Re: LVM passphrase
Hi Andrew,

On 2021-12-28 5:00 p.m., Andrew M.A. Cater wrote:
> On Wed, Dec 29, 2021 at 08:55:29AM +1100, David wrote:
>> On Tue, 28 Dec 2021 at 21:06, Pierre-Elliott Bécue wrote:
>>> Polyna-Maude Racicot-Summerside wrote on
>>> 28/12/2021 at 07:39:16+0100:
>> I got two logical volumes on my hard disk.
>> One is the swap
>> Other is the root
>> Both have the same passphrase.
>> How can I make grub ask only once ?
>>
> Encrypting boot partitions would be hard - how would you get to the
> point of entering a passphrase ... this is why "encrypted LVM setup" _doesn't_
> encrypt boot in the default settings from the Debian partitioner.
>
My boot partition is not encrypted.

I created the same scheme as Debian usually does for beginners (one
partition for all) except I wanted a larger swap space. Now it asks
twice for the passphrase.

I have one partition (/boot sda1) + another partition (logical /sda5)
I have one volume group
I have two logical volumes, one being the swap (16 GB) and the other one
being my root (760 GB).

Would 6 GB RAM + 16 GB SWAP be enough for a simple laptop used for
copying files from my cameras and doing basic work on photos (the big
stuff is done on my desktop)?

>> If we are talking about somehow using both LVM and LUKS
>> in combination, then decrypting a single LUKS volume that
>> has been partitioned into root and swap with LVM will only
>> require one password given once to the init started by the
>> initrd, when booting the system.
>>
>
> This is why the encrypted LVM setup in Debian has an unencrypted boot
> and swap is contained within the single encrypted volume, I think
>
>> Maybe providing the output of 'lsblk -f' would help to clarify
>> the situation, so that we can see what is on the disk.
>>
I will do so...

>
> Hope this helps - all best, as ever,
>
> Andy Cater
>

--
Polyna-Maude R.-Summerside
-Be smart, Be wise, Support opensource development
Re: LVM passphrase
David wrote on 28/12/2021 at 22:55:29+0100:
> On Tue, 28 Dec 2021 at 21:06, Pierre-Elliott Bécue wrote:
>> Polyna-Maude Racicot-Summerside wrote on 28/12/2021
>> at 07:39:16+0100:
>
>> > I got two logical volumes on my hard disk.
>> > One is the swap
>> > Other is the root
>> > Both have the same passphrase.
>> > How can I make grub ask only once ?
>
>> First, for the sake of clarity, I guess you are talking about LUKS
>> filesystems on logical volumes?
>>
>> If so, I guess you're not dealing with grub but with initramfs scripts
>> and then init asking for passphrases. Indeed, GRUB only asks the
>> passphrase of a potential encrypted /boot to fetch its configuration in
>> order to know what to boot.
>>
>> Now let's move to the initramfs + init passphrase prompts. Initramfs'
>> job is to find the root partition and "pivot" on it, ie exec /sbin/init
>> which is located on the root partition and which will mount the other
>> filesystems, start services, … you know the drill.
>>
>> To find the root partition, initramfs has a lot of helper scripts, and
>> if the root partition is encrypted, it also has access to cryptsetup
>> binaries and passfifo. It therefore prompts for a password to decrypt
>> your rootfs.
>>
>> Later on, init wants to make your swap available and therefore also
>> needs to ask you for a passphrase.
>
> I am not clear exactly what is being asked here. Is the question
> about Grub asking for passwords, or about the initrd asking
> for passwords? Grub will ask before booting the kernel, the
> initrd will ask after Grub invokes the kernel.
>
> I don't know about Grub asking for passwords, because I don't
> encrypt boot partitions. But if the question is about the initrd
> password prompt, then ...
>
> If we are talking about somehow using both LVM and LUKS
> in combination, then decrypting a single LUKS volume that
> has been partitioned into root and swap with LVM will only
> require one password given once to the init started by the
> initrd, when booting the system.
>
> Maybe providing the output of 'lsblk -f' would help to clarify
> the situation, so that we can see what is on the disk.

I think my answer covers most of the cases. Polyna-Maude is free to come
back at us in case more help is needed.

Cheers,
--
PEB
Re: LVM passphrase
Hello,

On Tue, Dec 28, 2021 at 10:00:51PM +, Andrew M.A. Cater wrote:
> On Wed, Dec 29, 2021 at 08:55:29AM +1100, David wrote:
> > I don't know about Grub asking for passwords, because I don't
> > encrypt boot partitions. But if the question is about the initrd
> > password prompt, then ...
>
> Encrypting boot partitions would be hard - how would you get to the
> point of entering a passphrase ... this is why "encrypted LVM setup" _doesn't_
> encrypt boot in the default settings from the Debian partitioner.

grub2 does support unlocking LUKS so some people do encrypt /boot and
have grub2 unlock it, but this isn't yet supported in the Debian
installer so it seems unlikely that Polyna-Maude has done this.

https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html

If Polyna-Maude *has* done this, then the above link does also give
some hints as to how to reduce the number of times a passphrase is
asked.

Otherwise if the use of LUKS is more conventional (unencrypted /boot,
initramfs unlocks /) then Polyna-Maude may want to look into an
ephemeral passphrase for swap that is set on every boot. Or perhaps
just using a swapfile inside / so as to not have an extra block device
to encrypt.

Possibly more information is needed as to what the OP's setup actually is.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
Re: LVM passphrase
On Wed, Dec 29, 2021 at 08:55:29AM +1100, David wrote:
> On Tue, 28 Dec 2021 at 21:06, Pierre-Elliott Bécue wrote:
> > Polyna-Maude Racicot-Summerside wrote on
> > 28/12/2021 at 07:39:16+0100:
> >
> > > I got two logical volumes on my hard disk.
> > > One is the swap
> > > Other is the root
> > > Both have the same passphrase.
> > > How can I make grub ask only once ?
> >
> > First, for the sake of clarity, I guess you are talking about LUKS
> > filesystems on logical volumes?
> >
> > If so, I guess you're not dealing with grub but with initramfs scripts
> > and then init asking for passphrases. Indeed, GRUB only asks the
> > passphrase of a potential encrypted /boot to fetch its configuration in
> > order to know what to boot.
> >
> > Now let's move to the initramfs + init passphrase prompts. Initramfs'
> > job is to find the root partition and "pivot" on it, ie exec /sbin/init
> > which is located on the root partition and which will mount the other
> > filesystems, start services, … you know the drill.
> >
> > To find the root partition, initramfs has a lot of helper scripts, and
> > if the root partition is encrypted, it also has access to cryptsetup
> > binaries and passfifo. It therefore prompts for a password to decrypt
> > your rootfs.
> >
> > Later on, init wants to make your swap available and therefore also
> > needs to ask you for a passphrase.
>
> I am not clear exactly what is being asked here. Is the question
> about Grub asking for passwords, or about the initrd asking
> for passwords? Grub will ask before booting the kernel, the
> initrd will ask after Grub invokes the kernel.
>
> I don't know about Grub asking for passwords, because I don't
> encrypt boot partitions. But if the question is about the initrd
> password prompt, then ...
>

Encrypting boot partitions would be hard - how would you get to the
point of entering a passphrase ... this is why "encrypted LVM setup" _doesn't_
encrypt boot in the default settings from the Debian partitioner.

> If we are talking about somehow using both LVM and LUKS
> in combination, then decrypting a single LUKS volume that
> has been partitioned into root and swap with LVM will only
> require one password given once to the init started by the
> initrd, when booting the system.
>

This is why the encrypted LVM setup in Debian has an unencrypted boot
and swap is contained within the single encrypted volume, I think

> Maybe providing the output of 'lsblk -f' would help to clarify
> the situation, so that we can see what is on the disk.
>

Hope this helps - all best, as ever,

Andy Cater
Re: LVM passphrase
On Tue, 28 Dec 2021 at 21:06, Pierre-Elliott Bécue wrote:
> Polyna-Maude Racicot-Summerside wrote on 28/12/2021
> at 07:39:16+0100:
>
> > I got two logical volumes on my hard disk.
> > One is the swap
> > Other is the root
> > Both have the same passphrase.
> > How can I make grub ask only once ?
>
> First, for the sake of clarity, I guess you are talking about LUKS
> filesystems on logical volumes?
>
> If so, I guess you're not dealing with grub but with initramfs scripts
> and then init asking for passphrases. Indeed, GRUB only asks the
> passphrase of a potential encrypted /boot to fetch its configuration in
> order to know what to boot.
>
> Now let's move to the initramfs + init passphrase prompts. Initramfs'
> job is to find the root partition and "pivot" on it, ie exec /sbin/init
> which is located on the root partition and which will mount the other
> filesystems, start services, … you know the drill.
>
> To find the root partition, initramfs has a lot of helper scripts, and
> if the root partition is encrypted, it also has access to cryptsetup
> binaries and passfifo. It therefore prompts for a password to decrypt
> your rootfs.
>
> Later on, init wants to make your swap available and therefore also
> needs to ask you for a passphrase.

I am not clear exactly what is being asked here. Is the question
about Grub asking for passwords, or about the initrd asking
for passwords? Grub will ask before booting the kernel, the
initrd will ask after Grub invokes the kernel.

I don't know about Grub asking for passwords, because I don't
encrypt boot partitions. But if the question is about the initrd
password prompt, then ...

If we are talking about somehow using both LVM and LUKS
in combination, then decrypting a single LUKS volume that
has been partitioned into root and swap with LVM will only
require one password given once to the init started by the
initrd, when booting the system.

Maybe providing the output of 'lsblk -f' would help to clarify
the situation, so that we can see what is on the disk.
Re: LVM passphrase
Polyna-Maude Racicot-Summerside wrote on 28/12/2021 at 07:39:16+0100:
> Hi,
> I got two logical volumes on my hard disk.
> One is the swap
> Other is the root
> Both have the same passphrase.
> How can I make grub ask only once ?
> Thanks

Hi,

First, for the sake of clarity, I guess you are talking about LUKS
filesystems on logical volumes?

If so, I guess you're not dealing with grub but with initramfs scripts
and then init asking for passphrases. Indeed, GRUB only asks the
passphrase of a potential encrypted /boot to fetch its configuration in
order to know what to boot.

Now let's move to the initramfs + init passphrase prompts. Initramfs'
job is to find the root partition and "pivot" on it, ie exec /sbin/init
which is located on the root partition and which will mount the other
filesystems, start services, … you know the drill.

To find the root partition, initramfs has a lot of helper scripts, and
if the root partition is encrypted, it also has access to cryptsetup
binaries and passfifo. It therefore prompts for a password to decrypt
your rootfs.

Later on, init wants to make your swap available and therefore also
needs to ask you for a passphrase.

Theoretically, if you use systemd >= 227, you don't get prompted for
such passphrase, because the systemd's changelog for version 227 reads:

> * The "ask-password" framework used to query for LUKS harddisk
>   passwords or SSL passwords during boot gained support for
>   caching passwords in the kernel keyring, if it is
>   available. This makes sure that the user only has to type in
>   a passphrase once if there are multiple objects to unlock
>   with the same one. Previously, such password caching was
>   available only when Plymouth was used; this moves the
>   caching logic into the systemd codebase itself. The
>   "systemd-ask-password" utility gained a new --keyname=
>   switch to control which kernel keyring key to use for
>   caching a password in. This functionality is also useful for
>   enabling display managers such as gdm to automatically
>   unlock the user's GNOME keyring if its passphrase, the
>   user's password and the harddisk password are the same, if
>   gdm-autologin is used.

There could be reasons why this doesn't work, like the kernel keyring is
not accessible, or you are relying on an init system not using this
feature, …

Anyway, in case it doesn't work you can use the good ol' /etc/crypttab
file to add some automation.

First step is to add another LUKS passphrase to your swap partition.
Then, add this passphrase in a file available from your rootfs (eg
/etc/luks.keys/swap.key) (mind using an editor that doesn't add a line
return to the file, otherwise it won't work; you are technically allowed
to use dd to generate a random binary passphrase into a file and then
use this file to seed a passphrase to your partition), and then
reference this file in /etc/crypttab for your swap partition (man
crypttab for more intel on this).

There are some examples here[0], but please mind to assert if it fits
your usecase.

Cheers,
--
PEB

[0] https://www.howtoforge.com/automatically-unlock-luks-encrypted-drives-with-a-keyfile
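The two /etc/crypttab approaches raised in this thread, the persistent keyfile enrolled as an extra LUKS key slot (the procedure above) and Andy Smith's ephemeral random key for swap, as an added example script that is not part of any message in the thread. It assumes a volume group vg0 with a swap LV at /dev/mapper/vg0-swap, a mapper name swap_crypt and a keyfile at /etc/luks.keys/swap.key; all of those names are assumptions, not taken from the thread. The keyfile is generated from /dev/urandom rather than typed into an editor, so the trailing-newline problem cannot arise, and a small check is included for keyfiles that are meant to match a passphrase you also type at the prompt, since cryptsetup reads a keyfile verbatim.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: VG "vg0",
# swap LV /dev/mapper/vg0-swap, mapper name "swap_crypt",
# keyfile /etc/luks.keys/swap.key. Adjust to your own layout.
set -eu

# Create a 4096-byte random binary keyfile without an editor involved,
# so nothing can append a line return. Directory and file are root-only.
gen_keyfile() {
    kf=$1
    dir=$(dirname "$kf")
    mkdir -p "$dir" && chmod 0700 "$dir"
    ( umask 077; head -c 4096 /dev/urandom > "$kf" )
    chmod 0400 "$kf"
}

keyfile_size() {
    wc -c < "$1" | tr -d ' '
}

# Returns 0 if the file ends in a newline byte (0x0a). This only matters
# for a keyfile that should hold a passphrase you also type interactively:
# cryptsetup reads a keyfile verbatim, so "pass\n" is a different key
# from "pass" and the unlock fails with the file even though typing works.
keyfile_has_trailing_newline() {
    [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# crypttab entry for the persistent-keyfile approach:
#   <target> <source> <key file> <options>
# The keyfile lives on /, which is itself LUKS-encrypted, so it is only
# readable once the root passphrase has been entered at the initramfs prompt.
crypttab_keyfile_line() {
    printf '%s %s %s luks\n' "$1" "$2" "$3"
}

# crypttab entry for an ephemeral key (Andy Smith's suggestion): plain
# dm-crypt keyed from /dev/urandom at every boot, with the "swap" option
# so the mapping is re-formatted with mkswap after it is set up.
crypttab_ephemeral_line() {
    printf '%s %s /dev/urandom swap,cipher=aes-xts-plain64,size=256\n' "$1" "$2"
}

# Privileged steps for the keyfile approach; not executed here. Run as root
# once the keyfile exists. luksAddKey prompts for an existing passphrase
# of the swap LV before it enrols the keyfile in a new key slot.
enroll_swap_keyfile() {
    lv=$1; kf=$2
    cryptsetup luksAddKey "$lv" "$kf"
    crypttab_keyfile_line swap_crypt "$lv" "$kf" >> /etc/crypttab
}

# Usage (left commented so the file is safe to source):
# gen_keyfile /etc/luks.keys/swap.key
# enroll_swap_keyfile /dev/mapper/vg0-swap /etc/luks.keys/swap.key
# then make sure /etc/fstab refers to /dev/mapper/swap_crypt and test the
# entry with "cryptdisks_start swap_crypt" before rebooting.
```

Two caveats a practitioner will want. The keyfile must never end up inside the initramfs, because the initramfs sits on the unencrypted /boot; on Debian that means the swap entry must not be needed at the initramfs stage (for example as a resume device) and must not match cryptsetup-initramfs' KEYFILE_PATTERN. The ephemeral variant cannot support resume from hibernation, and because plain dm-crypt maps the LV from offset 0, mkswap will overwrite the existing LUKS header on that LV, so remove the LUKS setup from it deliberately first rather than letting that happen by accident.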
Re: LVM passphrase
You can add a key to swap and place this somewhere in the root
partition. The key must be known by /etc/crypttab, so it should ask
only once.

Am 28.12.21 um 07:39 schrieb Polyna-Maude Racicot-Summerside:
> Hi,
> I got two logical volumes on my hard disk.
> One is the swap
> Other is the root
> Both have the same passphrase.
> How can I make grub ask only once ?
> Thanks
>