Re: Encrypted /boot password has to be entered twice
On 2/25/2020 7:48 PM, Matthew Moore wrote:
>
> On Tue 2020-02-25 17:31, Steve McIntyre wrote:
>> Grub needs the passphrase for /boot, and then Linux needs it
>> separately. Unfortunately there isn't a way for Grub to pass the
>> passphrase to Linux so it has to ask you again. People are looking at
>> ways to make this work better...
>
> One way to do this is to use both a passphrase and a keyfile. You use the
> passphrase with grub to decrypt things, then configure the initramfs to hold the
> keyfile (both located on the drive) and use it for mounting grub. The net effect
> is to only have the password prompt once. Here's what to do:
>
> * Generate the keyfile (call it /keyfile) and add it to your device.
>
> * Add this to /etc/crypttab:
>
> -- /etc/crypttab ---------------------------------------------------------------
> root UUID=<your uuid> /keyfile luks
> --------------------------------------------------------------------------------
>
> * Install cryptsetup-initramfs and add/edit this line:
>
> -- /etc/cryptsetup-initramfs/conf-hook -----------------------------------------
> KEYFILE_PATTERN=/keyfile
> --------------------------------------------------------------------------------
>
> * The keyfile should be protected and is stored, so give it a more restrictive
> umask by adding/editing the line
>
> -- /etc/initramfs-tools/initramfs.conf -----------------------------------------
> UMASK=0077
> --------------------------------------------------------------------------------
>
> * Update /etc/default/grub.
>
> -- /etc/default/grub -----------------------------------------------------------
> GRUB_ENABLE_CRYPTODISK=y
> GRUB_CMDLINE_LINUX="cryptdevice=/dev/<your partition>"
> --------------------------------------------------------------------------------
>
> * Rebuild the initramfs, update grub:
>
> $ update-initramfs -k all -u
> $ update-grub
>
>
"Booting from Hard Disk...
Attempting to decrypt master key...
Enter passphrase for hd0,msdos1 ():
Slot 0 opened"
I need to enter the password here for the first time.
" GNU GRUB version 2.02+dfsg1-20
cryptsetup: sda5_crypt: set up successfully"
With key file, I don't need to enter the password for the root device.
"/dev/mapper/debian--bustervm--vg-root: recovering journal
/dev/mapper/debian--bustervm--vg-root: clean, 31578/507904 files, 287395s
Please enter passphrase for disk QEMU_HARDDISK (sda1_crypt):"
But here, I need to reenter the password for a second time.
According to Steve McIntyre <steve@einval.com>, whom I thank for his answer,
the passphrase for the boot device has, for the time being, to be provided
twice (once for grub and once for linux).
To Matthew Moore <a91738246@gmail.com>, thanks for your answer.
For now, I did that per the instructions at (1). As far as I understand,
your instructions will give me the same result as what is described at (1)?
I'm just starting here, so any input is welcome.
I'm also adding the e-mail contact found at (1), and thank Guilhem
Moulin <guilhem@debian.org> for his direct help.
1)
https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html#avoiding-the-extra-password-prompt
--
John Doe
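The keyfile set-up from Matthew Moore's quoted steps (and from the Debian page at (1)), written out as one script. This is an added example, not code from the thread or from the Debian cryptsetup project. The device /dev/sda5, the mapping name sda5_crypt, the keyfile path /etc/luks/root.key and the script name setup-keyfile.sh are assumed placeholders; the /etc/crypttab entry plus KEYFILE_PATTERN is what Debian's cryptsetup-initramfs hook uses to locate the device and embed the key, so no cryptdevice= kernel parameter is added. It is meant to run as root on the real system; with DRY_RUN=1 and ROOT pointing at a scratch directory it only stages the config files there and prints the privileged commands.

```shell
#!/bin/sh
# Added example, not code from the thread: script the keyfile set-up that lets
# GRUB ask for the /boot passphrase once while the initramfs unlocks the root
# container with an embedded keyfile (Debian, cryptsetup-initramfs).
# Run as root on the real system; with DRY_RUN=1 and ROOT=<dir> it stages the
# config files under <dir> and only prints the privileged commands.
set -eu

# Placeholders, assumed for illustration; adjust to your system.
LUKS_DEV="${LUKS_DEV:-/dev/sda5}"        # LUKS container holding / (and /boot)
MAPNAME="${MAPNAME:-sda5_crypt}"         # first column of /etc/crypttab
KEYFILE="${KEYFILE:-/etc/luks/root.key}" # must live inside the encrypted root fs
ROOT="${ROOT:-}"                         # staging prefix for dry runs
DRY_RUN="${DRY_RUN:-0}"

# Print instead of executing when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

# Create a 4096-byte random keyfile that is root-only from its first byte:
# umask 077 is in force before dd writes anything, so there is no window in
# which the key is readable by other users.
make_keyfile() {   # path
    dir=$(dirname "$1")
    mkdir -p "$dir" && chmod 700 "$dir"
    ( umask 077 && dd if=/dev/urandom of="$1" bs=4096 count=1 2>/dev/null )
    chmod 400 "$1"
}

# The /etc/crypttab entry: name, device by UUID, keyfile, options.
crypttab_line() {   # name uuid keyfile
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# Replace every line of FILE matching REGEX with LINE, appending LINE if
# nothing matched, so re-running the script never duplicates entries.
put_line() {   # file regex line
    mkdir -p "$(dirname "$1")" && touch "$1"
    { grep -v "$2" "$1" || true; } > "$1.tmp"
    printf '%s\n' "$3" >> "$1.tmp"
    mv "$1.tmp" "$1"
}

main() {
    [ "$DRY_RUN" = 1 ] || [ "$(id -u)" = 0 ] || { echo "run as root" >&2; exit 1; }
    uuid=${UUID:-$(cryptsetup luksUUID "$LUKS_DEV")}

    make_keyfile "$ROOT$KEYFILE"
    # Enrol the keyfile in a free LUKS key slot; cryptsetup prompts once for an
    # existing passphrase, which stays valid (GRUB still needs it).
    run cryptsetup luksAddKey "$LUKS_DEV" "$ROOT$KEYFILE"

    # 1. crypttab: how the initramfs finds the root device and its key.
    put_line "$ROOT/etc/crypttab" "^$MAPNAME " \
        "$(crypttab_line "$MAPNAME" "$uuid" "$KEYFILE")"
    # 2. Let the cryptsetup initramfs hook copy the keyfile into the image.
    put_line "$ROOT/etc/cryptsetup-initramfs/conf-hook" '^KEYFILE_PATTERN=' \
        "KEYFILE_PATTERN=$KEYFILE"
    # 3. The initrd now contains the key, so make it readable by root only.
    put_line "$ROOT/etc/initramfs-tools/initramfs.conf" '^UMASK=' 'UMASK=0077'
    # 4. GRUB must be able to open the LUKS container to read /boot at all.
    put_line "$ROOT/etc/default/grub" '^GRUB_ENABLE_CRYPTODISK=' \
        'GRUB_ENABLE_CRYPTODISK=y'

    run update-initramfs -u -k all
    run update-grub
}

# Only act when explicitly asked, so sourcing the file just defines functions.
if [ "${RUN_SETUP:-0}" = 1 ]; then main; fi
```

Preview with `RUN_SETUP=1 DRY_RUN=1 ROOT=/tmp/stage UUID=<your uuid> sh setup-keyfile.sh` and inspect the staged files before running it for real. Two details carry the security of the arrangement: the keyfile is root-only before it holds any data, and UMASK=0077 keeps the generated initrd, which now contains the key, from being world-readable. Both only help because /boot itself sits inside the LUKS container that GRUB unlocks; with an unencrypted /boot the initrd would hand the root key to anyone able to read the disk.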