LUKS, btrfs, RAID1 & how does systemd mount 2 volumes with same pw?

Hi,

So I had to get a new PC and I’ve set up a btrfs RAID1 on 2 disks with 2 partitions each, whereas 1 (/home) is encrypted (same pw). My thinking was that I get asked for my password twice, each for both partitions. However, that is not the case.

Question: is the password used on both dm-crypt partitions? If yes, why?


# btrfs fi show
Label: none  uuid: 1988bbda-a6a4-47e1-be87-852418a626cf
    Total devices 2 FS bytes used 14.40GB
    devid    2 size 44.53GB used 16.01GB path /dev/dm-1
    devid    1 size 44.53GB used 16.03GB path /dev/dm-0

Label: none  uuid: 6c98837a-dad2-4328-9f09-cb6a77f6dd60
    Total devices 2 FS bytes used 11.23GB
    devid    2 size 30.00GB used 15.03GB path /dev/sdb1
    devid    1 size 30.00GB used 15.04GB path /dev/sda7

Btrfs v0.19+


:/dev/mapper # la
total 0
drwxr-xr-x  2 root root     120 Jan 12 22:59 .
drwxr-xr-x 17 root root    4540 Jan 12 22:59 ..
crw-------  1 root root 10, 236 Jan 12 22:44 control
lrwxrwxrwx  1 root root       7 Jan 12 22:44 cr_home1 -> ../dm-1
lrwxrwxrwx  1 root root       7 Jan 12 22:44 cr_home2 -> ../dm-0
lrwxrwxrwx  1 root root       7 Jan 12 22:59 truecrypt1 -> ../dm-2


/etc/crypttab
cr_home1                            /dev/disk/by-id/ata-ST3250318AS_9VYCPAY5-part8 none       none
cr_home2                            /dev/disk/by-id/ata-ST380811AS_6PS2K7ME-part2 none       none


/etc/fstab
UUID=6c98837a-dad2-4328-9f09-cb6a77f6dd60 /                    btrfs      defaults,compress=lzo,autodefrag              1 1
/dev/disk/by-id/ata-ST3250318AS_9VYCPAY5-part6 swap                 swap       defaults              0 0
/dev/disk/by-id/ata-ST3250318AS_9VYCPAY5-part5 /boot                ext4       acl,user_xattr        1 2
proc                 /proc                proc       defaults              0 0
sysfs                /sys                 sysfs      noauto                0 0
debugfs              /sys/kernel/debug    debugfs    noauto                0 0
usbfs                /proc/bus/usb        usbfs      noauto                0 0
devpts               /dev/pts             devpts     mode=0620,gid=5       0 0
/dev/disk/by-id/ata-ST3250318AS_9VYCPAY5-part9 /tmp                 ext2       acl,user_xattr        1 2
/dev/mapper/cr_home1                            /home                btrfs       nofail,defaults,device=/dev/mapper/cr_home1,device=/dev/mapper/cr_home2,autodefrag,compress=lzo                0 2


#mount
devtmpfs on /dev type devtmpfs (rw,relatime,size=1017840k,nr_inodes=254460,mode=755)
tmpfs on /dev/shm type tmpfs (rw,relatime)
tmpfs on /run type tmpfs (rw,nosuid,nodev,relatime,mode=755)
devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
/dev/sda7 on / type btrfs (rw,relatime,compress=lzo,space_cache,autodefrag)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
tmpfs on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,relatime,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct,cpu)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/net_cls type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=30,pgrp=1,timeout=300,minproto=5,maxproto=5,direct)
tmpfs on /var/lock type tmpfs (rw,nosuid,nodev,relatime,mode=755)
tmpfs on /var/run type tmpfs (rw,nosuid,nodev,relatime,mode=755)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime)
securityfs on /sys/kernel/security type securityfs (rw,relatime)
mqueue on /dev/mqueue type mqueue (rw,relatime)
tmpfs on /media type tmpfs (rw,nosuid,nodev,noexec,relatime,mode=755)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
/dev/sda5 on /boot type ext4 (rw,relatime,data=ordered)
/dev/sda9 on /tmp type ext2 (rw,relatime)
/dev/mapper/cr_home2 on /home type btrfs (rw,relatime,compress=lzo,space_cache,autodefrag)
none on /var/lib/ntp/proc type proc (ro,nosuid,nodev,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
gvfs-fuse-daemon on /run/user/sebastian/gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,relatime,user_id=1000,group_id=100)

Actually most people want to avoid multiple password requests. You seem to be the only one who does not like it :)

Which openSUSE version do you use?

Security is the issue. One has got to know what’s going on.

12.2


uname -r
3.7.1-1-desktop

from factory

I have no experience with RAID. I give my experience with more standard partitioning.

I started using crypto with openSUSE 11.3, where I set up both “/home” and swap to be encrypted. I was prompted twice for the key (which I found annoying). I switched swap to use a random key (with straight dm-crypt), so as to avoid the two prompts.

I later discovered, with openSUSE 11.4, that if I entered “initrd” in the options column of “/etc/crypttab”, I could do it with the encryption key only requested once. The crypto was being handled in the “initrd”, and the scripts/code that runs there will take the key provided, and test it for every partition that it needs to decrypt. And if two or more have the same key, there is only one prompt for the key. Crypto behaved the same with openSUSE 12.1.

With openSUSE 12.2, the plymouth splash software takes over. If I disable plymouth, then the crypto behaves as in 11.4 and 12.1. If plymouth is being used, then (a) it tends to be confused by the “initrd” entry in the options column, and (b) without the “initrd” option, it does the crypto key prompting, and tries to use the same key for multiple partitions if it can.

If you are using 12.2, and if you really want two prompts, you might try disabling plymouth. I don’t know if that will work, because RAID might still be treated specially.

Do you use Plymouth? Or are you prompted on plain console?

On 2013-01-14 04:16, brian j wrote:
> security is the issue. one has got to know what’s going on.

Both partitions have the same password if you created both with the same
password, so it is your fault.

If the system gets one password for an encrypted partition, the boot
sequence tries the same password on both. If it works, fine, if it
doesn’t, it asks for the second partition.


Cheers/Saludos
Carlos E. R. (12.1 test at Minas-Anor)
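
The behaviour described in the replies above (a passphrase entered once is tried on every volume that still needs unlocking, and a new prompt appears only when none fits), as an added example that is not part of the original thread and not code from systemd, plymouth or cryptsetup. The header layout is a simplified stand-in for a LUKS keyslot (assumption: PBKDF2 plus XOR wrapping and a SHA-256 key digest), and the function names are hypothetical; it also shows that two volumes sharing a passphrase still hold different random master keys.

```python
import hashlib, hmac, os

ITER = 1000  # demo-only iteration count; real headers use far more

def _kek(passphrase, salt):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITER, 32)

def format_volume(name, passphrase):
    """Toy header: random per-volume master key, XOR-wrapped by a passphrase-derived key."""
    master, salt = os.urandom(32), os.urandom(16)
    wrapped = bytes(a ^ b for a, b in zip(master, _kek(passphrase, salt)))
    return {"name": name, "salt": salt, "wrapped": wrapped,
            "digest": hashlib.sha256(master).digest()}

def try_unlock(vol, passphrase):
    """Return the volume's master key if the passphrase fits, else None."""
    cand = bytes(a ^ b for a, b in zip(vol["wrapped"], _kek(passphrase, vol["salt"])))
    ok = hmac.compare_digest(hashlib.sha256(cand).digest(), vol["digest"])
    return cand if ok else None

def unlock_all(volumes, ask, max_tries=3):
    """Try every passphrase already entered before prompting for a new one."""
    cache, keys, prompts = [], {}, 0
    for vol in volumes:
        key = None
        for p in cache:                      # silent retry with cached passphrases
            key = try_unlock(vol, p)
            if key is not None:
                break
        tries = 0
        while key is None:                   # prompt only if nothing cached fits
            if tries == max_tries:
                raise PermissionError(f"could not unlock {vol['name']}")
            p = ask(vol["name"])
            prompts, tries = prompts + 1, tries + 1
            cache.append(p)
            key = try_unlock(vol, p)
        keys[vol["name"]] = key
    return keys, prompts

if __name__ == "__main__":
    # Constructed sample: two volumes named as in the crypttab above, same passphrase.
    vols = [format_volume(n, "example-pass") for n in ("cr_home1", "cr_home2")]
    keys, prompts = unlock_all(vols, lambda name: "example-pass")
    print("prompts:", prompts)
    print("same master key:", keys["cr_home1"] == keys["cr_home2"])
```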