Okay, so… running the latest Tumbleweed, and still getting two prompts for the decryption password during boot.
I’ve done some searching on the forums, reddit, etc. and it appears that this has been a ‘thing’ for a while now. Although I’ve seen more than a few mentions in the last year or two that it was supposedly fixed in Tumbleweed, then a couple mentions that indicated that it wasn’t…
I have what should be a fairly straight-forward setup at this point: 256GB NVME drive, with btrfs and everything on the one drive - no separate partition for /home.
    monte@shop:~> lsblk -f /dev/nvme0n1
    NAME        FSTYPE FSVER LABEL UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
    nvme0n1
    ├─nvme0n1p1
    │           vfat   FAT32       3685-540A                               505M     1% /boot/efi
    ├─nvme0n1p2
    │           crypto 1           44e38dcb-f6c2-4365-88d7-489742bb292d
    │ └─cr_root
    │           btrfs              dd2c71ca-81bb-4907-9d1d-61370b054077  227.4G     3% /var
    │                                                                                  /root
    │                                                                                  /usr/local
    │                                                                                  /srv
    │                                                                                  /home
    │                                                                                  /opt
    │                                                                                  /boot/grub2/i386-pc
    │                                                                                  /boot/grub2/x86_64-efi
    │                                                                                  /.snapshots
    │                                                                                  /
    └─nvme0n1p3
                crypto 1           4ff66118-ea77-4151-a1ca-52b171f7fc12
      └─cr_swap
                swap   1           9f2550e4-b099-4050-a5c0-749b9d5af971                [SWAP]
I have been following the wiki article on encrypted root file system, specifically the section on avoiding having to type the password twice.
I’m good down through about step 6. Did that, rebooted, still got the two prompts. Realized I probably have an encrypted swap partition as well, so I need to account for that.
Initially I was following the subsequent additional steps for encrypted swap and hibernation, but that wasn’t getting me anywhere but confused. Specifically, it’s a little vague (to me) on where/how to pass the resume kernel parameter.
Thinking on it more… I’m not doing this on a laptop, so I don’t know how relevant the whole ‘resume’ thing actually is for me.
I went back through the first section of the wiki article after reading this thread… and caught a section that I had missed previously:
If you have other encrypted partitions (e.g. /home, swap, etc), you can create additional keys to mount them without entering a passphrase. This works exactly as described above in steps 1-4, except that you don’t need to add the key for those partitions to the initrd. However, step 7 is still required for the changes to be applied.
However, now I’m confused as to what ‘step 7’ is supposed to be?
At this point… my /etc/crypttab file looks like this:

    cr_swap UUID=4ff66118-ea77-4151-a1ca-52b171f7fc12 /.root.key none
    cr_root UUID=44e38dcb-f6c2-4365-88d7-489742bb292d /.root.key x-initrd.attach
I’m pretty sure that grub is asking me for the password for the root partition initially, based on the last few characters of the UUID. Then it boots to the regular grub menu, and after I select ‘Boot from hard disk’ then I get another gui-ish prompt for a password again. Providing the disk encryption password both times seems to work, and then I finally get to the desktop login. I haven’t (yet) created another password file like /.root.key for the swap partition. Like I said, that part of the article seemed to be getting a little bit fuzzy so I held off for now.
I’m guessing I went off course somewhere here - or not far enough; a little help would be much appreciated.
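
For reading a crypttab like the one in the post field by field, here is an added example (not part of the original post and not taken from the wiki): a shell function that reports, per entry, whether the third field names a key file that actually exists and whether x-initrd.attach is among the options. The cr_data entry, its all-zero UUID and the temporary key paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: summarise crypttab entries. Field order per crypttab(5):
# name, device, key file, options. Assumes key-file fields are plain paths.

crypttab_summary() {
    # $1: crypttab to read (defaults to /etc/crypttab)
    while read -r name dev key opts _rest || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac    # blank line or comment
        case "$key" in
            ''|none|-) unlock="passphrase-prompt" ;;  # no key file configured
            *)  if [ -e "$key" ]; then unlock="keyfile:$key"
                else unlock="keyfile-missing:$key"; fi ;;
        esac
        case ",$opts," in                             # options are comma-separated
            *,x-initrd.attach,*) initrd="x-initrd.attach=yes" ;;
            *)                   initrd="x-initrd.attach=no" ;;
        esac
        printf '%s %s %s %s\n' "$name" "$dev" "$unlock" "$initrd"
    done < "${1:-/etc/crypttab}"
}

crypttab_demo() {
    # Constructed sample: the two entries from the post, with the key path
    # swapped for a temporary file so the demo runs anywhere, plus one
    # hypothetical entry (cr_data) whose key file does not exist.
    d=$(mktemp -d) || return 1
    : > "$d/root.key"
    cat > "$d/crypttab" <<EOF
# constructed sample
cr_swap UUID=4ff66118-ea77-4151-a1ca-52b171f7fc12 $d/root.key none
cr_root UUID=44e38dcb-f6c2-4365-88d7-489742bb292d $d/root.key x-initrd.attach
cr_data UUID=00000000-0000-0000-0000-000000000000 $d/absent.key
EOF
    crypttab_summary "$d/crypttab"
    rm -rf "$d"
}

crypttab_demo
```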