Re: luks, crypttab: why 3 partition only 2 passphrases entered
On Aug/01/2018, David Christensen wrote:
> On 08/01/2018 03:47 PM, Carles Pina i Estany wrote:
> > Hi,
> Hello. :-)
> > I have a Debian Stretch and recently I added a new cyphered partition.
> > All works well but I don't understand why and it's bothering me.
> > Setup:
> > $ cat /etc/crypttab
> > m2_root_crypt UUID=4e655198-a111-... none luks,discard
> > m2_swap_crypt UUID=56485640-8a04-... none luks,discard
> > ssd_dades_crypt UUID=8d1d855d-17a7-... none luks,discard
> > All three partitions have the same passphrase.
> > On restart I'm asked for two passwords:
> > m2_root_crypt
> > m2_swap_crypt
> You should have set up your encrypted swap partition to use a random
> passphrase every boot. (A side benefit is that you never have to enter a
> passphrase for swap.)
Well, I thought "I might do it another day" and "I can test hibernation
this way". I'm fine entering the password 3 times if needed; I don't
restart that often at all, I use suspend.
> The Debian Installer for Stretch put the following line in my crypttab:
> sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap
Thanks, I'll test it some day for fun :-)
> I changed the source device field to point to a path under
> /dev/disk/by-id so that my swap partition is found even if the
> /dev/sd* entries change (which can happen when I move or add disks):
> sda2_crypt /dev/disk/by-id/ata-INTEL_SSDSC2CW060A3_******************-part2
> /dev/urandom cipher=aes-xts-plain64,size=256,swap
> > The question is:
> > "Please unlock disk m2_root_crypt:"
> > I expected to write the password three times.
> Given your crypttab, above, I agree that you should have to enter three
This is what I'd like to know: why I need to enter the passphrase twice
and not three times.
> > My only theory is that after the root partition is decyphered it's also
> > mounted and then systemd-ask-password is used somehow (how?) and
> > --keyname= is used to "Configure a kernel keyring key name". I haven't
> > tested or seen scripts that do this.
> > I'm reading initrd scripts/local-top/cryptroot and bin/cryptroot-unlock
> > (where I can see the string "Please unlock disk") and I don't see
> > anything like this happening. Maybe initrd lib/cryptsetup/askpass is
> > doing it?
> > A question would be:
> > a) How to enter the passphrase only once?
> > b) When/where (scripts) and how is the passphrase stored?
> > This is just to know as the system is working perfectly.
> > Thanks for reading all of this!
> My guess is that you made a mistake and stepped on your encrypted container
> (ssd_dades_crypt?) when you created the new file system. Did you keep a
> copy of your console session? Posting it would help.
Sadly I didn't keep a copy of my console session.
> Please run the following commands and post your console session (substitute
> DIR with the directory where your new file system is mounted):
> # grep crypt /etc/fstab
> # ll /dev/mapper
> # mount | grep DIR
Commands and something extra:
root@pinux:~# grep crypt /etc/fstab
/dev/mapper/m2_root_crypt / ext4 errors=remount-ro 0 1
/dev/mapper/m2_swap_crypt none swap sw 0 0
/dev/mapper/ssd_dades_crypt /home/carles/dades ext4 errors=remount-ro 0 1
root@pinux:~# ls -l /dev/mapper/
crw------- 1 root root 10, 236 ago 1 23:34 control
lrwxrwxrwx 1 root root 7 ago 1 23:34 m2_root_crypt -> ../dm-0
lrwxrwxrwx 1 root root 7 ago 1 23:34 m2_swap_crypt -> ../dm-1
lrwxrwxrwx 1 root root 7 ago 1 23:34 ssd_dades_crypt -> ../dm-2
root@pinux:~# mount | grep DIR
root@pinux:~# mount | grep dades
/dev/mapper/ssd_dades_crypt on /home/carles/dades type ext4 (rw,relatime,errors=remount-ro,data=ordered)
root@pinux:~# free -m
              total        used        free      shared  buff/cache   available
Mem:          11711         969        8622         142        2119       10286
Swap:         12285           0       12285
root@pinux:~# cat /proc/swaps
Filename        Type            Size      Used    Priority
/dev/dm-1       partition       12580860  0       -1
NAME                  MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                     8:0    0   477G  0 disk
└─sda1                  8:1    0   477G  0 part
  └─ssd_dades_crypt   254:2    0   477G  0 crypt /home/carles/dades
sdb                     8:16   0   477G  0 disk
├─sdb1                  8:17   0   190M  0 part  /boot
├─sdb2                  8:18   0     1K  0 part
├─sdb5                  8:21   0    12G  0 part
│ └─m2_swap_crypt     254:1    0    12G  0 crypt [SWAP]
└─sdb6                  8:22   0 464,8G  0 part
  └─m2_root_crypt     254:0    0 464,8G  0 crypt /
As said, I just want to understand why I'm typing it twice and not three times.
Thanks for any ideas!
Carles Pina i Estany
Web: http://pinux.info || Blog: http://pintant.cat
GPG Key 0x8CD5C157
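An added example, not code from this thread or from Debian: a small Python checker that parses a crypttab in the four-field crypttab(5) layout discussed above and reports, per entry, how it is unlocked (interactive passphrase when the key field is "none", a fresh random key when it is /dev/urandom, otherwise a key file), whether the source device uses a stable identifier (UUID= or /dev/disk/by-*, the point David makes about /dev/sd* names changing), and whether a random-key entry is missing the swap/tmp option (without it the volume's contents are unreadable after every boot). The sample crypttab, the UUIDs and disk id in it, and the function names `parse_crypttab`, `audit` and `passphrase_prompts` are all constructed here. It counts the prompts the configuration asks for, which for the three "none" entries is three; why the boot sequence asked for only two is exactly the open question of the thread and is not answered by the script.

```python
"""Classify /etc/crypttab entries by how they are unlocked at boot.

Added example (not from the thread). Assumes the crypttab(5) layout
<name> <source> <key file> <options>; "none" or "-" in the key field means
an interactive passphrase prompt, /dev/urandom or /dev/random means a new
random key every boot (only sensible together with the swap or tmp option).
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample modelled on the thread's layout; UUIDs and the disk id
# are placeholders, not real values.
SAMPLE_CRYPTTAB = """\
# <target name> <source device> <key file> <options>
m2_root_crypt   UUID=00000000-0000-0000-0000-000000000001 none luks,discard
m2_swap_crypt   UUID=00000000-0000-0000-0000-000000000002 none luks,discard
ssd_dades_crypt UUID=00000000-0000-0000-0000-000000000003 none luks,discard
sda2_crypt /dev/disk/by-id/ata-EXAMPLE_DISK-part2 /dev/urandom cipher=aes-xts-plain64,size=256,swap
bad_random /dev/sdc1 /dev/urandom cipher=aes-xts-plain64,size=256
"""

RANDOM_KEY_SOURCES = {"/dev/urandom", "/dev/random"}
STABLE_PREFIXES = ("UUID=", "PARTUUID=", "LABEL=", "/dev/disk/by-")


@dataclass
class CryptEntry:
    name: str
    source: str
    keyfile: str
    options: List[str]

    @property
    def unlock_method(self) -> str:
        """'passphrase' (prompt at boot), 'random' (per-boot key) or 'keyfile'."""
        if self.keyfile in ("none", "-"):
            return "passphrase"
        if self.keyfile in RANDOM_KEY_SOURCES:
            return "random"
        return "keyfile"

    @property
    def stable_source(self) -> bool:
        """True when the source does not depend on /dev/sd* enumeration order."""
        return self.source.startswith(STABLE_PREFIXES)


def parse_crypttab(text: str) -> List[CryptEntry]:
    """Parse crypttab text; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {raw!r}")
        name, source = fields[0], fields[1]
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = fields[3].split(",") if len(fields) > 3 else []
        entries.append(CryptEntry(name, source, keyfile, options))
    return entries


def passphrase_prompts(entries: List[CryptEntry]) -> List[str]:
    """Names of the entries the configuration would prompt a passphrase for."""
    return [e.name for e in entries if e.unlock_method == "passphrase"]


def audit(entries: List[CryptEntry]) -> List[Tuple[str, str]]:
    """Return (name, finding) pairs for entries worth a second look."""
    findings = []
    for e in entries:
        if e.unlock_method == "random" and not ({"swap", "tmp"} & set(e.options)):
            findings.append((e.name, "random key without swap/tmp option: "
                                     "contents are lost on every boot"))
        if not e.stable_source:
            findings.append((e.name, "source is a kernel device name that "
                                     "can change between boots"))
    return findings


if __name__ == "__main__":
    parsed = parse_crypttab(SAMPLE_CRYPTTAB)
    for entry in parsed:
        print(f"{entry.name:16} {entry.unlock_method:10} stable_source={entry.stable_source}")
    print("prompts expected:", passphrase_prompts(parsed))
    for name, finding in audit(parsed):
        print(f"WARNING {name}: {finding}")
```

To check a real system, replace `SAMPLE_CRYPTTAB` with the contents of /etc/crypttab; the report lists the entries that should prompt, so a mismatch with what the console actually asks for is the thing to investigate.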