So I tried rebooting while following this guide, and I still get asked for the password 3 times lol, even more than the 2 before.
Somehow I still have to type the password once immediately after pressing the power button and another 2 times just before the system boots, for part2 and part4 (what are these parts??).
https://en.opensuse.org/SDB:Encrypted_root_file_system
This is what my partitions look like.
/dev/sda1 BIOS Boot
/dev/sda2 enc Linux Native Btrfs /
/dev/sda3 enc Linux Native Btrfs /home
/dev/sda4 enc Linux Swap Swap swap
I followed the guide basically exactly.
Create a key file.
dd if=/dev/urandom of=/.root.key bs=1024 count=1
Make sure the key file can only be read by root.
chmod 600 /.root.key
Add the key file as a valid way to decrypt your root partition. I have a separate /home so I added sda3 as well; not sure if I understand this right.
cryptsetup luksAddKey /dev/sda2 /.root.key
cryptsetup luksAddKey /dev/sda3 /.root.key
Edit /etc/crypttab and add the key file in the third column.
cr_sda1 UUID=… /.root.key
So this is the part I am not sure about; my /etc/crypttab looks like this
(not sure if the UUID is sensitive, I'm just gonna delete some of it)
cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part2 UUID=fbXXXXXXX /.root.key
cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part3 UUID=09XXXXXXX /.root.key
cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part4 UUID=06XXXXXXX /.root.key
And then I followed the rest as normal.
Configure dracut to add the key file to the initrd. To do this, create a file /etc/dracut.conf.d/99-root-key.conf with the following content:
install_items+=" /.root.key "
Make /boot accessible for root only.
chmod -R g-rwx,o-rwx /boot
Rebuild the initrd.
mkinitrd
Thanks.
What you are describing looks okay. I am not seeing any obvious problem. And I do have that working, except with “ext4” rather than “btrfs”.
Make sure that the UUIDs that you use in “/etc/crypttab” are the correct ones.
To take one example, let’s look at your partition 2. There are actually 2 UUIDs associated with that. There is the UUID that you should get as output from:
blkid /dev/sda2
and there is also the UUID that you should get from:
blkid /dev/mapper/cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part2
It is the first of those that you will need in “/etc/crypttab”. And it is the second of those that you will need in “/etc/fstab” (assuming that you are using UUID for mounting).
Also, make sure that you are using UUID rather than PARTUUID, since the “blkid” command will give both.
Thanks for the reply.
My crypttab currently looks like this:
cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part2 UUID=fbd989a4-de4c-48d6-9d08-52dd1d3fedce /.root.key
cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part3 UUID=09948f4d-6b35-4467-933d-48bdf399c5f8 /.root.key
cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part4 UUID=062c3387-1d82-4570-a738-1f8f84786bee /.root.key
The output of blkid /dev/sdaX is
blkid /dev/sda2
/dev/sda2: UUID="fbd989a4-de4c-48d6-9d08-52dd1d3fedce" TYPE="crypto_LUKS" PARTUUID="676083de-5378-4883-b15e-e8e59f7679d5"
blkid /dev/sda3
/dev/sda3: UUID="09948f4d-6b35-4467-933d-48bdf399c5f8" TYPE="crypto_LUKS" PARTUUID="13f8cb3b-737c-470b-ac1e-13ff0974a66a"
blkid /dev/sda4
/dev/sda4: UUID="062c3387-1d82-4570-a738-1f8f84786bee" TYPE="crypto_LUKS" PARTUUID="4c07c00a-b3ea-463c-8acc-7e682ee4660c"
So it looks like the crypttab UUIDs are correct.
My fstab currently looks like this.
UUID=aeacda3b-99fd-4ba6-aa4d-22ecfb807973 / btrfs defaults 0 0
UUID=aeacda3b-99fd-4ba6-aa4d-22ecfb807973 /boot/grub2/x86_64-efi btrfs subvol=/@/boot/grub2/x86_64-efi 0 0
UUID=aeacda3b-99fd-4ba6-aa4d-22ecfb807973 /boot/grub2/i386-pc btrfs subvol=/@/boot/grub2/i386-pc 0 0
UUID=aeacda3b-99fd-4ba6-aa4d-22ecfb807973 /.snapshots btrfs subvol=/@/.snapshots 0 0
UUID=aeacda3b-99fd-4ba6-aa4d-22ecfb807973 /var btrfs subvol=/@/var 0 0
UUID=aeacda3b-99fd-4ba6-aa4d-22ecfb807973 /usr/local btrfs subvol=/@/usr/local 0 0
UUID=aeacda3b-99fd-4ba6-aa4d-22ecfb807973 /tmp btrfs subvol=/@/tmp 0 0
UUID=aeacda3b-99fd-4ba6-aa4d-22ecfb807973 /srv btrfs subvol=/@/srv 0 0
UUID=aeacda3b-99fd-4ba6-aa4d-22ecfb807973 /root btrfs subvol=/@/root 0 0
UUID=aeacda3b-99fd-4ba6-aa4d-22ecfb807973 /opt btrfs subvol=/@/opt 0 0
UUID=05b48cc5-8605-4316-9377-cbb1eff67d79 /home btrfs compress=zstd 0 0
UUID=b8d42f75-8281-48d9-885f-75c0c7370246 swap swap defaults 0 0
Output of blkid /dev/mapper/
blkid /dev/mapper/cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part2
/dev/mapper/cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part2: UUID="aeacda3b-99fd-4ba6-aa4d-22ecfb807973" UUID_SUB="1e13770a-0beb-49ab-9509-473a1b0f20e3" TYPE="btrfs"
blkid /dev/mapper/cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part3
/dev/mapper/cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part3: UUID="05b48cc5-8605-4316-9377-cbb1eff67d79" UUID_SUB="da848647-0b2d-4d25-a5b3-525da108d175" TYPE="btrfs"
blkid /dev/mapper/cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part4
/dev/mapper/cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part4: UUID="b8d42f75-8281-48d9-885f-75c0c7370246" TYPE="swap"
From what you describe, crypttab and fstab look to be OK. So maybe crypttab and fstab are not at fault here?
Output of mkinitrd, if of interest:
mkinitrd
Creating initrd: /boot/initrd-4.20.4-1-default
dracut: Executing: /usr/bin/dracut --logfile /var/log/YaST2/mkinitrd.log --force /boot/initrd-4.20.4-1-default 4.20.4-1-default
dracut: dracut module 'lvm' will not be installed, because command 'lvm' could not be found!
dracut: dracut module 'lvm' will not be installed, because command 'lvm' could not be found!
dracut: *** Including module: bash ***
dracut: *** Including module: systemd ***
dracut: *** Including module: warpclock ***
dracut: *** Including module: systemd-initrd ***
dracut: *** Including module: i18n ***
dracut: *** Including module: drm ***
dracut: *** Including module: plymouth ***
dracut: *** Including module: btrfs ***
dracut: *** Including module: crypt ***
dracut: *** Including module: dm ***
dracut: Skipping udev rule: 64-device-mapper.rules
dracut: Skipping udev rule: 60-persistent-storage-dm.rules
dracut: Skipping udev rule: 55-dm.rules
dracut: *** Including module: kernel-modules ***
dracut: *** Including module: rootfs-block ***
dracut: *** Including module: suse-xfs ***
dracut: *** Including module: terminfo ***
dracut: *** Including module: udev-rules ***
dracut: Skipping udev rule: 40-redhat.rules
dracut: Skipping udev rule: 50-firmware.rules
dracut: Skipping udev rule: 50-udev.rules
dracut: Skipping udev rule: 91-permissions.rules
dracut: Skipping udev rule: 80-drivers-modprobe.rules
dracut: *** Including module: dracut-systemd ***
dracut: *** Including module: haveged ***
dracut: *** Including module: ostree ***
dracut: *** Including module: usrmount ***
dracut: *** Including module: base ***
dracut: *** Including module: fs-lib ***
dracut: *** Including module: shutdown ***
dracut: *** Including module: suse ***
dracut: *** Including modules done ***
dracut: *** Installing kernel module dependencies and firmware ***
dracut: *** Installing kernel module dependencies and firmware done ***
dracut: *** Resolving executable dependencies ***
dracut: *** Resolving executable dependencies done***
dracut: *** Hardlinking files ***
dracut: *** Hardlinking files done ***
dracut: *** Stripping files ***
dracut: *** Stripping files done ***
dracut: *** Generating early-microcode cpio image ***
dracut: *** Constructing GenuineIntel.bin ****
dracut: *** Store current command line parameters ***
dracut: Stored kernel commandline:
dracut: rd.luks.uuid=luks-fbd989a4-de4c-48d6-9d08-52dd1d3fedce
dracut: root=/dev/mapper/cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part2 rootfstype=btrfs rootflags=rw,relatime,space_cache,subvolid=939,subvol=/@/.snapshots/601/snapshot,subvol=@/.snapshots/601/snapshot
dracut: *** Creating image file '/boot/initrd-4.20.4-1-default' ***
dracut: *** Creating initramfs image file '/boot/initrd-4.20.4-1-default' done ***
Creating initrd: /boot/initrd-4.20.6-1-default
dracut: Executing: /usr/bin/dracut --logfile /var/log/YaST2/mkinitrd.log --force /boot/initrd-4.20.6-1-default 4.20.6-1-default
dracut: dracut module 'lvm' will not be installed, because command 'lvm' could not be found!
dracut: dracut module 'lvm' will not be installed, because command 'lvm' could not be found!
dracut: *** Including module: bash ***
dracut: *** Including module: systemd ***
dracut: *** Including module: warpclock ***
dracut: *** Including module: systemd-initrd ***
dracut: *** Including module: i18n ***
dracut: *** Including module: drm ***
dracut: *** Including module: plymouth ***
dracut: *** Including module: btrfs ***
dracut: *** Including module: crypt ***
dracut: *** Including module: dm ***
dracut: Skipping udev rule: 64-device-mapper.rules
dracut: Skipping udev rule: 60-persistent-storage-dm.rules
dracut: Skipping udev rule: 55-dm.rules
dracut: *** Including module: kernel-modules ***
dracut: *** Including module: rootfs-block ***
dracut: *** Including module: suse-xfs ***
dracut: *** Including module: terminfo ***
dracut: *** Including module: udev-rules ***
dracut: Skipping udev rule: 40-redhat.rules
dracut: Skipping udev rule: 50-firmware.rules
dracut: Skipping udev rule: 50-udev.rules
dracut: Skipping udev rule: 91-permissions.rules
dracut: Skipping udev rule: 80-drivers-modprobe.rules
dracut: *** Including module: dracut-systemd ***
dracut: *** Including module: haveged ***
dracut: *** Including module: ostree ***
dracut: *** Including module: usrmount ***
dracut: *** Including module: base ***
dracut: *** Including module: fs-lib ***
dracut: *** Including module: shutdown ***
dracut: *** Including module: suse ***
dracut: *** Including modules done ***
dracut: *** Installing kernel module dependencies and firmware ***
dracut: *** Installing kernel module dependencies and firmware done ***
dracut: *** Resolving executable dependencies ***
dracut: *** Resolving executable dependencies done***
dracut: *** Hardlinking files ***
dracut: *** Hardlinking files done ***
dracut: *** Stripping files ***
dracut: *** Stripping files done ***
dracut: *** Generating early-microcode cpio image ***
dracut: *** Constructing GenuineIntel.bin ****
dracut: *** Store current command line parameters ***
dracut: Stored kernel commandline:
dracut: rd.luks.uuid=luks-fbd989a4-de4c-48d6-9d08-52dd1d3fedce
dracut: root=/dev/mapper/cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part2 rootfstype=btrfs rootflags=rw,relatime,space_cache,subvolid=939,subvol=/@/.snapshots/601/snapshot,subvol=@/.snapshots/601/snapshot
dracut: *** Creating image file '/boot/initrd-4.20.6-1-default' ***
dracut: *** Creating initramfs image file '/boot/initrd-4.20.6-1-default' done ***
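The two-UUID rule from nrickert's reply, as an added example that is not part of the thread or the openSUSE guide: a small POSIX shell/awk checker that reads saved `blkid` output and flags crypttab lines that do not name a crypto_LUKS container UUID, fstab lines that do not name the inner filesystem UUID of an opened /dev/mapper device, and any line that uses a PARTUUID in place of a UUID. The function name `check_uuids`, the `NO_DEMO` switch and the sample files are my own; the sample lines are the blkid, crypttab and fstab lines posted in this thread.

```shell
#!/bin/sh
# check_uuids MODE CONFIG BLKID_OUT
#   MODE is "crypttab" or "fstab"; BLKID_OUT is a file holding `blkid` output.
# Rule being enforced:
#   crypttab wants the UUID of the LUKS container (TYPE="crypto_LUKS");
#   fstab wants the UUID blkid reports for the *opened* /dev/mapper device;
#   a PARTUUID is wrong in both files.
# Lines whose source is not UUID= (device paths, tmpfs, "none") are skipped.
# Exit 0 if everything is consistent, 1 if any problem line was printed.
check_uuids() {
  awk -v mode="$1" '
    # key="value" from a blkid line; " UUID=" does not match PARTUUID= or UUID_SUB=.
    function field(key,   m) {
      if (match($0, " " key "=\"[^\"]*\"")) {
        m = substr($0, RSTART, RLENGTH); sub(/^[^"]*"/, "", m); sub(/"$/, "", m)
        return m
      }
      return ""
    }
    FNR == NR {                          # first input: blkid output
      dev = $1; sub(/:$/, "", dev)
      u = field("UUID"); p = field("PARTUUID")
      if (u != "") { type_of[u] = field("TYPE"); dev_of[u] = dev }
      if (p != "") partdev[p] = dev
      next
    }
    /^[ \t]*(#|$)/ { next }              # second input: crypttab or fstab
    {
      if (mode == "crypttab") { name = $1; src = $2 } else { name = $2; src = $1 }
      if (src !~ /^UUID=/) next
      u = substr(src, 6); t = (u in type_of) ? type_of[u] : ""
      if (mode == "crypttab" && t == "crypto_LUKS") next          # outer UUID: right
      if (mode == "fstab" && t != "" && t != "crypto_LUKS") next  # inner UUID: right
      if (u in partdev)            msg = "is the PARTUUID of " partdev[u] ", not a UUID"
      else if (t == "")            msg = "is not reported by blkid at all"
      else if (mode == "crypttab") msg = "is the " t " inside " dev_of[u] ", not a LUKS container"
      else msg = "is the LUKS container " dev_of[u] "; fstab needs the UUID of its opened /dev/mapper device"
      printf "%s: UUID %s %s\n", name, u, msg; bad++
    }
    END { exit bad ? 1 : 0 }
  ' "$3" "$2"
}

# Constructed sample input: the blkid, crypttab and fstab lines posted in the thread.
sample_blkid() {
cat <<'EOF'
/dev/sda2: UUID="fbd989a4-de4c-48d6-9d08-52dd1d3fedce" TYPE="crypto_LUKS" PARTUUID="676083de-5378-4883-b15e-e8e59f7679d5"
/dev/sda3: UUID="09948f4d-6b35-4467-933d-48bdf399c5f8" TYPE="crypto_LUKS" PARTUUID="13f8cb3b-737c-470b-ac1e-13ff0974a66a"
/dev/sda4: UUID="062c3387-1d82-4570-a738-1f8f84786bee" TYPE="crypto_LUKS" PARTUUID="4c07c00a-b3ea-463c-8acc-7e682ee4660c"
/dev/mapper/cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part2: UUID="aeacda3b-99fd-4ba6-aa4d-22ecfb807973" UUID_SUB="1e13770a-0beb-49ab-9509-473a1b0f20e3" TYPE="btrfs"
/dev/mapper/cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part3: UUID="05b48cc5-8605-4316-9377-cbb1eff67d79" UUID_SUB="da848647-0b2d-4d25-a5b3-525da108d175" TYPE="btrfs"
/dev/mapper/cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part4: UUID="b8d42f75-8281-48d9-885f-75c0c7370246" TYPE="swap"
EOF
}
sample_crypttab() {
cat <<'EOF'
cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part2 UUID=fbd989a4-de4c-48d6-9d08-52dd1d3fedce /.root.key none
cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part3 UUID=09948f4d-6b35-4467-933d-48bdf399c5f8 /.root.key none
cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part4 UUID=062c3387-1d82-4570-a738-1f8f84786bee /.root.key none
EOF
}
sample_fstab() {
cat <<'EOF'
UUID=aeacda3b-99fd-4ba6-aa4d-22ecfb807973 / btrfs defaults 0 0
UUID=aeacda3b-99fd-4ba6-aa4d-22ecfb807973 /var btrfs subvol=/@/var 0 0
UUID=05b48cc5-8605-4316-9377-cbb1eff67d79 /home btrfs compress=zstd 0 0
UUID=b8d42f75-8281-48d9-885f-75c0c7370246 swap swap defaults 0 0
EOF
}

demo() {
  tmp=$(mktemp -d)
  sample_blkid > "$tmp/blkid"; sample_crypttab > "$tmp/crypttab"; sample_fstab > "$tmp/fstab"
  check_uuids crypttab "$tmp/crypttab" "$tmp/blkid" && echo "crypttab: every UUID is a LUKS container UUID"
  check_uuids fstab "$tmp/fstab" "$tmp/blkid" && echo "fstab: every UUID belongs to an opened /dev/mapper device"
  # The two classic mistakes, constructed from the same blkid data:
  printf 'cr_bad UUID=4c07c00a-b3ea-463c-8acc-7e682ee4660c /.root.key none\n' > "$tmp/crypttab.bad"
  printf 'UUID=09948f4d-6b35-4467-933d-48bdf399c5f8 /home btrfs defaults 0 0\n' > "$tmp/fstab.bad"
  check_uuids crypttab "$tmp/crypttab.bad" "$tmp/blkid" || echo "(caught: PARTUUID in crypttab)"
  check_uuids fstab "$tmp/fstab.bad" "$tmp/blkid" || echo "(caught: container UUID in fstab)"
  rm -rf "$tmp"
}
[ -n "${NO_DEMO:-}" ] || demo
```

On a live system run `blkid > /tmp/blkid.out` as root and point the two checks at /etc/crypttab and /etc/fstab. The awk matches the whole `UUID="..."` field with a regex rather than splitting on whitespace, so a LABEL containing spaces elsewhere on the blkid line does not disturb it; device paths themselves are taken from the first field.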
That all looks right, unless I am missing something.
When I last set this up (in a KVM virtual machine), it didn’t work. I went back and checked everything.
I don’t remember whether I found a small typo somewhere, or whether it just started working a day or two later. It was probably a small typo. It has been working fine since then.
You can use “lsinitrd” to check whether the needed files are in the “initrd”. In particular, you need that file “/.root.key” to be there.
Since the lsinitrd output is long, I output it to a text file with
lsinitrd > lsinitrd.txt
and copied that to pastebin.
I tried searching for /.root.key, no result.
But I did find .root.key without the /.
Thanks.
Then that’s fine. “lsinitrd” lists without the leading “/”.
Hmm, I suggest that you add “none” as a 4th column entry for those “crypttab” entries, just in case that is needed. It depends on how fussy the software that looks at it is.
And then you have to rerun “mkinitrd”.
I edited my crypttab to look like this,
ran mkinitrd, and on reboot it still asks for the password twice.
Not sure if this is relevant, but it asks for a password for grub and another for part4, which is /dev/sda4, the swap partition.
cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part2 UUID=fbd989a4-de4c-48d6-9d08-52dd1d3fedce /.root.key none
cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part3 UUID=09948f4d-6b35-4467-933d-48bdf399c5f8 /.root.key none
cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-part4 UUID=062c3387-1d82-4570-a738-1f8f84786bee /.root.key none
BROOOOOOOOO I'M A GENIUS IQ250
I had to do this for swap too:
cryptsetup luksAddKey /dev/sda4 /.root.key
and
mkinitrd
and boooooommmmmm
IT'S SOLVED!!! THANKS FOR THE HELP
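The root cause was a key slot that had never been added on the swap container, something that no amount of checking crypttab, fstab or the initrd listing could reveal. As an added example (my own code, not from the thread or the openSUSE guide), here is an audit that takes each crypttab entry with a key file and checks the three things that have to hold for an unattended unlock: the key file is mode 0600, `cryptsetup open --test-passphrase --key-file` accepts it on that container, and `lsinitrd` shows it inside the initrd. The real checks need root; the demo swaps in constructed stand-ins (`fake_probe`, `fake_initrd_has`) that reproduce the thread's state, with the key enrolled on sda2 and sda3 only. The /dev/disk/by-uuid path is the udev symlink for the container UUID; the function names and the `NO_DEMO` switch are assumptions of mine.

```shell
#!/bin/sh
# luks_keyfile_audit CRYPTTAB [PROBE_CMD] [INITRD_CMD]
# For every crypttab entry whose third column names a key file, check that
#   1. the key file has no group/other permission bits (chmod 600),
#   2. the key file really unlocks that LUKS device (a key slot exists for it),
#   3. the key file is inside the current initrd (dracut install_items).
# PROBE_CMD and INITRD_CMD default to the real cryptsetup/lsinitrd wrappers
# below, which need root; the demo passes constructed stand-ins instead.
# Exit 0 if every entry passes, else print one line per failure and exit 1.

# crypttab -> "name source keyfile", skipping comments and entries that prompt (none / -)
keyed_entries() {
  awk '/^[ \t]*(#|$)/ { next } $3 != "" && $3 != "none" && $3 != "-" { print $1, $2, $3 }' "$1"
}

# UUID=xxx -> the udev by-uuid symlink for the LUKS container; other sources pass through
luks_device() {
  case "$1" in
    UUID=*) echo "/dev/disk/by-uuid/${1#UUID=}" ;;
    *)      echo "$1" ;;
  esac
}

# Group and other permission bits must all be clear (chmod 600 as in the guide).
perm_ok() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Real probe: --test-passphrase verifies a key slot without creating a mapping.
probe_keyslot() {  # $1 device, $2 key file
  cryptsetup open --test-passphrase --key-file "$2" "$1" >/dev/null 2>&1
}

# Real initrd check: lsinitrd lists paths without the leading "/" (as seen in the thread).
initrd_contains() {  # $1 key file
  lsinitrd 2>/dev/null | awk -v f="${1#/}" '$NF == f { found = 1 } END { exit !found }'
}

luks_keyfile_audit() {
  probe=${2:-probe_keyslot}; in_initrd=${3:-initrd_contains}
  fails=$(keyed_entries "$1" | while read -r name src key; do
    dev=$(luks_device "$src")
    if [ ! -f "$key" ]; then echo "$name: key file $key does not exist"; continue; fi
    perm_ok "$key"         || echo "$name: $key is readable by group/other (chmod 600 $key)"
    "$probe" "$dev" "$key" || echo "$name: $key does not unlock $dev (cryptsetup luksAddKey $dev $key, then mkinitrd)"
    "$in_initrd" "$key"    || echo "$name: $key is missing from the initrd (install_items+=\" $key \" in /etc/dracut.conf.d/, then mkinitrd)"
  done)
  [ -z "$fails" ] && return 0
  printf '%s\n' "$fails"
  return 1
}

# Constructed stand-ins that reproduce the thread: the key was enrolled on sda2
# and sda3 but not on sda4 (swap), and the key file was already in the initrd.
fake_probe() { case "$1" in *fbd989a4-*|*09948f4d-*) return 0 ;; *) return 1 ;; esac; }
fake_initrd_has() { return 0; }

demo() {
  tmp=$(mktemp -d); key="$tmp/.root.key"
  head -c 1024 /dev/urandom > "$key"; chmod 600 "$key"     # stand-in for /.root.key
  for p in part2:fbd989a4-de4c-48d6-9d08-52dd1d3fedce \
           part3:09948f4d-6b35-4467-933d-48bdf399c5f8 \
           part4:062c3387-1d82-4570-a738-1f8f84786bee; do
    printf 'cr_ata-WDC_WD5000AAKX-001CA0_WD-WMAYUT069311-%s UUID=%s %s none\n' \
      "${p%%:*}" "${p#*:}" "$key"
  done > "$tmp/crypttab"
  luks_keyfile_audit "$tmp/crypttab" fake_probe fake_initrd_has \
    || echo "(one entry would still prompt at boot: the part4 symptom from the thread)"
  rm -rf "$tmp"
}
[ -n "${NO_DEMO:-}" ] || demo
```

Run `luks_keyfile_audit /etc/crypttab` as root after every `luksAddKey` or `mkinitrd`; each failure line names the command that repairs it. The probe uses `--test-passphrase`, so no device is activated and an already-open container is not disturbed.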
I’m glad it is now working. And thanks for reporting back.