Re: luks, crypttab: why 3 partition only 2 passphrases entered

To: debian-user@lists.debian.org
Subject: Re: luks, crypttab: why 3 partition only 2 passphrases entered
From: David Christensen <dpchrist@holgerdanske.com>
Date: Wed, 1 Aug 2018 18:22:33 -0700
Message-id: <[🔎] 98bce5a8-4f1c-715e-7db3-9361cb09cea7@holgerdanske.com>
In-reply-to: <[🔎] 20180801224728.qf6dfytz5j7ma5mj@pina.cat>
References: <[🔎] 20180801224728.qf6dfytz5j7ma5mj@pina.cat>

On 08/01/2018 03:47 PM, Carles Pina i Estany wrote:

Hi,


Hello.  :-)

I have a Debian Stretch and recently I added a new cyphered partition.
All works well but I don't understand why and it's bothering me.

Setup:
$ cat /etc/crypttab
m2_root_crypt UUID=4e655198-a111-... none luks,discard
m2_swap_crypt UUID=56485640-8a04-... none luks,discard
ssd_dades_crypt UUID=8d1d855d-17a7-... none luks,discard

All three partitions have the same passphrase.

On restart I'm asked for two passwords:
m2_root_crypt
m2_swap_crypt

You should have set up your encrypted swap partition to use a randompassphrase every boot. (A side benefit is that you never have to entera passphrase for swap.)



The Debian Installer for Stretch put the following line in my crypttab:

sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap

I changed the source device field to point to a path under/dev/disk/by-id so that my swap partition is found even if the /dev/sd*entries change (which can happen when I move or add disks):

sda2_crypt/dev/disk/by-id/ata-INTEL_SSDSC2CW060A3_******************-part2/dev/urandom cipher=aes-xts-plain64,size=256,swap

The question is:
"Please unlock disk m2_root_crypt:"

I expcted to write the password three times.

Given your crypttab, above, I agree that you should have to enter threepassphrases.

My only theory is that after the root partition is decyphered it's also
mounted and then systemd-ask-password is used somehow (how?) and
--keyname= is used to "Configure a kernel keyring key name". I haven't
tested or seen scripts that do this.

I'm reading initrd scripts/local-top/cryptroot and bin/cryptoot-unlock
(where I can see the string "Please unlock disk") and I don't see
anything like this happening. Maybe initrd lib/cryptsetup/askpass is
doing it?

A question would be:
a) How to enter the passphrase only once?
b) When/where (scripts) and how is the passphrase stored?

This is just to know as the system is working perfectly.

Thanks for reading all of this!

My guess is that you made a mistake and stepped on your encryptedcontainer (ssd_dades_crypt?) when you created the new file system. Didyou keep a copy of your console session? Posting it would help.

Please run the following commands and post your console session(substitute DIR with the directory where your new file system is mounted):


# grep crypt /etc/fstab

# ll /dev/mapper

# mount | grep DIR


David

Reply to:

Follow-Ups:
- Re: luks, crypttab: why 3 partition only 2 passphrases entered
  - From: Carles Pina i Estany <carles@pina.cat>
- Re: luks, crypttab: why 3 partition only 2 passphrases entered
  - From: Carles Pina i Estany <carles@pina.cat>

References:
- luks, crypttab: why 3 partition only 2 passphrases entered
  - From: Carles Pina i Estany <carles@pina.cat>

Prev by Date: Re: a dh keys question?
Next by Date: Re: update hell
Previous by thread: Re: luks, crypttab: why 3 partition only 2 passphrases entered
Next by thread: Re: luks, crypttab: why 3 partition only 2 passphrases entered
Index(es):
- Date
- Thread