I think I added the root key to the wrong partition when trying to avoid typing the password twice.

So I tried a reboot after following this guide, and I am still asked for the password 3 times lol, even more than the 2 before.

Somehow I still have to type the password once immediately after pressing the power button, and another 2 times just before the system boots, for part2 and part4 (what are these parts??).

https://en.opensuse.org/SDB:Encrypted_root_file_system

This is what my partitions look like.

/dev/sda1 BIOS Boot

/dev/sda2 enc Linux Native Btrfs /

/dev/sda3 enc Linux Native Btrfs /home

/dev/sda4 enc Linux Swap Swap swap

I followed the guide basically exactly.

Create a key file.

dd if=/dev/urandom of=/.root.key bs=1024 count=1

  1. Make sure the key file can only be read by root.

chmod 600 /.root.key

  1. Add the key file as a valid way to decrypt your root partition. I have a separate /home so I added sda3 as well, not sure if I understand this right.

cryptsetup luksAddKey /dev/sda2 /.root.key
cryptsetup luksAddKey /dev/sda3 /.root.key

  1. Edit /etc/crypttab and add the key file in the third column.

cr_sda1 UUID=… /.root.key

So this is what I am not sure about; my /etc/crypttab looks like this

(not sure if the UUID is sensitive, I'm just gonna delete some of it)

cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part2 UUID=fbXXXXXXX /.root.key
cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part3 UUID=09XXXXXXX /.root.key
cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part4 UUID=06XXXXXXX /.root.key

And then I followed the rest as normal

  1. Configure dracut to add the key file to the initrd. To do this, create a file /etc/dracut.conf.d/99-root-key.conf with the following content:

install_items+=" /.root.key "

  1. Make /boot accessible for root only.

chmod -R g-rwx,o-rwx /boot

  1. Rebuild the initrd.

mkinitrd

Thanks.

What you are describing looks okay. I am not seeing any obvious problem. And I do have that working, except with “ext4” rather than “btrfs”.

Make sure that the UUIDs that you use in “/etc/crypttab” are the correct ones.

To take one example, let’s look at your partition 2. There are actually 2 UUIDs associated with that. There is the UUID that you should get as output from:

blkid /dev/sda2

and there is also the UUID that you should get from:

blkid /dev/mapper/cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part2

It is the first of those that you will need in “/etc/crypttab”. And it is the second of those that you will need in “/etc/fstab” (assuming that you are using UUID for mounting).

Also, make sure that you are using UUID rather than PARTUUID, since the “blkid” command will give both.

Thanks for the reply.

My crypttab currently looks like this:


cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part2  UUID=fbd989a4-de4c-48d6-9d08-52dd1d3fedce /.root.key
cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part3  UUID=09948f4d-6b35-4467-933d-48bdf399c5f8 /.root.key
cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part4  UUID=062c3387-1d82-4570-a738-1f8f84786bee /.root.key

The output of blkid /dev/sdaX is


blkid /dev/sda2
/dev/sda2: UUID="fbd989a4-de4c-48d6-9d08-52dd1d3fedce" TYPE="crypto_LUKS" PARTUUID="676083de-5378-4883-b15e-e8e59f7679d5" 
blkid /dev/sda3
/dev/sda3: UUID="09948f4d-6b35-4467-933d-48bdf399c5f8" TYPE="crypto_LUKS" PARTUUID="13f8cb3b-737c-470b-ac1e-13ff0974a66a"
blkid /dev/sda4
/dev/sda4: UUID="062c3387-1d82-4570-a738-1f8f84786bee" TYPE="crypto_LUKS" PARTUUID="4c07c00a-b3ea-463c-8acc-7e682ee4660c"

So it looks like the crypttab UUIDs are correct.

My fstab currently looks like this.

UUID=aeacda3b-99fd-4ba6-aa4d-22ecfb807973  /                       btrfs  defaults                      0  0
UUID=aeacda3b-99fd-4ba6-aa4d-22ecfb807973  /boot/grub2/x86_64-efi  btrfs  subvol=/@/boot/grub2/x86_64-efi  0  0
UUID=aeacda3b-99fd-4ba6-aa4d-22ecfb807973  /boot/grub2/i386-pc     btrfs  subvol=/@/boot/grub2/i386-pc  0  0
UUID=aeacda3b-99fd-4ba6-aa4d-22ecfb807973  /.snapshots             btrfs  subvol=/@/.snapshots          0  0
UUID=aeacda3b-99fd-4ba6-aa4d-22ecfb807973  /var                    btrfs  subvol=/@/var                 0  0
UUID=aeacda3b-99fd-4ba6-aa4d-22ecfb807973  /usr/local              btrfs  subvol=/@/usr/local           0  0
UUID=aeacda3b-99fd-4ba6-aa4d-22ecfb807973  /tmp                    btrfs  subvol=/@/tmp                 0  0
UUID=aeacda3b-99fd-4ba6-aa4d-22ecfb807973  /srv                    btrfs  subvol=/@/srv                 0  0
UUID=aeacda3b-99fd-4ba6-aa4d-22ecfb807973  /root                   btrfs  subvol=/@/root                0  0
UUID=aeacda3b-99fd-4ba6-aa4d-22ecfb807973  /opt                    btrfs  subvol=/@/opt                 0  0
UUID=05b48cc5-8605-4316-9377-cbb1eff67d79  /home                   btrfs  compress=zstd                 0  0
UUID=b8d42f75-8281-48d9-885f-75c0c7370246  swap                    swap   defaults                      0  0

Output of blkid /dev/mapper/

blkid /dev/mapper/cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part2
/dev/mapper/cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part2: UUID="aeacda3b-99fd-4ba6-aa4d-22ecfb807973" UUID_SUB="1e13770a-0beb-49ab-9509-473a1b0f20e3" TYPE="btrfs"

blkid /dev/mapper/cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part3
/dev/mapper/cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part3: UUID="05b48cc5-8605-4316-9377-cbb1eff67d79" UUID_SUB="da848647-0b2d-4d25-a5b3-525da108d175" TYPE="btrfs"

blkid /dev/mapper/cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part4
/dev/mapper/cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part4: UUID="b8d42f75-8281-48d9-885f-75c0c7370246" TYPE="swap"

From what you describe, crypttab and fstab look to be OK. So maybe crypttab and fstab are not at fault here?

Output of mkinitrd, if of interest:

mkinitrd
Creating initrd: /boot/initrd-4.20.4-1-default
dracut: Executing: /usr/bin/dracut --logfile /var/log/YaST2/mkinitrd.log --force /boot/initrd-4.20.4-1-default 4.20.4-1-default
dracut: dracut module 'lvm' will not be installed, because command 'lvm' could not be found!
dracut: dracut module 'lvm' will not be installed, because command 'lvm' could not be found!
dracut: *** Including module: bash ***
dracut: *** Including module: systemd ***
dracut: *** Including module: warpclock ***
dracut: *** Including module: systemd-initrd ***
dracut: *** Including module: i18n ***
dracut: *** Including module: drm ***
dracut: *** Including module: plymouth ***
dracut: *** Including module: btrfs ***
dracut: *** Including module: crypt ***
dracut: *** Including module: dm ***
dracut: Skipping udev rule: 64-device-mapper.rules
dracut: Skipping udev rule: 60-persistent-storage-dm.rules
dracut: Skipping udev rule: 55-dm.rules
dracut: *** Including module: kernel-modules ***
dracut: *** Including module: rootfs-block ***
dracut: *** Including module: suse-xfs ***
dracut: *** Including module: terminfo ***
dracut: *** Including module: udev-rules ***
dracut: Skipping udev rule: 40-redhat.rules
dracut: Skipping udev rule: 50-firmware.rules
dracut: Skipping udev rule: 50-udev.rules
dracut: Skipping udev rule: 91-permissions.rules
dracut: Skipping udev rule: 80-drivers-modprobe.rules
dracut: *** Including module: dracut-systemd ***
dracut: *** Including module: haveged ***
dracut: *** Including module: ostree ***
dracut: *** Including module: usrmount ***
dracut: *** Including module: base ***
dracut: *** Including module: fs-lib ***
dracut: *** Including module: shutdown ***
dracut: *** Including module: suse ***
dracut: *** Including modules done ***
dracut: *** Installing kernel module dependencies and firmware ***
dracut: *** Installing kernel module dependencies and firmware done ***
dracut: *** Resolving executable dependencies ***
dracut: *** Resolving executable dependencies done***
dracut: *** Hardlinking files ***
dracut: *** Hardlinking files done ***
dracut: *** Stripping files ***
dracut: *** Stripping files done ***
dracut: *** Generating early-microcode cpio image ***
dracut: *** Constructing GenuineIntel.bin ****
dracut: *** Store current command line parameters ***
dracut: Stored kernel commandline:
dracut:  rd.luks.uuid=luks-fbd989a4-de4c-48d6-9d08-52dd1d3fedce
dracut:  root=/dev/mapper/cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part2 rootfstype=btrfs rootflags=rw,relatime,space_cache,subvolid=939,subvol=/@/.snapshots/601/snapshot,subvol=@/.snapshots/601/snapshot
dracut: *** Creating image file '/boot/initrd-4.20.4-1-default' ***
dracut: *** Creating initramfs image file '/boot/initrd-4.20.4-1-default' done ***
Creating initrd: /boot/initrd-4.20.6-1-default
dracut: Executing: /usr/bin/dracut --logfile /var/log/YaST2/mkinitrd.log --force /boot/initrd-4.20.6-1-default 4.20.6-1-default
dracut: dracut module 'lvm' will not be installed, because command 'lvm' could not be found!
dracut: dracut module 'lvm' will not be installed, because command 'lvm' could not be found!
dracut: *** Including module: bash ***
dracut: *** Including module: systemd ***
dracut: *** Including module: warpclock ***
dracut: *** Including module: systemd-initrd ***
dracut: *** Including module: i18n ***
dracut: *** Including module: drm ***
dracut: *** Including module: plymouth ***
dracut: *** Including module: btrfs ***
dracut: *** Including module: crypt ***
dracut: *** Including module: dm ***
dracut: Skipping udev rule: 64-device-mapper.rules
dracut: Skipping udev rule: 60-persistent-storage-dm.rules
dracut: Skipping udev rule: 55-dm.rules
dracut: *** Including module: kernel-modules ***
dracut: *** Including module: rootfs-block ***
dracut: *** Including module: suse-xfs ***
dracut: *** Including module: terminfo ***
dracut: *** Including module: udev-rules ***
dracut: Skipping udev rule: 40-redhat.rules
dracut: Skipping udev rule: 50-firmware.rules
dracut: Skipping udev rule: 50-udev.rules
dracut: Skipping udev rule: 91-permissions.rules
dracut: Skipping udev rule: 80-drivers-modprobe.rules
dracut: *** Including module: dracut-systemd ***
dracut: *** Including module: haveged ***
dracut: *** Including module: ostree ***
dracut: *** Including module: usrmount ***
dracut: *** Including module: base ***
dracut: *** Including module: fs-lib ***
dracut: *** Including module: shutdown ***
dracut: *** Including module: suse ***
dracut: *** Including modules done ***
dracut: *** Installing kernel module dependencies and firmware ***
dracut: *** Installing kernel module dependencies and firmware done ***
dracut: *** Resolving executable dependencies ***
dracut: *** Resolving executable dependencies done***
dracut: *** Hardlinking files ***
dracut: *** Hardlinking files done ***
dracut: *** Stripping files ***
dracut: *** Stripping files done ***
dracut: *** Generating early-microcode cpio image ***
dracut: *** Constructing GenuineIntel.bin ****
dracut: *** Store current command line parameters ***
dracut: Stored kernel commandline:
dracut:  rd.luks.uuid=luks-fbd989a4-de4c-48d6-9d08-52dd1d3fedce
dracut:  root=/dev/mapper/cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part2 rootfstype=btrfs rootflags=rw,relatime,space_cache,subvolid=939,subvol=/@/.snapshots/601/snapshot,subvol=@/.snapshots/601/snapshot
dracut: *** Creating image file '/boot/initrd-4.20.6-1-default' ***
dracut: *** Creating initramfs image file '/boot/initrd-4.20.6-1-default' done ***


That all looks right, unless I am missing something.

When I last set this up (in a KVM virtual machine), it didn’t work. I went back and checked everything.

I don’t remember whether I found a small typo somewhere, or whether it just started working a day or two later. It was probably a small typo. It has been working fine since then.

You can use “lsinitrd” to check whether the needed files are in the “initrd”. In particular, you need that file “/.root.key” to be there.

Since the lsinitrd output is long, I wrote it to a text file with
lsinitrd > lsinitrd.txt
and copied that to pastebin.
https://pastebin.com/5aEtbtQU

I tried searching for /.root.key, no result.
But I did find .root.key without the /
Thanks.

Then that’s fine. “lsinitrd” lists without the leading “/”.

Hmm, I suggest that you add “none” as a 4th column entry for those “crypttab” entries, just in case that is needed. It depends on how fussy the software that looks is.

And then you have to rerun “mkinitrd”.

I edited my crypttab to look like this,
ran mkinitrd and rebooted; it still asks for the password twice.
Not sure if this is relevant, but it asks for a password for grub and another for part4, which is /dev/sda4, the swap partition.

cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part2  UUID=fbd989a4-de4c-48d6-9d08-52dd1d3fedce /.root.key none
cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part3  UUID=09948f4d-6b35-4467-933d-48bdf399c5f8 /.root.key none
cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part4  UUID=062c3387-1d82-4570-a738-1f8f84786bee /.root.key none

BROOOOOOOOO IM MA GENIUS IQ250

I have to do this for swap too

cryptsetup luksAddKey /dev/sda4 /.root.key
and
mkinitrd

and boooooommmmmm

ITS SOLVED !!! THANKS FOR THE HELP

I’m glad it is now working. And thanks for reporting back.
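
The cause found in this thread (a crypttab entry naming /.root.key for a partition on which luksAddKey had never been run) can be checked directly before rebooting. The script below is an added example, not part of the original thread or of the openSUSE guide: for every crypttab entry that names a key file it asks cryptsetup to test that key without activating a mapping. The function names, the short mapping names cr_part2 to cr_part4 and the fake_probe stand-in used by the offline demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: does each key file named in crypttab really unlock its device?

# Turn a crypttab device field (UUID=... or a path) into a device path.
resolve_dev() {
    case "$1" in
        UUID=*) printf '/dev/disk/by-uuid/%s\n' "${1#UUID=}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# Real probe (needs root): try the key file without activating a mapping.
# Fails if luksAddKey was never run for this key file on this device.
probe_key() {
    cryptsetup luksOpen --test-passphrase --key-file "$2" "$1" </dev/null 2>/dev/null
}

# Constructed stand-in for the demo: part2 and part3 have the key, part4 does not.
fake_probe() {
    case "$1" in *062c3387*) return 1 ;; *) return 0 ;; esac
}

# check_crypttab [FILE] [PROBE]: print OK/MISSING per entry that names a key file.
check_crypttab() {
    tab=${1:-/etc/crypttab}
    probe=${2:-probe_key}
    while read -r name dev key opts; do
        case "$name" in ''|'#'*) continue ;; esac   # blank line or comment
        case "$key" in ''|none|-) continue ;; esac  # passphrase-only entry
        if "$probe" "$(resolve_dev "$dev")" "$key"; then
            echo "OK $name"
        else
            echo "MISSING $name"
        fi
    done < "$tab"
}

# Offline demo on a constructed crypttab modelled on the thread's three entries.
demo() {
    t=$(mktemp)
    cat > "$t" <<'EOF'
# name    device                                     key file    options
cr_part2  UUID=fbd989a4-de4c-48d6-9d08-52dd1d3fedce  /.root.key  none
cr_part3  UUID=09948f4d-6b35-4467-933d-48bdf399c5f8  /.root.key  none
cr_part4  UUID=062c3387-1d82-4570-a738-1f8f84786bee  /.root.key  none
EOF
    check_crypttab "$t" fake_probe
    rm -f "$t"
}
```

On a real system, run `check_crypttab /etc/crypttab` as root; any MISSING line is a device that will still prompt for a passphrase at boot until the key file is added to it.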