I have successfully installed openSUSE Tumbleweed with Full Disk Encryption but every boot I have to enter my password twice.
Then I have searched the forum here and found this thread.
But unfortunately the link in the first post is down/not reachable.
There are some instructions but I don’t know what I have to do exactly.
On Fri, 20 Apr 2018 19:46:01 +0000, in famous wrote:
> Hello Community,
>
> I have successfully installed openSUSE Tumbleweed with Full Disk
> Encryption but every boot I have to enter my password twice.
> Then I have searched the forum here and found this ‘thread’
> (http://tinyurl.com/y7qzspde).
>
> But unfortunately the link in the first post is down/not reachable.
> There are some instructions but I don’t know what I have to do exactly.
>
> Can someone help me or provide me link?
>
> Thank you
I’m going to add a few links (sorry only one is SuSE oriented) that talk about Yubikey so I can bookmark this thread and possibly incorporate your steps in when I ever have time:
You mean it works with only these steps? I miss the step that actually tells dracut to use this keyfile. Adding a file to initrd does not mean it is going to be used to decrypt anything.
P.S. sorry, is it supposed to be “insert at the end of /etc/crypttab”? At the end of what? At the end of /etc/crypttab file? This cannot work. At the end of line - can’t be because line in crypttab has 4 fields and keyfile goes into the third field (not to mention that there could be multiple lines in /etc/crypttab).
If there is only a single encrypted partition, and if it is set up by the current Tumbleweed installer, then it probably works. The installer is generating a “crypttab” with only two fields. So adding to the end (on the same line) would put it in the third field.
I don’t think one should depend on this current behavior of the installer. It would have been better to specify that this information goes in the third field. But it may have actually worked as described.
Yes, it worked for me, so I thought this would work for everyone.
But thanks for the information and here is the better solution… at least I hope so
#Edit Grub File and change GRUB_ENABLE_CRYPTODISK=n TO GRUB_ENABLE_CRYPTODISK=y
sudo nano /etc/default/grub
#Create Keyfile
sudo dd bs=512 count=4 if=/dev/urandom of=/.crypto_keyfile.bin
#Show Disks to find your LUKS device
lsblk
#Add Key (Replace /dev/sdaX with your LUKS Device)
sudo cryptsetup luksAddKey /dev/sdaX /.crypto_keyfile.bin
#"Enter any existing passphrase:" means your LUKS Password
#Change Permission
sudo chmod 000 /.crypto_keyfile.bin && sudo chmod -R g-rwx,o-rwx /boot
#Edit Crypttab and insert the following at the third position of your LUKS Device: /.crypto_keyfile.bin
sudo nano /etc/crypttab
#example:
cr_sdaX UUID=000000000000000000000 /.crypto_keyfile.bin
#when there is "none" at the third position, replace "none" with /.crypto_keyfile.bin
#Add Keyfile to initrd
echo 'install_items+=" /.crypto_keyfile.bin "' | sudo tee /etc/dracut.conf.d/99-initcrypt.conf
#Rebuild initrd
sudo dracut --force
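
The point raised in the replies, that the keyfile belongs in the third crypttab field whether the line currently has two, three or four fields, can be handled by a script instead of a hand edit. The following is an added example, not part of any post in this thread; the function name, the sample mapping names and the sample UUIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): set the key-file field, i.e. the third
# field, of one crypttab entry, however many fields the line has now.
# Usage: set_crypttab_keyfile <crypttab-file> <mapping-name> <keyfile-path>
# Prints the rewritten table on stdout; the input file is left untouched.
# Returns non-zero if the entry is missing or has no device field.
set_crypttab_keyfile() {
    CT_NAME="$2" CT_KEY="$3" awk '
        BEGIN { name = ENVIRON["CT_NAME"]; key = ENVIRON["CT_KEY"] }
        /^[ \t]*(#|$)/ { print; next }          # comments and blank lines
        $1 != name     { print; next }          # other volumes stay as they are
        NF < 2         { print; bad = 1; next } # no device field: do not guess
        {
            opts = ""
            for (i = 4; i <= NF; i++) opts = opts " " $i  # keep the options field
            print $1 " " $2 " " key opts  # a two-field line gains a third field,
            found = 1                     # "none" or an old path is replaced
        }
        END { if (bad || !found) exit 1 }
    ' "$1"
}

# Constructed sample table covering the cases discussed in the thread.
sample_crypttab() {
    cat <<'EOF'
# constructed sample, not a real system
cr_sda2 UUID=00000000-0000-0000-0000-000000000002
cr_sda3 UUID=00000000-0000-0000-0000-000000000003 none
cr_home UUID=00000000-0000-0000-0000-000000000004 none luks,discard
EOF
}

# Demonstration on the sample only; nothing under /etc is read or written.
tmp=$(mktemp) && sample_crypttab > "$tmp"
set_crypttab_keyfile "$tmp" cr_sda2 /.crypto_keyfile.bin
rm -f "$tmp"
```

On a real system, redirect the output to a temporary file and compare it with /etc/crypttab using diff before replacing the original as root.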