Encrypted LVM and LUKS issue

I have a System76 Lemur Ultra Thin (lemu4) notebook PC and I installed OpenSUSE 12.2 64 bit yesterday. I used YaST to create LVM partitions and I specified to encrypt them using LUKS. I created a separate /home partition.

When I boot or reboot my PC, I have to enter my LUKS password three separate times to unlock each LVM. Why is this happening? How do I set it up so that I only have to enter my LUKS boot password once to unlock everything?

My other question is regarding the encryption. I assume that it is using AES CBC ESSIV:SHA-256 and SHA-512 hash algorithm at 256 bits 14 rounds cipher strength. Is this correct?

Please help me if you can. Thank you.

How can I check to see if my separate home, tmp, swap partitions are also encrypted?

You probably created three different LVMs. I guess you wanted one encrypted LVM, with three different logical volumes in this LVM. Setting up three different LVMs actually nullifies the whole point of having LVM. You can see a nice graph of what you have in the partition manager in YaST.

Is there any way to fix my problems?

> I installed OpenSUSE 12.2 64 bit yesterday

The easiest way would probably be to reinstall, since it is a new installation and you would need quite some spare space otherwise. I would also suggest prior to doing that, verifying that my assumption as to what you did is correct.

I think you would use

vgdisplay

to check that. But I don’t have my LVM partitioned PC here. I could check this for you in the evening (my evening, that is ;))

In my setup, I have only one LVM, which is encrypted. Inside that LVM, I have logical volumes for “/”, for “/home” and for swap. The encryption applies to the LVM as a whole. A key is requested only once.

I think you made some unwise choices when setting up your system.

Here is how to check:


# cryptsetup luksDump /dev/sda2
LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 4096
.... (rest of output skipped)
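
The fields luksDump prints above come from the fixed-layout LUKS1 header at the start of the partition. As an added example (not part of any post in this thread), this Python parser reads the same fields plus the key size and enabled key slots; the sample header is constructed, and its key size, UUID and slot states are assumed values.

```python
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"
# LUKS1 on-disk header, big-endian: fixed fields (208 bytes) + 8 key slots (48 each).
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")
HEADER_LEN = PHDR.size + 8 * SLOT.size  # 592
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD


def _cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii")


def parse_luks1_header(buf):
    """Return the fields luksDump prints, or raise ValueError if not LUKS1."""
    if len(buf) < HEADER_LEN:
        raise ValueError("short read: a LUKS1 header is %d bytes" % HEADER_LEN)
    (magic, version, cipher, mode, hash_spec, payload, key_bytes,
     _digest, _salt, _iters, uuid) = PHDR.unpack_from(buf, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("no LUKS magic: device is not a LUKS container")
    if version != 1:
        raise ValueError("LUKS version %d uses a different layout" % version)
    enabled = [i for i in range(8)
               if SLOT.unpack_from(buf, PHDR.size + i * SLOT.size)[0] == SLOT_ENABLED]
    return {"cipher": _cstr(cipher), "mode": _cstr(mode), "hash": _cstr(hash_spec),
            "payload_offset": payload, "key_bits": key_bytes * 8,
            "uuid": _cstr(uuid), "enabled_slots": enabled}


def build_sample_header():
    """Constructed header: cipher/mode/hash/offset as in the output above;
    the key size, UUID and slot states are made-up sample values."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1", 4096, 32,
                    bytes(20), bytes(32), 1000,
                    b"00000000-0000-0000-0000-000000000000")
    slots = b"".join(SLOT.pack(SLOT_ENABLED if i == 0 else SLOT_DISABLED,
                               1000, bytes(32), 8 + i * 256, 4000)
                     for i in range(8))
    return hdr + slots


if __name__ == "__main__":
    # With a path (e.g. a partition, read as root) parse it; otherwise use the sample.
    data = open(sys.argv[1], "rb").read(HEADER_LEN) if len(sys.argv) > 1 \
        else build_sample_header()
    for name, value in parse_luks1_header(data).items():
        print("%-15s %s" % (name + ":", value))
```

Run against each partition in turn, a ValueError about the missing magic means that partition is not a LUKS container.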

On 2012-10-15 15:36, nrickert wrote:
>
> wellywu;2496112 Wrote:
>> My other question is regarding the encryption. I assume that it is using
>> AES CBC ESSIV:SHA-256 and SHA-512 hash algorithm at 256 bits 14 rounds
>> cipher strength. Is this correct?
>
> Here is how to check:

“file -s /dev/sda2” will also tell you.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

To my knowledge, the script which unlocks LUKS partitions during the initrd stage contains code which tries to reuse a passphrase for multiple devices (see /lib/mkinitrd/scripts/boot-luks.sh). Wellywu, if you have to enter your passphrase /after/ initrd, while systemd is loading everything, you might want to add the “initrd” options to the devices in /etc/crypttab. Then run mkinitrd and, hopefully, the initrd unlocks everything for you with only one passphrase prompt.

Try to look into the files /lib/mkinitrd/scripts/luks and the crypttab manpage for hints. – Y

I fixed the problem. I re-installed OpenSUSE 12.2 64 bit using the 64 bit DVD ISO on a DVD-R disc. I chose to install K Desktop Environment by default. Now, I only need to type in my LUKS password once to unlock and boot OpenSUSE 12.2 64 bit.

Solved.