
Re: Encrypted /boot password has to be entered twice



On Tue 2020-02-25 17:31, Steve McIntyre wrote:
> Grub needs the passphrase for /boot, and then Linux needs it
> separately. Unfortunately there isn't a way for Grub to pass the
> passphrase to Linux so it has to ask you again. People are looking at
> ways to make this work better...

One way to do this is to use both a passphrase and a keyfile. You use the
passphrase with grub to decrypt things, then configure the initramfs to hold the
keyfile (both located on the drive) and use it for mounting grub. The net effect
is to only have the password prompt once. Here's what to do:

* Generate the keyfile (call it /keyfile) and add it to your device.

* Add this to /etc/crypttab:

-- /etc/crypttab ---------------------------------------------------------------
root  UUID=<your uuid>  /keyfile  luks
--------------------------------------------------------------------------------

* Install cryptsetup-initramfs and add/edit this line:

-- /etc/cryptsetup-initramfs/conf-hook -----------------------------------------
KEYFILE_PATTERN=/keyfile
--------------------------------------------------------------------------------

* The keyfile is stored in the initramfs and should be protected, so give it a
  more restrictive umask by adding/editing the line

-- /etc/initramfs-tools/initramfs.conf -----------------------------------------
UMASK=0077
--------------------------------------------------------------------------------

* Update /etc/default/grub.

-- /etc/default/grub -----------------------------------------------------------
GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX="cryptdevice=/dev/<your partition>"
--------------------------------------------------------------------------------

* Rebuild the initramfs, update grub:

  $ update-initramfs -k all -u
  $ update-grub


BTW, grub's verification of the passphrase is *slow*. You can speed things up at
the cost of some security by adjusting the --iter-time parameter. I have found
that --iter-time=1000 is fast enough on newer machines.

Hope this helps,
MM

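The steps above, collected into one script as an added example (this is not the poster's own script and not part of the original thread). The device path /dev/sda2, the mapper name "root" and the keyfile path /keyfile are assumptions, overridable through the environment; the script writes nothing unless run as root with --apply, so the helper functions can be exercised safely. It sets only GRUB_ENABLE_CRYPTODISK in /etc/default/grub and relies on Debian's cryptsetup-initramfs hook reading /etc/crypttab at build time, which is my understanding of how the keyfile and UUID reach the initramfs.

```shell
#!/bin/sh
# Added example (not from the original post): apply the passphrase-plus-keyfile
# setup on a Debian system. DEV, NAME and KEYFILE are assumptions; override them
# via the environment. Nothing is written unless run as root with --apply.
set -eu

DEV="${DEV:-/dev/sda2}"        # assumed LUKS container holding the root fs
NAME="${NAME:-root}"           # mapper name, i.e. the first /etc/crypttab field
KEYFILE="${KEYFILE:-/keyfile}" # keyfile on the root fs, copied into the initramfs

# Render one /etc/crypttab line: target, UUID source, keyfile, options.
crypttab_line() {
    printf '%s  UUID=%s  %s  luks\n' "$1" "$2" "$3"
}

# Set KEY=VALUE in a shell-style config file: rewrite an active assignment if
# one exists, otherwise append a new one.
set_kv() {
    file=$1 key=$2 val=$3
    if [ -f "$file" ] && grep -q "^$key=" "$file"; then
        sed -i "s|^$key=.*|$key=$val|" "$file"
    else
        printf '%s=%s\n' "$key" "$val" >> "$file"
    fi
}

# Check that a file is readable by root only. The keyfile is a second unlock
# secret for the root volume, so it must never be group- or world-readable.
keyfile_mode_ok() {
    case "$(stat -c '%a' "$1")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }

    # 1. Generate a 4 KiB random keyfile, root-only from the moment it exists.
    ( umask 077; head -c 4096 /dev/urandom > "$KEYFILE" )
    chmod 0400 "$KEYFILE"
    keyfile_mode_ok "$KEYFILE" || { echo "bad mode on $KEYFILE" >&2; exit 1; }

    # 2. Enroll it in a free LUKS key slot. This prompts for the existing
    #    passphrase, which stays valid and is the one GRUB will ask for.
    cryptsetup luksAddKey "$DEV" "$KEYFILE"
    uuid=$(cryptsetup luksUUID "$DEV")

    # 3. Point /etc/crypttab at the keyfile, replacing any earlier line for NAME.
    [ -f /etc/crypttab ] && sed -i "/^$NAME[[:space:]]/d" /etc/crypttab || true
    crypttab_line "$NAME" "$uuid" "$KEYFILE" >> /etc/crypttab

    # 4. Let the initramfs hook copy the keyfile in, and make the generated
    #    image root-only so the embedded key cannot be read out of /boot.
    set_kv /etc/cryptsetup-initramfs/conf-hook KEYFILE_PATTERN "$KEYFILE"
    set_kv /etc/initramfs-tools/initramfs.conf UMASK 0077

    # 5. Make GRUB unlock the encrypted /boot itself (the single prompt).
    set_kv /etc/default/grub GRUB_ENABLE_CRYPTODISK y

    # 6. Rebuild the initramfs for every installed kernel and regenerate grub.cfg.
    update-initramfs -k all -u
    update-grub
}

if [ "${1:-}" = "--apply" ]; then
    apply
fi
```

Run it as `DEV=/dev/nvme0n1p2 ./keyfile-boot.sh --apply` on the real machine; without --apply it only defines the helpers. The UMASK=0077 step matters because the keyfile is a full unlock secret once it is inside the initramfs image under /boot, and the mode check refuses to continue if the generated keyfile is readable by anyone but root.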
