[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: luks, crypttab: why 3 partition only 2 passphrases entered

On 08/01/2018 03:47 PM, Carles Pina i Estany wrote:

Hello.  :-)

I have a Debian Stretch and recently I added a new cyphered partition.
All works well but I don't understand why and it's bothering me.

$ cat /etc/crypttab
m2_root_crypt UUID=4e655198-a111-... none luks,discard
m2_swap_crypt UUID=56485640-8a04-... none luks,discard
ssd_dades_crypt UUID=8d1d855d-17a7-... none luks,discard

All three partitions have the same passphrase.

On restart I'm asked for two passwords:

You should have set up your encrypted swap partition to use a random passphrase every boot. (A side benefit is that you never have to enter a passphrase for swap.)

The Debian Installer for Stretch put the following line in my crypttab:

sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap

I changed the source device field to point to a path under /dev/disk/by-id so that my swap partition is found even if the /dev/sd* entries change (which can happen when I move or add disks):

sda2_crypt /dev/disk/by-id/ata-INTEL_SSDSC2CW060A3_******************-part2 /dev/urandom cipher=aes-xts-plain64,size=256,swap

The question is:
"Please unlock disk m2_root_crypt:"

I expcted to write the password three times.

Given your crypttab, above, I agree that you should have to enter three passphrases.

My only theory is that after the root partition is decyphered it's also
mounted and then systemd-ask-password is used somehow (how?) and
--keyname= is used to "Configure a kernel keyring key name". I haven't
tested or seen scripts that do this.

I'm reading initrd scripts/local-top/cryptroot and bin/cryptoot-unlock
(where I can see the string "Please unlock disk") and I don't see
anything like this happening. Maybe initrd lib/cryptsetup/askpass is
doing it?

A question would be:
a) How to enter the passphrase only once?
b) When/where (scripts) and how is the passphrase stored?

This is just to know as the system is working perfectly.

Thanks for reading all of this!

My guess is that you made a mistake and stepped on your encrypted container (ssd_dades_crypt?) when you created the new file system. Did you keep a copy of your console session? Posting it would help.

Please run the following commands and post your console session (substitute DIR with the directory where your new file system is mounted):

# grep crypt /etc/fstab

# ll /dev/mapper

# mount | grep DIR


Reply to: