Tumbleweed (2/24/19) install in encrypted fs asks for passphrase twice

Installed from kde live DVD and it finished. The partition setup was chosen by SUSE. No swap. One EFI partition of 300 MB was created with vfat and the remaining disk was one partition, btrfs, encrypted.

When booting, it asks for passphrase before the grub menu is presented and then again it asks for the passphrase. /etc/crypttab has only one line.

Is it possible to make it ask only once, since everything is on one partition (no swap) ?


The problem here, is that grub needs the passphrase in order to get to its boot menu (and the kernel, initrd).

The kernel needs the passphrase to access the file system.

There isn’t a secure way for grub to pass that along to the kernel.

There is a workaround that some people have used. You can put a passphrase (or a random string) into a file, and configure that in “/etc/crypttab”. And then you have to configure “dracut” to include that file in the “initrd”.

I’m currently doing that in a virtual machine (for testing). On real machines, I am preferring to give the passphrase twice, for better security. If you want details, I can go through how to set that up.

It’s full disk encryption so…one disk, one passphrase but multiple times having to enter it ! Not good.

That’s twice per boot. But how often do you boot?

Okay, that’s for Tumbleweed, so you probably reboot after each update.

I’m used to giving passphrase twice, and it doesn’t bother me. But if you want to try putting it in a file and the “initrd”, just ask for details.

ok, gimme the details just in case but do not link me to that archlinux wiki. I didn’t comprehend it- I am not even sure about the different scenarios listed there as to where opensuse implementation fits in. I just want a step by step solution that works for opensuse.


Okay. I have booted up my virtual machine. I’ll just describe how I have it setup.

I should note that I use an encrypted LVM, but that should not make any difference.

1: I have a file “/etc/cr_twleap_lvm” which contains a passphrase.

I’ll note that the name is not critical, as long as there is no conflict. In this case, “twleap” is just the name that I used for the LVM name. I do not use my normal passphrase there. I use a different one, and I then used

cryptsetup luksAddKey device file-path

to make that an additional key. You can use a random number generator for this key if you want.

That file is readable only by root (important).

2: I added that to “/etc/crypttab”. My “crypttab” looks like this:

cr_twleap       UUID=e80a722f-877d-4572-a689-03e088c26c7c       /etc/cr_twleap_lvm      none

3: Force dracut to include that file.

In the directory “/etc/dracut.conf.d”, I created a file “98-crypt.conf”. And note that this file is also set to be readable only by root, though that’s probably not critical.

The file contains the one line:

install_items+=" /etc/cr_twleap_lvm "

The spaces around that path are important.

4: Run “mkinitrd” to rebuild the “initrd”.

And that’s about it. I still have to enter the encryption key before I get the grub boot menu. But, after that, it boots without further prompt for passphrase.

If something goes wrong, then it just prompts for the key anyway.