Leap 15.5 encryption - unable to avoid entering passphrase twice

Hello,
I recently installed openSUSE Leap 15.5 with full disk encryption.
Unfortunately, I am unable to get rid of entering the passphrase twice during startup, although I followed this guide.

I followed the guide multiple times, but still I need to enter the passphrase twice during startup.
Maybe someone can help me to figure out the issue.

What I did:

sudo lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 0 238,5G 0 disk
├─sda1 8:1 0 512M 0 part /boot/efi
├─sda2 8:2 0 236G 0 part
│ └─cr_root 254:0 0 236G 0 crypt /srv
│ …
└─sda3 8:3 0 2G 0 part
  └─cr_swap 254:1 0 2G 0 crypt [SWAP]

Setup for sda2:
sudo touch /.root.key
sudo chmod 600 /.root.key
sudo dd if=/dev/urandom of=/.root.key bs=1024 count=1
sudo cryptsetup luksAddKey --iter-time 300 /dev/sda2 /.root.key

/etc/crypttab looks like:
cr_root UUID=b46b… /.root.key x-initrd.attach
cr_swap UUID=a156… /.root.key none

echo -e 'install_items+=" /.root.key "' | sudo tee --append /etc/dracut.conf.d/99-root-key.conf > /dev/null
/etc/permissions.local includes /boot/ root:root 700
sudo chkstat --system --set
sudo dracut -f

Setup for sda3
sudo touch /.root.key
sudo chmod 600 /.root.key
sudo dd if=/dev/urandom of=/.root.key bs=1024 count=1
sudo cryptsetup luksAddKey --iter-time 300 /dev/sda3 /.root.key
sudo dracut -f

Did you do this part

That’s from the guide that you linked. And be sure to run “mkinitrd” after you make the dracut configuration changes.

Thanks for your answer.
Regarding “Configure dracut to add the key file to the initrd:”
I think the command “echo -e 'install_items+=” /.ro …", is related to that, which I did for sda2.
The guide mentions, that this step is not necessary for swap, so I didn’t do that for sda3.

However, I did not enter “mkinitrd”. So you think I should enter “mkinitrd” after “sudo dracut -f”?

EDIT: I ran “mkinitrd”, but I still have to enter the passphrase for cr_root.

I’m not sure, but I think “dracut -f” might only update the initrd for the running kernel (there’s another option you can use to force it to update for all kernels).

You can try using “lsinitrd” to check whether that key file is indeed in the “initrd” image.

The other, better?, solution is to use an Encrypted swap partition with random key

Not sure why I cannot edit my last post from 21 minutes ago, but reading the linked thread I realized that this might not be the best way to set this up.

It should be possible to set up a Volatile Swap Encryption with a Random Key with the YaST Partitioner

https://lizards.opensuse.org/2019/10/09/advanced-encryption-yast/

@nrickert
I checked “kernel-default” and it seems like there is only one kernel in the system. But maybe you could help me with “lsinitrd”, since I don’t know how to find out if the key file is indeed in the initrd image.

@marel
Surprisingly, I don’t have to enter the key for the swap partition. So far it seems, that there is an issue with the root partition.

On Leap 15.4 I had similar issues with full encryption. After some repetitions of the guide, the issue disappeared magically. Annoying that I have a similar issue in 15.5 as well.

EDIT:
I somehow solved the issue by using the same key file for sda2 and sda3
sudo touch /.root.key
sudo chmod 600 /.root.key
sudo dd if=/dev/urandom of=/.root.key bs=1024 count=1
sudo cryptsetup luksAddKey /dev/sda2 /.root.key
sudo cryptsetup luksAddKey /dev/sda3 /.root.key
echo -e 'install_items+=" /.root.key "' | sudo tee --append /etc/dracut.conf.d/99-root-key.conf > /dev/null
sudo dracut -f

I don’t know if this is a security issue, but if not, then the guide could be updated.

You do realize that your setup for sda3 invalidates the key you just added to sda2, don't you?

Indeed I was not aware of this invalidation.
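
Added example, not part of any post in this thread or of the linked guide: a script for the two checks discussed above, whether the key file is in the initrd (the "lsinitrd" suggestion) and whether the key file on disk still matches a keyslot on each device (the invalidation caused by re-running dd). The function names and the `--live` switch are this example's own, and it assumes the default initrd of the running kernel.

```shell
#!/bin/sh
# Added example: why does the initrd still ask for a passphrase?
# Either the key file is not in the initrd, or it no longer matches
# a LUKS keyslot (for example because dd regenerated it after luksAddKey).

# Print "name device keyfile" for each crypttab entry that uses a key file.
crypttab_keyfiles() {
    awk '!/^[ \t]*(#|$)/ && $3 != "" && $3 != "none" && $3 != "-" {
             print $1, $2, $3 }' "$1"
}

# Turn a crypttab UUID=... device spec into a /dev/disk/by-uuid path.
resolve_dev() {
    case "$1" in
        UUID=*) printf '/dev/disk/by-uuid/%s\n' "${1#UUID=}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# Succeed if the key path appears in an lsinitrd listing read from stdin.
# lsinitrd prints archive members without the leading slash.
key_in_listing() {
    awk -v p="${1#/}" '$NF == p { found = 1 } END { exit !found }'
}

# Live check, run as root after "dracut -f".
verify_live() {
    tab="${1:-/etc/crypttab}"; rc=0
    while read -r name dev key; do
        [ -n "$name" ] || continue
        lsinitrd | key_in_listing "$key" ||
            { echo "$name: $key is not in the initrd"; rc=1; }
        # --test-passphrase tries the key against the keyslots
        # without activating the mapping.
        cryptsetup open --test-passphrase --key-file "$key" \
            "$(resolve_dev "$dev")" </dev/null ||
            { echo "$name: $key does not unlock $dev"; rc=1; }
    done <<EOF
$(crypttab_keyfiles "$tab")
EOF
    return "$rc"
}

if [ "${1:-}" = "--live" ]; then verify_live; fi
```

With the setup from the first post, the second check would be expected to fail for sda2, because the key file was regenerated after it had been added to that device.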