
Re: LVM passphrase



Polyna-Maude Racicot-Summerside <debian@polynamaude.com> wrote on 28/12/2021 at 07:39:16+0100:

> Hi,
> I got two logical volume on my hard disk.
> One is the swap
> Other is the root
> Both have the same passphrase.
> How can I make grub ask only once ?
> Thanks

Hi,

First, for the sake of clarity, I guess you are talking about LUKS
filesystems on logical volumes?

If so, I guess you're not dealing with grub but with initramfs scripts
and then init asking for passphrases. Indeed, GRUB only asks the
passphrase of a potential encrypted /boot to fetch its configuration in
order to know what to boot.

Now let's move to the initramfs + init passphrases prompts. Initramfs'
job is to find the root partition and "pivot" on it, ie exec /sbin/init
which is located on the root partition and which will mount the other
filesystems, start services, … you know the drill.

To find the root partition, initramfs has a lot of helper scripts, and
if the root partition is encrypted, it also has access to cryptsetup
binaries and passfifo. It therefore prompts for a password to decrypt
your rootfs.

Later on, init wants to make your swap available and therefore also
needs to ask you for a passphrase.

Theoretically, if you use systemd >= 227, you don't get prompted for
such passphrase, because the systemd's changelog for version 227 reads:

>        * The "ask-password" framework used to query for LUKS harddisk
>          passwords or SSL passwords during boot gained support for
>          caching passwords in the kernel keyring, if it is
>          available. This makes sure that the user only has to type in
>          a passphrase once if there are multiple objects to unlock
>          with the same one. Previously, such password caching was
>          available only when Plymouth was used; this moves the
>          caching logic into the systemd codebase itself. The
>          "systemd-ask-password" utility gained a new --keyname=
>          switch to control which kernel keyring key to use for
>          caching a password in. This functionality is also useful for
>          enabling display managers such as gdm to automatically
>          unlock the user's GNOME keyring if its passphrase, the
>          user's password and the harddisk password are the same, if
>          gdm-autologin is used.

There could be reasons why this doesn't work, like the kernel keyring is
not accessible, or you are relying on an init system not using this
feature, …

Anyway, in case it doesn't work you can use the good ol' /etc/crypttab
file to add some automation. The first step is to add another LUKS
passphrase to your swap partition. Then, add this passphrase in a file
available from your rootfs (eg /etc/luks.keys/swap.key) (mind using an
editor that doesn't add a line return to the file, otherwise it won't
work, you are technically allowed to use dd to generate a random binary
passphrase into a file and then use this file to seed a passphrase to
your partition), and then reference this file in /etc/crypttab for your
swap partition (man crypttab for more intel on this).

There are some examples here[0], but please check that it fits
your use case.

Cheers,

-- 
PEB

[0] https://www.howtoforge.com/automatically-unlock-luks-encrypted-drives-with-a-keyfile
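As an added example (not part of this thread), the keyfile procedure described above as a POSIX shell script with the checks a careful admin would want before touching the volume: root-only permissions, no editor-added trailing newline, and a generated crypttab line. The /etc/luks.keys/swap.key path comes from the mail; the LV device, UUID and mapper target name are placeholders.

```shell
#!/bin/sh
# Added example, not the mail author's script. Prepares a LUKS keyfile for an
# encrypted swap LV and builds the matching /etc/crypttab entry.
# Device, UUID and target names below are placeholders: edit them first.
set -eu

# Random binary keyfile readable only by root (umask 077 during creation,
# then mode 0400). A binary key avoids the trailing-newline pitfall entirely.
make_keyfile() {
    keyfile=$1
    mkdir -p "$(dirname "$keyfile")"
    ( umask 077 && head -c 4096 /dev/urandom > "$keyfile" )
    chmod 0400 "$keyfile"
}

# Checks to run before adding the key: file exists and is non-empty, is not
# group/world readable, and (for a typed passphrase) does not end with '\n',
# because cryptsetup would treat that newline as part of the passphrase.
check_keyfile() {
    keyfile=$1
    [ -s "$keyfile" ] || { echo "empty or missing: $keyfile" >&2; return 1; }
    mode=$(stat -c %a "$keyfile")
    case "$mode" in
        400|600) ;;
        *) echo "mode $mode on $keyfile, expected 0400 or 0600" >&2; return 1 ;;
    esac
    last=$(tail -c1 "$keyfile" | od -An -tx1 | tr -d ' \n')
    [ "$last" != "0a" ] || { echo "$keyfile ends with a newline" >&2; return 1; }
}

# Add the keyfile as an extra LUKS key slot; cryptsetup prompts for an
# existing passphrase. Needs root and a real device, so only main() calls it.
add_key_to_volume() {
    cryptsetup luksAddKey "$1" "$2"
}

# crypttab format: <target> <source> <keyfile> <options>; the target becomes
# /dev/mapper/<target>, which is what fstab should reference for the swap.
crypttab_line() {
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

main() {
    kf=/etc/luks.keys/swap.key                    # path from the mail
    uuid=00000000-0000-0000-0000-000000000000     # placeholder LUKS UUID
    make_keyfile "$kf"
    check_keyfile "$kf"
    add_key_to_volume /dev/vg0/swap "$kf"         # placeholder LV
    crypttab_line swap_crypt "$uuid" "$kf" >> /etc/crypttab
}

# Nothing is changed unless the script is explicitly run as: sh script --apply
if [ "${1:-}" = "--apply" ]; then main; fi
```

After applying, rebuild the initramfs so the keyfile path is picked up (on Debian, update-initramfs -u) and keep the keyfile on the root filesystem only, since it is unlocked with the interactive passphrase anyway.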
