command. Does that show that you have swap configured?

If you do not have swap configured, then there might be a problem with “/etc/fstab”. What’s the output from:

grep swap /etc/fstab

Second: on renaming the encrypted devices. I assume that you are talking of names such as
“cr_ata-SanDisk_SD6SB1M256G1002_142624402217-part4” which I got from your post earlier in this thread.

Best is to make sure that your encrypted devices are mounted by UUID.

Take the one that I just mentioned. Check the output of:

blkid /dev/mapper/cr_ata-SanDisk_SD6SB1M256G1002_142624402217-part4

and look for the UUID from that output. If you are not sure, then show us the output and we can tell you the UUID to use.

Then check “/etc/fstab”. You want the entry for that device to show up as:

UUID=1234-5678-whatever  ... and the rest of the line

If the entry already uses UUID, you are set for that device. If not, then change the device column to the UUID form, but use the actual UUID rather than what I showed. You should not need to change anything else on that “fstab” line.

Make any such changes for all of your encrypted devices.

Also check your grub2 booting setup. Look for the “resume=” parameter on the kernel command line. You can do that with Yast. You should also use the UUID form for the resume line, as in “resume=UUID=some-funky-string” (but don’t use that literally).

When you have everything set up to use only UUID, then reboot to make sure that everything still boots. Unless you made a typo, there should not be a problem.

Once you are doing everything via UUID, you can just edit “/etc/crypttab” and change the encrypted device names to whatever you want. As long as they do not cause a name conflict, you should be fine. Names such as “cr_root”, “cr_home”, “cr_swap” might be good choices.

After editing “/etc/crypttab”, run “mkinitrd”. And then reboot.
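The procedure in the answer above (every fstab and crypttab entry by UUID, a swap entry present, then rename the mapper devices) can be checked mechanically before rebooting. The following script is an added example, not the poster's or the answerer's own commands; it runs against constructed sample files with made-up UUIDs, but the three functions take any fstab- or crypttab-style file path.

```shell
# Added example: audit fstab/crypttab-style files for the "everything by UUID"
# condition required before renaming mapper devices in /etc/crypttab.

# Exit 0 if every fstab entry names its device as UUID=..., 1 otherwise.
check_fstab_uuid() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         $1 !~ /^UUID=/ { print "fstab: not by UUID: " $1; bad = 1 }
         END { exit (bad ? 1 : 0) }' "$1"
}

# Exit 0 if every crypttab entry refers to its underlying device by UUID=.
# Field 1 is the mapper name (what the poster wants to rename), field 2 the device.
check_crypttab_uuid() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         $2 !~ /^UUID=/ { print "crypttab: " $1 " not by UUID: " $2; bad = 1 }
         END { exit (bad ? 1 : 0) }' "$1"
}

# Exit 0 if fstab has a swap entry (type field "swap"), the "grep swap /etc/fstab" check.
has_swap_entry() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         $3 == "swap" { found = 1 }
         END { exit (found ? 0 : 1) }' "$1"
}

SAMPLE_DIR=$(mktemp -d)
# Constructed fstab: / by UUID, swap still referenced by mapper path (made-up UUID).
cat > "$SAMPLE_DIR/fstab" <<'EOF'
# <device>                                 <mount> <type> <options> <dump> <pass>
UUID=11111111-2222-3333-4444-555555555555  /       ext4   defaults  0 1
/dev/mapper/cr_swap                        swap    swap   defaults  0 0
EOF
# Constructed crypttab in the thread's layout; the second entry still uses a path.
cat > "$SAMPLE_DIR/crypttab" <<'EOF'
cr_root  UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee  /.root.key
cr_swap  /dev/sda2                                   /.root.key
EOF

if check_fstab_uuid "$SAMPLE_DIR/fstab"; then echo "fstab: all entries by UUID"; fi
if check_crypttab_uuid "$SAMPLE_DIR/crypttab"; then echo "crypttab: all entries by UUID"; fi
if has_swap_entry "$SAMPLE_DIR/fstab"; then echo "fstab: swap entry present"; fi
```

Run it against the real files with `check_fstab_uuid /etc/fstab` and `check_crypttab_uuid /etc/crypttab`; only when both exit 0 is it safe to rename the crypttab mapper names and run mkinitrd.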