Re: luks, crypttab: why 3 partition only 2 passphrases entered
On 8/1/18 3:47 PM, Carles Pina i Estany wrote:
>
> Hi,
>
> I have a Debian Stretch and recently I added a new cyphered partition.
> All works well but I don't understand why and it's bothering me.
*snip*
> A question would be:
> a) How to enter the passphrase only once?
> b) When/where (scripts) and how is the passphrase stored?
a) Short version:
Use LVM to set up your partitions. This can be done in the installer.
Have your overall hierarchy look like this:
Raw disk (/dev/sda)
|
LUKS partition (/dev/sdaX) + /boot partition (likely /dev/sda1)
|
LVM Physical Volume (/dev/LVM)
|
LVM Logical Volumes (/dev/LVM/root mounted as /, and /dev/LVM/swap
mounted as /swap)
Long version:
Here is an example of how an encrypted LVM partition can look. We will
look at how I have it set up.
First, output of lsblk:
matthew@matt-tower:~$ lsblk /dev/sda
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 465.8G 0 disk
├─sda1 8:1 0 953.7M 0 part /boot
├─sda2 8:2 0 1K 0 part
└─sda5 8:5 0 464.8G 0 part
└─sda5_crypt 254:0 0 464.8G 0 crypt
├─root--swap-root 254:1 0 447G 0 lvm /
└─root--swap-swap 254:2 0 17.8G 0 lvm [SWAP]
sda1 is /boot (necessary as encrypted /boot is not really possible right
now), sda2 is an unused 1K partition (necessary due to partitioning
oddities, don't worry about it), and sda5 is my actual encrypted
partition. sda5 then has a LUKS encrypted partition called sda5_crypt.
Within the LUKS partition, is a LVM group called root-swap, which we can
see when we run pvdisplay:
matthew@matt-tower:~$ sudo pvdisplay
--- Physical volume ---
PV Name /dev/mapper/sda5_crypt
VG Name root-swap
PV Size 464.83 GiB / not usable 2.00 MiB
Allocatable yes (but full)
PE Size 4.00 MiB
Total PE 118995
Free PE 0
Allocated PE 118995
PV UUID XXXXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXXXX
Within this LVM group are two sub partitions, which act as my /root and
/swap partitions.
matthew@matt-tower:~$ sudo lvdisplay
--- Logical volume ---
LV Path /dev/root-swap/root
LV Name root
VG Name root-swap
LV UUID XXXXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXXXX
LV Write Access read/write
LV Creation host, time matt-tower, 2018-06-25 10:24:13 -0700
LV Status available
# open 1
LV Size 447.04 GiB
Current LE 114441
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 254:1
--- Logical volume ---
LV Path /dev/root-swap/swap
LV Name swap
VG Name root-swap
LV UUID XXXXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXXXX
LV Write Access read/write
LV Creation host, time matt-tower, 2018-06-25 10:24:19 -0700
LV Status available
# open 2
LV Size 17.79 GiB
Current LE 4554
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 254:2
Lastly, the output of my /etc/crypttab and /etc/fstab:
matthew@matt-tower:~$ cat /etc/crypttab
sda5_crypt UUID=ea2034e1-c550-466c-b9a4-61c40f0891b6 none luks
matthew@matt-tower:~$ cat /etc/fstab
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/root--swap-root / ext4 discard,errors=remount-ro 0 1
# /boot was on /dev/sda1 during installation
UUID=5c24b6a3-f1ec-42b7-9d03-251295853167 /boot ext2 noatime,nodiratime 0 2
/dev/mapper/root--swap-swap none swap sw 0 0
Here is the overall hierarchy:
Raw disk (/dev/sda)
|
LUKS partition (/dev/sda5)
|
LVM Physical Volume (/dev/root-swap)
|
LVM Logical Volumes (/dev/root-swap/root mounted as /, and
/dev/root-swap/swap mounted as /swap)
At boot time, /boot is automatically mounted, and when it is time to
mount /, it will ask for the LUKS partition password. Once unlocked, it
will mount the LVM physical volume, then subsequently mount both LVM
logical volumes in one swoop. One password for two logical partitions.
b) Read the manpage for cryptsetup. It has everything you need to
understand how LUKS encryption works.
Cheers,
-Matt
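Added example, not part of Matt's reply: a small crypttab(5) reader that reports how each mapping gets its key, which is what decides how many passphrases are typed at boot. The sample crypttab is constructed; its first line mirrors the entry shown above, the data_crypt and swap_crypt entries are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. crypttab fields are
#   <target name> <source device> <key file> <options>
# Constructed sample: line 1 mirrors the post's entry (key field "none",
# so the passphrase is prompted at boot); the other two are hypothetical.
SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
sda5_crypt UUID=ea2034e1-c550-466c-b9a4-61c40f0891b6 none luks
data_crypt UUID=00000000-0000-0000-0000-000000000000 /root/data.key luks,discard
swap_crypt /dev/sdb2 sda5_crypt luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
'

# Print "<name> <source>" per entry, where source is one of:
#   prompt            key field is "none": passphrase typed at boot
#   keyscript:<path>  a keyscript= option supplies the key (no prompt)
#   keyfile:<path>    a key file stored on disk (no prompt, but the key
#                     is only as protected as the filesystem holding it)
crypttab_key_sources() {
    printf '%s' "$SAMPLE_CRYPTTAB" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }      # comments and blank lines
        {
            src = "prompt"
            if ($3 != "none" && $3 != "" && $3 != "-") src = "keyfile:" $3
            # keyscript= takes precedence: the script produces the key
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^keyscript=/) src = "keyscript:" substr(opts[i], 11)
            print $1, src
        }'
}

# Key source of a single mapping by name; "missing" if there is no entry.
crypttab_key_source() {
    r=$(crypttab_key_sources | awk -v want="$1" '$1 == want { print $2 }')
    [ -n "$r" ] && printf '%s\n' "$r" || printf 'missing\n'
}

# Number of passphrase prompts the boot will present: one per "prompt"
# entry, so one LUKS container holding the whole LVM group means one.
crypttab_count_prompts() {
    crypttab_key_sources | awk '$2 == "prompt" { n++ } END { print n + 0 }'
}

crypttab_key_sources
```

Point it at a real file by replacing SAMPLE_CRYPTTAB with `cat /etc/crypttab`; any entry reported as keyfile: is unlocked without a prompt and is worth checking for where that file lives.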