Seamless mount of encrypted disks and new session creation after each screen lock

I installed openSUSE 11.4 on an HP EliteBook 2560p a few days ago (using the KDE live CD). In general the system is working fine, but I still cannot resolve a couple of really annoying issues:

**1.** I’ve created encrypted partitions for swap and home during OS installation. As a result the system keeps asking for passwords for each of the encrypted partitions before showing the login screen. That leads to a situation where I have to type 3 passwords during each boot/reboot.
I was using the same configuration (swap and home were encrypted) on Ubuntu 11.04, and there both encrypted partitions were mounted automatically with no password typing after logging in to the system.
Could you please tell me how I can configure the same behavior on openSUSE 11.4?

**2.** I’ve enabled auto screen lock after 5 mins of being inactive. As a result, when I go back to the laptop to unlock the screen, the system shows the login screen (the default login screen with user selection). But when the user and password are filled in and I click login, it creates an entirely new KDE session. Therefore all the stuff that was open before the screen lock is gone. However, the old session is still in the system (it appears in the output of the ‘w’ command).
Can someone share any idea why it is happening?

Thank you in advance for any help on this!

On 09/08/2011 07:36 PM, irepublic wrote:
>
> I cannot resolve couple of really annoying issues:

-=WELCOME=- new poster, but in the future please put only one problem in
each thread (that keeps it so much neater, and easier for those who
google in later to find a focused thread), thanks…

(sorry, i can’t help with either of your questions…except to say that
apparently Ubuntu mounts encrypted partitions after log in, and openSUSE
before…i have no idea why Ubuntu does it their way, it sounds only one
third as secure as the openSUSE way [one password vs three]…)


DD
openSUSE®, the “German Automobiles” of operating systems

When I first tried encryption, I did it the same way. I have since learned better.

There’s a post on my blog about encryption. Take a look at it.
Disk encryption

I failed in my attempt to change from what you have done, to having swap use a random password. I finished up reinstalling with encrypted LVM, one of the options I mention in that blog post. The trouble with a random password is that the system recognizes the LUKS header on that partition, and random password doesn’t work with LUKS.

I think the following would work, to change to a random password for swap. But no guarantees, and I haven’t tested it.


```sh
# Start in failsafe mode, or switch to init level 3. Log in as root at a virtual terminal.
swapoff -a  ## turn off swap
# Edit "/etc/crypttab". Find the entry for swap. Change it to use a random key. My entry at present is:
#   cr_sda6         /dev/disk/by-id/ata-WDC_WD3200AAKS-75SBA0_WD-WCAPZ2050503-part6 /dev/urandom swap
# but note that the "cr_sda6" is probably wrong for your system.
# That change won't work by itself, because the LUKS header will be noticed by the system.
dd if=/dev/zero of=/dev/sda6  ## wipe out the LUKS header (this overwrites the whole partition).
# The "/dev/sda6" is probably wrong for your system. Replace it with whatever is your swap partition. The aim is to
# erase the LUKS header.
shutdown -r now  ### reboot, and hope it all works.
```

If that all works, it will get rid of the password prompt for swap.

You can set your system up for automatic login, to get rid of the prompt for logging in. That will leave you with needing only the password prompt for “/home” encryption.

As far as I know, Ubuntu uses an encrypted container with a loopback mount for the home directory, instead of encrypting “/home”. It decrypts the home directory using PAM entries when you log in. You can set this up in openSUSE when you create a new user in YaST. During install, give a dummy user, and create the user you want later. Keep that dummy user account around for repairs. I have not tested the encrypted container for home directory, as I prefer the encrypted “/home”.

As for the unlock screen problem - you did something wrong, but I am not sure what. You should be able to get back to the original session with CTRL-ALT-F7, or to the new one with CTRL-ALT-F8.
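
Added example, not part of the original posts: a pre-reboot check for the swap change described above. For each crypttab entry keyed from /dev/urandom it reports whether the target still begins with the LUKS magic bytes, which is the header the post says must be erased. The function names and the sample entries, built on temporary image files, are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-reboot check that random-key crypttab entries no longer
# point at a device carrying a LUKS header. Function names are illustrative.

# Return 0 if the device or file $1 starts with the LUKS magic "LUKS\xba\xbe".
has_luks_header() {
    magic=$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# Check every /dev/urandom-keyed entry in crypttab file $1.
# Returns 1 if any target is unreadable or still has a LUKS header.
check_crypttab() {
    rc=0
    while read -r name dev key opts; do
        case "$name" in ''|\#*) continue ;; esac
        [ "$key" = "/dev/urandom" ] || continue
        if [ ! -r "$dev" ]; then
            echo "SKIP $name: cannot read $dev"; rc=1
        elif has_luks_header "$dev"; then
            echo "FAIL $name: $dev still has a LUKS header"; rc=1
        else
            echo "ok   $name: $dev has no LUKS header"
        fi
    done < "$1"
    return $rc
}

# Demo on constructed image files standing in for partitions.
demo() {
    d=$(mktemp -d)
    printf 'LUKS\272\276\000\001' > "$d/old_swap.img"      # header intact
    dd if=/dev/zero of="$d/wiped_swap.img" bs=512 count=1 2>/dev/null
    cat > "$d/crypttab" <<EOF
# constructed sample entries
cr_old    $d/old_swap.img    /dev/urandom  swap
cr_wiped  $d/wiped_swap.img  /dev/urandom  swap
cr_home   $d/old_swap.img    none
EOF
    check_crypttab "$d/crypttab"; st=$?
    rm -rf "$d"
    return $st
}
demo || echo "do not reboot yet: fix the entries reported above"
```

On a real system the same check is `check_crypttab /etc/crypttab`, run as root so the partitions are readable.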

Thanks!
Got it, I’ll create a separate thread for each problem next time.

nrickert,
Thank you for the detailed answer!
I’ve done as you proposed for swap. The result is success. Now the system is not asking for the swap password during boot.
Have I got this right that the drawback of this solution is that hibernate will not work (I mean resume from hibernate)?

As for the unlock screen problem - I tried a few more times and found out that my original session was actually terminated when I tried to unlock the screen.
The following message appeared in Ctrl+Alt+F10 console: “linux-v6cu kdm[1557]: X server for display :0 terminated unexpectedly”
Do you know what it might be or how can I get more information regarding the error?

Yes, that’s correct. Resume from hibernate won’t work.

I’m pretty sure that resume from hibernate would not have worked the way you originally set it up. When I had a system set up that way, the check for hibernation data was done before the decryption of swap. However, in the system where I am using an encrypted LVM, the check for hibernation data is done after the LVM is decrypted, so I think that’s the best way to go if you want resume from hibernation.

Personally, I don’t like hibernation, so I disable it.

On the lock/unlock screen issue - no, sorry. I am not sure what is going on there.

My suggestion would be to start a new thread on that issue, with a thread title that indicates that it is a session unlock problem. That’s the best way of getting the attention of the people who know a lot about unlock issues.

If you do start a new thread, then add one more post to this thread that points to the new thread.

Fair enough. I think I’ll live with no hibernation until the next stable release of openSUSE (12.X). Once 12.X is released I’ll reinstall it from scratch using LVM.

Also, I’ve resolved the lock/unlock screen issue by updating KDE from 4.6.0 to 4.7.1 (I took the “one click” install from kde.org to do this).