How to avoid typing the passphrase twice for encrypted file system

Hi All,

I implemented the instructions from SDB:Encrypted root file system.
However, during boot I am requested to type in the password twice: initially for the “root” partition and one more time for “home”. After startup all partitions are properly decrypted and mounted.

What am I missing?
How can I only get a single password request for the root partition and have the others auto-decrypted via the keys?

Any advice is very much appreciated!

FYI

sudo fdisk -l
Device Start End Sectors Size Type
/dev/nvme0n1p1 2048 1050623 1048576 512M EFI System
/dev/nvme0n1p2 1050624 63965183 62914560 30G Linux swap
/dev/nvme0n1p3 63965184 420481023 356515840 170G Linux root (x86-64)
/dev/nvme0n1p4 420481024 1863372799 1442891776 688G Linux home
/dev/nvme0n1p5 1863372800 1961938943 98566144 47G Linux filesystem
/dev/nvme0n1p6 1961938944 2000408575 38469632 18.3G Linux filesystem

$ cat /etc/crypttab

Column 1 Column 2 Column 3 Column 4
cr_root UUID=02ecf5b4-f8fc-4978-b16f-ce38f9594aa5 /etc/cryptsetup-keys.d/cr_root.key x-initrd.attach
cr_swap UUID=55852a36-7e2d-4900-b89e-711cbaa49a16 /etc/cryptsetup-keys.d/cr_swap.key x-initrd.attach,force
cr_home UUID=cd0fdc23-6e50-4cc5-b532-3bc3e86cd953 /etc/cryptsetup-keys.d/cr_home.key x-initrd.attach
cr_timeshift UUID=718da963-123e-4887-9012-798c79360045 /etc/cryptsetup-keys.d/cr_timeshift.key x-initrd.attach
cr_incus UUID=4e26b0f3-ab5e-4d16-b595-e1f533cc94cf /etc/cryptsetup-keys.d/cr_incus.key x-initrd.attach

$ sudo ls -la /etc/cryptsetup-keys.d
-rw------- 1 root root 1024 Jan 9 16:43 cr_home.key
-rw------- 1 root root 1024 Jan 9 16:43 cr_incus.key
-rw------- 1 root root 1024 Jan 9 16:43 cr_root.key
-rw------- 1 root root 1024 Jan 9 16:44 cr_swap.key
-rw------- 1 root root 1024 Jan 9 16:44 cr_timeshift.key

$ sudo ls -la /etc/dracut.conf.d
-rw-r--r-- 1 root root 894 Dec 11 16:49 10-persistent_policy.conf
-rw-r--r-- 1 root root 54 Jan 9 23:25 99-cr_home-key.conf
-rw-r--r-- 1 root root 55 Jan 9 23:26 99-cr_incus-key.conf
-rw-r--r-- 1 root root 54 Jan 9 23:14 99-cr_root-key.conf
-rw-r--r-- 1 root root 54 Jan 9 18:25 99-cr_swap-key.conf
-rw-r--r-- 1 root root 59 Jan 9 23:25 99-cr_timeshift-key.conf
-rw-r--r-- 1 root root 491 Dec 11 16:49 99-debug.conf
-rw-r--r-- 1 root root 30 Jan 9 17:19 99-resume.conf
-rw-r--r-- 1 root root 769 Dec 21 19:40 ostree.conf

Optional Kernel Command Line params
splash=silent resume=/dev/mapper/cr_swap quiet security=apparmor

If all other partitions are unlocked automatically, the obvious guess - incorrect key or key is missing in initrd. It is rather unclear why you need to unlock your home device (and most other devices) in initrd already, but if you want to do it - check the initrd content.

You may also see a variant of Cryptsetup on a separate /home partition goes into emergency mode - English / Install/Boot/Login - openSUSE Forums

And please, post computer text as preformatted, not as quotation, to preserve formatting.

Hello and welcome to the openSUSE forums.

To add some detail to @arvidjaar 's request:

Please, to make the pieces of computer code in your posts better consumable by technical oriented people:

And post as complete as possible. That is starting with the line with the prompt and the command, then all output, and ending with the new prompt line.
When you really feel you need to change anything in such a copy, then add that in a comment, else we take all characters literally.

When the text is very long, then you can upload to https://paste.opensuse.org/ .
Or you can use the tool susepaste by piping the output to it and posting the URL you get.


Thanks and I definitely will post according to the spec from now on!

I checked the home keyfile and it works. Also it seems to be accessible and included in initrd… This is (part of) what lsinitrd gives me:

user:~$ sudo lsinitrd --kver 6.12.8-2-default | grep key
drwxr-xr-x   2 root     root            0 Dec 11 16:49 etc/cryptsetup-keys.d
-rw-------   1 root     root         1024 Dec 11 16:49 etc/cryptsetup-keys.d/cr_root.key
-rw-------   1 root     root         1024 Dec 11 16:49 etc/cryptsetup-keys.d/cr_swap.key

You are right, all I really need to unlock at start-up is root and swap (it is also encrypted and I use it for hibernation; for which I followed the additional steps here). The other partitions can be very well decrypted after logging in. I updated my crypttab, however I still get asked to type in the [home] password.

user:~$ sudo cat /etc/crypttab 
cr_root       UUID=02ecf5b4-f8fc-4978-b16f-ce38f9594aa5  /etc/cryptsetup-keys.d/cr_root.key       x-initrd.attach
cr_swap       UUID=55852a36-7e2d-4900-b89e-711cbaa49a16  /etc/cryptsetup-keys.d/cr_swap.key       x-initrd.attach,force
cr_home       UUID=cd0fdc23-6e50-4cc5-b532-3bc3e86cd953  /etc/cryptsetup-keys.d/cr_home.key       none
cr_timeshift  UUID=718da963-123e-4887-9012-798c79360045  /etc/cryptsetup-keys.d/cr_timeshift.key  none
cr_incus      UUID=4e26b0f3-ab5e-4d16-b595-e1f533cc94cf  /etc/cryptsetup-keys.d/cr_incus.key      none

I do see that the “cryptography setup for home” fails at some point:

user:~$ sudo systemctl --all list-units | grep home
[sudo] password for root: 
  dev-disk-by\x2ddiskseq-1\x2dpart4.device                                                                                                                                 loaded    active   plugged   SKHynix_HFS001TEJ9X115N luks-home
  dev-disk-by\x2did-dm\x2dname\x2dcr_home.device                                                                                                                           loaded    active   plugged   /dev/disk/by-id/dm-name-cr_home
  dev-disk-by\x2did-dm\x2duuid\x2dCRYPT\x2dLUKS2\x2dcd0fdc236e504cc5b5323bc3e86cd953\x2dcr_home.device                                                                     loaded    active   plugged   /dev/disk/by-id/dm-uuid-CRYPT-LUKS2-cd0fdc236e504cc5b5323bc3e86cd953-cr_home
  dev-disk-by\x2did-nvme\x2deui.ace42e0025f275f72ee4ac0000000001\x2dpart4.device                                                                                           loaded    active   plugged   SKHynix_HFS001TEJ9X115N luks-home
  dev-disk-by\x2did-nvme\x2dSKHynix_HFS001TEJ9X115N_SDB6N75421070714C\x2dpart4.device                                                                                      loaded    active   plugged   SKHynix_HFS001TEJ9X115N luks-home
  dev-disk-by\x2did-nvme\x2dSKHynix_HFS001TEJ9X115N_SDB6N75421070714C_1\x2dpart4.device                                                                                    loaded    active   plugged   SKHynix_HFS001TEJ9X115N luks-home
  dev-disk-by\x2dlabel-home.device                                                                                                                                         loaded    active   plugged   /dev/disk/by-label/home
  dev-disk-by\x2dlabel-luks\x2dhome.device                                                                                                                                 loaded    active   plugged   SKHynix_HFS001TEJ9X115N luks-home
  dev-disk-by\x2dpartuuid-4d61d77b\x2da5d7\x2d4b47\x2d9f18\x2d372f548b403b.device                                                                                          loaded    active   plugged   SKHynix_HFS001TEJ9X115N luks-home
  dev-disk-by\x2dpath-pci\x2d0000:01:00.0\x2dnvme\x2d1\x2dpart-by\x2dlabel-luks\x2dhome.device                                                                             loaded    active   plugged   SKHynix_HFS001TEJ9X115N luks-home
  dev-disk-by\x2dpath-pci\x2d0000:01:00.0\x2dnvme\x2d1\x2dpart-by\x2dpartnum-4.device                                                                                      loaded    active   plugged   SKHynix_HFS001TEJ9X115N luks-home
  dev-disk-by\x2dpath-pci\x2d0000:01:00.0\x2dnvme\x2d1\x2dpart-by\x2dpartuuid-4d61d77b\x2da5d7\x2d4b47\x2d9f18\x2d372f548b403b.device                                      loaded    active   plugged   SKHynix_HFS001TEJ9X115N luks-home
  dev-disk-by\x2dpath-pci\x2d0000:01:00.0\x2dnvme\x2d1\x2dpart-by\x2duuid-cd0fdc23\x2d6e50\x2d4cc5\x2db532\x2d3bc3e86cd953.device                                          loaded    active   plugged   SKHynix_HFS001TEJ9X115N luks-home
  dev-disk-by\x2dpath-pci\x2d0000:01:00.0\x2dnvme\x2d1\x2dpart4.device                                                                                                     loaded    active   plugged   SKHynix_HFS001TEJ9X115N luks-home
  dev-disk-by\x2duuid-cd0fdc23\x2d6e50\x2d4cc5\x2db532\x2d3bc3e86cd953.device                                                                                              loaded    active   plugged   SKHynix_HFS001TEJ9X115N luks-home
  dev-mapper-cr_home.device                                                                                                                                                loaded    active   plugged   /dev/mapper/cr_home
  dev-nvme0n1p4.device                                                                                                                                                     loaded    active   plugged   SKHynix_HFS001TEJ9X115N luks-home
  sys-devices-pci0000:00-0000:00:06.0-0000:01:00.0-nvme-nvme0-nvme0n1-nvme0n1p4.device                                                                                     loaded    active   plugged   SKHynix_HFS001TEJ9X115N luks-home
  home.mount                                                                                                                                                               loaded    active   mounted   /home
  run-credentials-systemd\x2dcryptsetup\x40cr_home.service.mount                                                                                                           loaded    active   mounted   run-credentials-systemd\x2dcryptsetup\x40cr_home.service.mount
  run-credentials-systemd\x2dcryptsetup\x40home.service.mount                                                                                                              loaded    inactive dead      run-credentials-systemd\x2dcryptsetup\x40home.service.mount
  systemd-cryptsetup@cr_home.service                                                                                                                                       loaded    active   exited    Cryptography Setup for cr_home
● systemd-cryptsetup@home.service                                                                                                                                          loaded    failed   failed    Cryptography Setup for home
  blockdev@dev-disk-by\x2dlabel-home.target                                                                                                                                loaded    inactive dead      Block Device Preparation for /dev/disk/by-label/home
  blockdev@dev-mapper-cr_home.target                                                                                                                                       loaded    active   active    Block Device Preparation for /dev/mapper/cr_home
  blockdev@dev-mapper-home.target                                                                                                                                          loaded    inactive dead      Block Device Preparation for /dev/mapper/home
user:~$ sudo systemctl list-units | grep home
  sys-devices-pci0000:00-0000:00:06.0-0000:01:00.0-nvme-nvme0-nvme0n1-nvme0n1p4.device                                                                                     loaded active plugged   SKHynix_HFS001TEJ9X115N luks-home
  home.mount                                                                                                                                                               loaded active mounted   /home
  run-credentials-systemd\x2dcryptsetup\x40cr_home.service.mount                                                                                                           loaded active mounted   run-credentials-systemd\x2dcryptsetup\x40cr_home.service.mount
  systemd-cryptsetup@cr_home.service                                                                                                                                       loaded active exited    Cryptography Setup for cr_home
● systemd-cryptsetup@home.service                                                                                                                                          loaded failed failed    Cryptography Setup for home
  blockdev@dev-mapper-cr_home.target                                                                                                                                       loaded active active    Block Device Preparation for /dev/mapper/cr_home
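
The check suggested earlier in the thread (compare the crypttab entries with the initrd content), written out as an added example that is not part of any post. The function name, the sample files and the UUID placeholders are assumptions; the sample data is constructed, modelled on the output posted above.

```sh
#!/bin/sh
# Added example (not from the thread): report crypttab entries that are opened
# in the initrd (x-initrd.attach) but whose key file is not in the initrd.

# missing_initrd_keys CRYPTTAB LISTING
#   CRYPTTAB: crypttab-format file; LISTING: saved `lsinitrd` output.
# Prints "<name> <keyfile>" for each affected entry.
missing_initrd_keys() {
    while read -r name _device keyfile options; do
        case $name in ''|'#'*) continue ;; esac        # blank line or comment
        case ",$options," in
            *,x-initrd.attach,*) ;;                    # must be opened inside the initrd
            *) continue ;;                             # not requested in the initrd
        esac
        case $keyfile in ''|none|-) continue ;; esac   # no key file: prompt is expected
        member=${keyfile#/}                            # lsinitrd paths have no leading slash
        if ! awk -v m="$member" '$NF == m { ok = 1 } END { exit !ok }' "$2"; then
            printf '%s %s\n' "$name" "$keyfile"
        fi
    done < "$1"
}

# Constructed sample data modelled on the output posted in the thread;
# the UUID values are placeholders.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/crypttab" <<'EOF'
cr_root      UUID=PLACEHOLDER-1 /etc/cryptsetup-keys.d/cr_root.key      x-initrd.attach
cr_swap      UUID=PLACEHOLDER-2 /etc/cryptsetup-keys.d/cr_swap.key      x-initrd.attach,force
cr_home      UUID=PLACEHOLDER-3 /etc/cryptsetup-keys.d/cr_home.key      x-initrd.attach
cr_timeshift UUID=PLACEHOLDER-4 /etc/cryptsetup-keys.d/cr_timeshift.key none
cr_incus     UUID=PLACEHOLDER-5 /etc/cryptsetup-keys.d/cr_incus.key     x-initrd.attach
EOF
    cat > "$tmp/listing" <<'EOF'
drwxr-xr-x   2 root     root            0 Dec 11 16:49 etc/cryptsetup-keys.d
-rw-------   1 root     root         1024 Dec 11 16:49 etc/cryptsetup-keys.d/cr_root.key
-rw-------   1 root     root         1024 Dec 11 16:49 etc/cryptsetup-keys.d/cr_swap.key
EOF
    missing_initrd_keys "$tmp/crypttab" "$tmp/listing"
    rm -rf "$tmp"
}

demo
```

The check only confirms that a key file is present in the initrd listing; it does not confirm that the key actually opens the LUKS device.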

Read How to avoid typing the passphrase twice for encrypted file system - #3 by arvidjaar again and read the topic I mentioned there. You have the same problem.

I re-read with a fresher pair of eyes, and yes, it was the same underlying systemd problem/bug mentioned there. I solved it in the same way as here.

Thanks a ton!! :metal: :100:

Hey!

In the solution I posted I forgot to add that after making the changes, you need to enter “w” at the end to actually write and finalize the changes. Hope you did that too!

Cheers!


As the original topic is already closed, I follow up here.

I tested installation of Tumbleweed in guided setup mode with separate home. It created the home partition of type 8300 (0FC63DAF-8483-4772-8E79-3D69D8477DE4) - (generic) Linux Filesystem. Which means it is not a fault of the installer. It still would be interesting if someone could document the exact steps used to create such configuration.

I actually used yast partitioner to update the label, but thanks a lot!

When I installed TW, I chose the “expert partition mode”. I then manually selected and set another home partition type from the list, I didn’t use the default. If I remember correctly, it was the same as the one @barunespadhy used.

yea pretty much, the only small difference in my case was that I specifically chose to encrypt only the home partition using LUKS2.