I implemented the instructions from SDB:Encrypted root file system.
However, during boot I am requested to type in the password twice: initially for the “root” partition and one more time for “home”. After startup all partitions are properly decrypted and mounted.
What am I missing?
How can I only get a single password request for the root partition and have the others auto-decrypted via the keys?
Any advice is very much appreciated!
FYI
sudo fdisk -l
Device Start End Sectors Size Type
/dev/nvme0n1p1 2048 1050623 1048576 512M EFI System
/dev/nvme0n1p2 1050624 63965183 62914560 30G Linux swap
/dev/nvme0n1p3 63965184 420481023 356515840 170G Linux root (x86-64)
/dev/nvme0n1p4 420481024 1863372799 1442891776 688G Linux home
/dev/nvme0n1p5 1863372800 1961938943 98566144 47G Linux filesystem
/dev/nvme0n1p6 1961938944 2000408575 38469632 18.3G Linux filesystem
$ cat /etc/crypttab
Column 1      Column 2                                   Column 3                                 Column 4
cr_root       UUID=02ecf5b4-f8fc-4978-b16f-ce38f9594aa5  /etc/cryptsetup-keys.d/cr_root.key       x-initrd.attach
cr_swap       UUID=55852a36-7e2d-4900-b89e-711cbaa49a16  /etc/cryptsetup-keys.d/cr_swap.key       x-initrd.attach,force
cr_home       UUID=cd0fdc23-6e50-4cc5-b532-3bc3e86cd953  /etc/cryptsetup-keys.d/cr_home.key       x-initrd.attach
cr_timeshift  UUID=718da963-123e-4887-9012-798c79360045  /etc/cryptsetup-keys.d/cr_timeshift.key  x-initrd.attach
cr_incus      UUID=4e26b0f3-ab5e-4d16-b595-e1f533cc94cf  /etc/cryptsetup-keys.d/cr_incus.key      x-initrd.attach
$ sudo ls -la /etc/cryptsetup-keys.d
-rw------- 1 root root 1024 Jan 9 16:43 cr_home.key
-rw------- 1 root root 1024 Jan 9 16:43 cr_incus.key
-rw------- 1 root root 1024 Jan 9 16:43 cr_root.key
-rw------- 1 root root 1024 Jan 9 16:44 cr_swap.key
-rw------- 1 root root 1024 Jan 9 16:44 cr_timeshift.key
$ sudo ls -la /etc/dracut.conf.d
-rw-r--r-- 1 root root 894 Dec 11 16:49 10-persistent_policy.conf
-rw-r--r-- 1 root root 54 Jan 9 23:25 99-cr_home-key.conf
-rw-r--r-- 1 root root 55 Jan 9 23:26 99-cr_incus-key.conf
-rw-r--r-- 1 root root 54 Jan 9 23:14 99-cr_root-key.conf
-rw-r--r-- 1 root root 54 Jan 9 18:25 99-cr_swap-key.conf
-rw-r--r-- 1 root root 59 Jan 9 23:25 99-cr_timeshift-key.conf
-rw-r--r-- 1 root root 491 Dec 11 16:49 99-debug.conf
-rw-r--r-- 1 root root 30 Jan 9 17:19 99-resume.conf
-rw-r--r-- 1 root root 769 Dec 21 19:40 ostree.conf
Optional Kernel Command Line params
splash=silent resume=/dev/mapper/cr_swap quiet security=apparmor
If all other partitions are unlocked automatically, the obvious guess is an incorrect key, or the key is missing in the initrd. It is rather unclear why you need to unlock your home device (and most other devices) in the initrd already, but if you want to do it, check the initrd content.
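One way to carry out the initrd check suggested above, as an added example that is not part of the original posts: it compares the key files named in crypttab with a saved `lsinitrd` listing. The function names are hypothetical, the listing is constructed, and the script assumes each listing line ends with the file path without a leading "/".

```shell
#!/bin/sh
# Added example: which crypttab key files are absent from an initrd listing?

# "NAME KEYFILE" for crypttab entries that are unlocked in the initrd
# (option x-initrd.attach) and name a key file rather than "none" or "-".
initrd_key_entries() {
    awk 'NF >= 4 && $1 !~ /^#/ && $3 != "none" && $3 != "-" &&
         ("," $4 ",") ~ /,x-initrd\.attach,/ { print $1, $3 }' "$1"
}

# $1 = crypttab path, $2 = file holding the output of lsinitrd.
# Prints the name of every entry whose key file is not in the listing.
# Assumption: the path is the last field of a listing line, without leading "/".
missing_initrd_keys() {
    initrd_key_entries "$1" | while read -r name key; do
        awk -v p="${key#/}" '$NF == p { found = 1 } END { exit !found }' "$2" ||
            printf '%s\n' "$name"
    done
}

# Constructed sample data: crypttab rows in the thread's layout, and a made-up
# listing in which the cr_home key was never packed into the initrd.
sample_crypttab() { cat <<'EOF'
cr_root UUID=02ecf5b4-f8fc-4978-b16f-ce38f9594aa5 /etc/cryptsetup-keys.d/cr_root.key x-initrd.attach
cr_swap UUID=55852a36-7e2d-4900-b89e-711cbaa49a16 /etc/cryptsetup-keys.d/cr_swap.key x-initrd.attach,force
cr_home UUID=cd0fdc23-6e50-4cc5-b532-3bc3e86cd953 /etc/cryptsetup-keys.d/cr_home.key x-initrd.attach
EOF
}
sample_listing() { cat <<'EOF'
-rw-------   1 root     root         1024 Jan  9 16:43 etc/cryptsetup-keys.d/cr_root.key
-rw-------   1 root     root         1024 Jan  9 16:44 etc/cryptsetup-keys.d/cr_swap.key
-rw-r--r--   1 root     root          512 Jan  9 23:26 etc/crypttab
EOF
}

tmp=$(mktemp -d)
sample_crypttab > "$tmp/crypttab"; sample_listing > "$tmp/listing"
missing_initrd_keys "$tmp/crypttab" "$tmp/listing"   # prints: cr_home
rm -rf "$tmp"
# On a live system:
#   sudo lsinitrd > listing; missing_initrd_keys /etc/crypttab listing
```

An empty result means every key file that crypttab expects in the initrd is present, so a remaining prompt has another cause.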
Please, to make the pieces of computer code in your posts better consumable by technically oriented people:
And post as completely as possible. That is, starting with the line with the prompt and the command, then all output, and ending with the new prompt line.
When you really feel you need to change anything in such a copy, then add that in a comment, else we take all characters literally.
When the text is very long, then you can upload to https://paste.opensuse.org/ .
Or you can use the tool susepaste by piping the output to it and posting the URL you get.
You are right, all I really need to unlock at start-up is root and swap (it is also encrypted and I use it for hibernation; for which I followed the additional steps here). The other partitions can be very well decrypted after logging in. I updated my crypttab, however I still get asked to type in the [home] password.
I do see that the “cryptography setup for home” fails at some point:
user:~$ sudo systemctl --all list-units | grep home
[sudo] password for root:
dev-disk-by\x2ddiskseq-1\x2dpart4.device loaded active plugged SKHynix_HFS001TEJ9X115N luks-home
dev-disk-by\x2did-dm\x2dname\x2dcr_home.device loaded active plugged /dev/disk/by-id/dm-name-cr_home
dev-disk-by\x2did-dm\x2duuid\x2dCRYPT\x2dLUKS2\x2dcd0fdc236e504cc5b5323bc3e86cd953\x2dcr_home.device loaded active plugged /dev/disk/by-id/dm-uuid-CRYPT-LUKS2-cd0fdc236e504cc5b5323bc3e86cd953-cr_home
dev-disk-by\x2did-nvme\x2deui.ace42e0025f275f72ee4ac0000000001\x2dpart4.device loaded active plugged SKHynix_HFS001TEJ9X115N luks-home
dev-disk-by\x2did-nvme\x2dSKHynix_HFS001TEJ9X115N_SDB6N75421070714C\x2dpart4.device loaded active plugged SKHynix_HFS001TEJ9X115N luks-home
dev-disk-by\x2did-nvme\x2dSKHynix_HFS001TEJ9X115N_SDB6N75421070714C_1\x2dpart4.device loaded active plugged SKHynix_HFS001TEJ9X115N luks-home
dev-disk-by\x2dlabel-home.device loaded active plugged /dev/disk/by-label/home
dev-disk-by\x2dlabel-luks\x2dhome.device loaded active plugged SKHynix_HFS001TEJ9X115N luks-home
dev-disk-by\x2dpartuuid-4d61d77b\x2da5d7\x2d4b47\x2d9f18\x2d372f548b403b.device loaded active plugged SKHynix_HFS001TEJ9X115N luks-home
dev-disk-by\x2dpath-pci\x2d0000:01:00.0\x2dnvme\x2d1\x2dpart-by\x2dlabel-luks\x2dhome.device loaded active plugged SKHynix_HFS001TEJ9X115N luks-home
dev-disk-by\x2dpath-pci\x2d0000:01:00.0\x2dnvme\x2d1\x2dpart-by\x2dpartnum-4.device loaded active plugged SKHynix_HFS001TEJ9X115N luks-home
dev-disk-by\x2dpath-pci\x2d0000:01:00.0\x2dnvme\x2d1\x2dpart-by\x2dpartuuid-4d61d77b\x2da5d7\x2d4b47\x2d9f18\x2d372f548b403b.device loaded active plugged SKHynix_HFS001TEJ9X115N luks-home
dev-disk-by\x2dpath-pci\x2d0000:01:00.0\x2dnvme\x2d1\x2dpart-by\x2duuid-cd0fdc23\x2d6e50\x2d4cc5\x2db532\x2d3bc3e86cd953.device loaded active plugged SKHynix_HFS001TEJ9X115N luks-home
dev-disk-by\x2dpath-pci\x2d0000:01:00.0\x2dnvme\x2d1\x2dpart4.device loaded active plugged SKHynix_HFS001TEJ9X115N luks-home
dev-disk-by\x2duuid-cd0fdc23\x2d6e50\x2d4cc5\x2db532\x2d3bc3e86cd953.device loaded active plugged SKHynix_HFS001TEJ9X115N luks-home
dev-mapper-cr_home.device loaded active plugged /dev/mapper/cr_home
dev-nvme0n1p4.device loaded active plugged SKHynix_HFS001TEJ9X115N luks-home
sys-devices-pci0000:00-0000:00:06.0-0000:01:00.0-nvme-nvme0-nvme0n1-nvme0n1p4.device loaded active plugged SKHynix_HFS001TEJ9X115N luks-home
home.mount loaded active mounted /home
run-credentials-systemd\x2dcryptsetup\x40cr_home.service.mount loaded active mounted run-credentials-systemd\x2dcryptsetup\x40cr_home.service.mount
run-credentials-systemd\x2dcryptsetup\x40home.service.mount loaded inactive dead run-credentials-systemd\x2dcryptsetup\x40home.service.mount
systemd-cryptsetup@cr_home.service loaded active exited Cryptography Setup for cr_home
● systemd-cryptsetup@home.service loaded failed failed Cryptography Setup for home
blockdev@dev-disk-by\x2dlabel-home.target loaded inactive dead Block Device Preparation for /dev/disk/by-label/home
blockdev@dev-mapper-cr_home.target loaded active active Block Device Preparation for /dev/mapper/cr_home
blockdev@dev-mapper-home.target loaded inactive dead Block Device Preparation for /dev/mapper/home
user:~$ sudo systemctl list-units | grep home
sys-devices-pci0000:00-0000:00:06.0-0000:01:00.0-nvme-nvme0-nvme0n1-nvme0n1p4.device loaded active plugged SKHynix_HFS001TEJ9X115N luks-home
home.mount loaded active mounted /home
run-credentials-systemd\x2dcryptsetup\x40cr_home.service.mount loaded active mounted run-credentials-systemd\x2dcryptsetup\x40cr_home.service.mount
systemd-cryptsetup@cr_home.service loaded active exited Cryptography Setup for cr_home
● systemd-cryptsetup@home.service loaded failed failed Cryptography Setup for home
blockdev@dev-mapper-cr_home.target loaded active active Block Device Preparation for /dev/mapper/cr_home
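The failed `systemd-cryptsetup@home.service` in the output above has no matching name in the posted crypttab, so something other than crypttab created it; systemd-gpt-auto-generator does this under the name "home" for a LUKS partition whose GPT type is "Linux home". The script below is an added example, not part of the original posts, that lists such units; its function names are hypothetical and the sample input is abridged from the thread's output.

```shell
#!/bin/sh
# Added example: find systemd-cryptsetup@ units that have no crypttab entry.

# Mapping names (column 1) of a crypttab file, skipping blank/comment lines.
crypttab_names() {
    awk 'NF && $1 !~ /^#/ { print $1 }' "$1"
}

# Instance names of systemd-cryptsetup@NAME.service in a unit list on stdin.
# Names are compared as printed; systemd escaping (\x2d etc.) is not decoded.
cryptsetup_units() {
    grep -o 'systemd-cryptsetup@[^ ]*\.service' |
        sed -e 's/^systemd-cryptsetup@//' -e 's/\.service$//' | sort -u
}

# $1 = crypttab path, stdin = unit list. Prints units crypttab does not define.
orphan_units() {
    names=$(crypttab_names "$1")
    cryptsetup_units | while read -r unit; do
        printf '%s\n' "$names" | grep -qxF -- "$unit" || printf '%s\n' "$unit"
    done
}

# Sample input, abridged from the output posted in this thread.
sample_crypttab() { cat <<'EOF'
cr_root UUID=02ecf5b4-f8fc-4978-b16f-ce38f9594aa5 /etc/cryptsetup-keys.d/cr_root.key x-initrd.attach
cr_swap UUID=55852a36-7e2d-4900-b89e-711cbaa49a16 /etc/cryptsetup-keys.d/cr_swap.key x-initrd.attach,force
cr_home UUID=cd0fdc23-6e50-4cc5-b532-3bc3e86cd953 /etc/cryptsetup-keys.d/cr_home.key x-initrd.attach
EOF
}
sample_units() { cat <<'EOF'
  home.mount loaded active mounted /home
  systemd-cryptsetup@cr_home.service loaded active exited Cryptography Setup for cr_home
● systemd-cryptsetup@home.service loaded failed failed Cryptography Setup for home
EOF
}

tmp=$(mktemp -d)
sample_crypttab > "$tmp/crypttab"
sample_units | orphan_units "$tmp/crypttab"   # prints: home
rm -rf "$tmp"
# On a live system:
#   systemctl list-units --all 'systemd-cryptsetup@*' | orphan_units /etc/crypttab
```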
In the solution I posted I forgot to add that after making the changes, you need to enter “w” at the end to actually write and finalize the changes. Hope you did that too!
As the original topic is already closed, I follow up here.
I tested installation of Tumbleweed in guided setup mode with separate home. It created the home partition of type 8300 (0FC63DAF-8483-4772-8E79-3D69D8477DE4) - (generic) Linux Filesystem, which means it is not a fault of the installer. It still would be interesting if someone could document the exact steps used to create such a configuration.
When I installed TW, I chose the “expert partition mode”. I then manually selected and set another home partition type from the list, I didn’t use the default. If I remember correctly, it was the same as the one @barunespadhy used.