Re: luks, crypttab: why 3 partition only 2 passphrases entered
On Wed, 8 Aug 2018 08:57:40 +0100 Jonathan Dowland wrote:

> On Tue, Aug 07, 2018 at 11:10:39PM +0100, Carles Pina i Estany wrote:
> > That was quite a lot of fun!
>
> Good investigation and report, thanks, yes it was fun to read too!
>
> Some time ago I added a second encrypted disk to my setup, but it is a
> removable one. I wanted to use the same encryption passphrase as my
> primary drive, so I looked into the systemd/keyctl stuff. I tried to
> override the timeout, because I plug in the external drive roughly once
> a month. (It's my offsite backup drive)
>
> I figured out one hacky way to do that, but in the meantime a friend
> suggested I just use a key file for the removable drive instead, stored
> on the internal encrypted drive. I considered my threat model, realised
> that was fine, so abandoned my attempts to change the systemd/keyctl
> timeout.

I've also been doing this (storing the encryption keyfile for my external
backup drives on my internal drive) for a while - I figure that since the
external drives are just backups of the internal, anyone with access to
the internal already has all the data on the external, so there's no real
loss of security incurred by storing the key on the internal.

Celejar
Re: luks, crypttab: why 3 partition only 2 passphrases entered
On Tue, Aug 07, 2018 at 11:10:39PM +0100, Carles Pina i Estany wrote:
> That was quite a lot of fun!

Good investigation and report, thanks, yes it was fun to read too!

Some time ago I added a second encrypted disk to my setup, but it is a
removable one. I wanted to use the same encryption passphrase as my
primary drive, so I looked into the systemd/keyctl stuff. I tried to
override the timeout, because I plug in the external drive roughly once
a month. (It's my offsite backup drive)

I figured out one hacky way to do that, but in the meantime a friend
suggested I just use a key file for the removable drive instead, stored
on the internal encrypted drive. I considered my threat model, realised
that was fine, so abandoned my attempts to change the systemd/keyctl
timeout.

-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁  Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀  https://jmtd.net
⠈⠳⣄         Please do not CC me, I am subscribed to the list.
Re: luks, crypttab: why 3 partition only 2 passphrases entered
Hi,

On Aug/07/2018, Jonathan Dowland wrote:
> On Sat, Aug 04, 2018 at 10:54:59PM +0100, Carles Pina i Estany wrote:
> >
> > And I'm now 99% sure that the culprit of all this confusion is...
> > plymouth! It has a password caching facility and systemd seems to use it
> > to get the cached password.
>
> Almost certainly, yes, although, if plymouth is passing the password
> through to systemd, then it need not be caching it itself, as systemd
> caches disk passwords for a short while (I think 5 minutes if I recall
> correctly). See systemd-ask-password(1) for an introduction to the
> architecture of systemd's password stuff.

I did some further digging after sending my last message.

The Debian initrd scripts use Plymouth (if installed, of course, else
other methods... I had it installed) to ask the user for passwords and
try to mount the root partition and minimum partitions.

When the Debian initrd scripts are finished they execute systemd, which
will request from plymouthd the cached passwords (using a local socket I
think). They can be seen if adding:

ply_trace("Carles password: %s", password);

in the while (node != NULL) after 'ply_trace ("There are %d cached
passwords",' (I should have had git for these changes :-) ) (in the
ply_boot_connection_on_request function). (also passing "debug" to the
kernel, then journalctl to see the plymouth debug messages).

All the passwords are cached, even invalid ones: Plymouth doesn't know if
they were valid or not and the Debian scripts don't invalidate them, not
even sure if Plymouth supports invalidation of passwords :)

Systemd requests all the cached passwords from plymouthd.

Then systemd tries to mount the other partitions with the requested
passwords; if it works it will add the passwords in the kernel keyring and
it can be seen with:

root@pinux:~# keyctl show
Session Keyring
 696839878 --alswrv      0 65534  keyring: _uid_ses.0
 373345068 --alswrv      0 65534   \_ keyring: _uid.0
 600178798 --alswrv      0     0       \_ user: cryptsetup
root@pinux:~#

(this can be tested in my system at any time with:

systemctl stop systemd-cryptsetup@ssd_dades_crypt.service
systemctl start systemd-cryptsetup@ssd_dades_crypt.service
keyctl show

or just stop, start (enter password), stop, start (password not needed
because already in the keyring, I think that 5 minutes by default)

That was quite a lot of fun!

Cheers,

-- 
Carles Pina i Estany
Web: http://pinux.info || Blog: http://pintant.cat
GPG Key 0x8CD5C157
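The keyring state Carles inspects by hand can be checked mechanically. The following is an added example, not code from the thread, systemd or keyutils: it parses `keyctl show` output and the "Added key to keyring as N." journal line quoted elsewhere in the thread, and reports whether the cached `user: cryptsetup` key that systemd-cryptsetup announced is still live. The sample keyring and journal text are the ones posted in the thread; `live_keyctl_output` and the other function names are this example's own.

```python
"""Detect a cached cryptsetup passphrase key in the kernel keyring.

Added example for this thread; not part of systemd, keyutils or any poster's
message. Parses `keyctl show` output and systemd-cryptsetup's journal line
"Added key to keyring as <serial>." and correlates the two.
"""
import re
import subprocess
from typing import List, NamedTuple

# One line of `keyctl show`: serial, permissions, uid, gid, optional "\_" tree
# marker, key type, description. Header lines ("Session Keyring") do not match.
KEY_LINE = re.compile(
    r"^\s*(?P<serial>\d+)\s+(?P<perms>[-a-z]+)\s+(?P<uid>\d+)\s+(?P<gid>\d+)\s+"
    r"(?:\\_\s+)?(?P<kind>[\w.]+):\s*(?P<desc>.*?)\s*$"
)
JOURNAL_LINE = re.compile(r"Added key to keyring as (?P<serial>\d+)\.")


class KeyEntry(NamedTuple):
    serial: int
    perms: str
    uid: int
    gid: int
    kind: str  # keyring, user, logon, ...
    desc: str  # key description, e.g. "cryptsetup"


def parse_keyctl_show(text: str) -> List[KeyEntry]:
    """Turn the `keyctl show` tree into a flat list of key entries."""
    entries = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            entries.append(KeyEntry(int(m["serial"]), m["perms"], int(m["uid"]),
                                    int(m["gid"]), m["kind"], m["desc"]))
    return entries


def cached_cryptsetup_keys(text: str) -> List[int]:
    """Serials of 'user: cryptsetup' keys, the type/description seen in the thread."""
    return [e.serial for e in parse_keyctl_show(text)
            if e.kind == "user" and e.desc == "cryptsetup"]


def passphrase_cached(text: str) -> bool:
    """True while a cached cryptsetup key exists, i.e. a re-unlock needs no prompt."""
    return bool(cached_cryptsetup_keys(text))


def announced_serials(journal_text: str) -> List[int]:
    """Serials from systemd-cryptsetup's 'Added key to keyring as N.' lines."""
    return [int(m["serial"]) for m in JOURNAL_LINE.finditer(journal_text)]


def still_present(journal_text: str, keyctl_text: str) -> List[int]:
    """Announced serials that have not yet expired from the keyring."""
    live = set(cached_cryptsetup_keys(keyctl_text))
    return [s for s in announced_serials(journal_text) if s in live]


# Samples copied from the thread: the keyring right after boot, and after the
# cryptsetup key timed out.
KEYCTL_WITH_KEY = r"""Session Keyring
 935647640 --alswrv      0 65534  keyring: _uid_ses.0
 575581655 --alswrv      0 65534   \_ keyring: _uid.0
 604875905 --alswrv      0     0       \_ user: cryptsetup
"""
KEYCTL_EXPIRED = r"""Session Keyring
 935647640 --alswrv      0 65534  keyring: _uid_ses.0
 575581655 --alswrv      0 65534   \_ keyring: _uid.0
"""
JOURNAL = "ago 02 23:30:05 pinux systemd-cryptsetup[498]: Added key to keyring as 604875905.\n"


def live_keyctl_output() -> str:
    """Run `keyctl show` when keyutils is installed; otherwise use the sample."""
    try:
        return subprocess.run(["keyctl", "show"], capture_output=True,
                              text=True, check=False).stdout
    except FileNotFoundError:
        return KEYCTL_WITH_KEY


if __name__ == "__main__":
    out = live_keyctl_output()
    print("cached cryptsetup key(s):", cached_cryptsetup_keys(out) or "none")
    print("announced and still live:", still_present(JOURNAL, out))
```

Run as root on the box in question the script reads the real keyring; anywhere else it falls back to the sample. If a cached key is found and you would rather not keep the passphrase around (for example before suspending), keyctl(1) offers `keyctl unlink <serial> @s` to drop it and `keyctl timeout <serial> <seconds>` to shorten its life.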
Re: luks, crypttab: why 3 partition only 2 passphrases entered
On Sat, Aug 04, 2018 at 10:54:59PM +0100, Carles Pina i Estany wrote:
> And I'm now 99% sure that the culprit of all this confusion is...
> plymouth! It has a password caching facility and systemd seems to use it
> to get the cached password.

Almost certainly, yes, although, if plymouth is passing the password
through to systemd, then it need not be caching it itself, as systemd
caches disk passwords for a short while (I think 5 minutes if I recall
correctly). See systemd-ask-password(1) for an introduction to the
architecture of systemd's password stuff.

-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁  Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀  https://jmtd.net
⠈⠳⣄         Please do not CC me, I am subscribed to the list.
Re: luks, crypttab: why 3 partition only 2 passphrases entered
On Thu, Aug 02, 2018 at 01:00:15AM +, Matthew Crews wrote:
> On 8/1/18 3:47 PM, Carles Pina i Estany wrote:
> > I have a Debian Stretch and recently I added a new cyphered partition.
> > All works well but I don't understand why and it's bothering me.
>
> *snip*
>
> > A question would be:
> > a) How to enter the passphrase only once?
> > b) When/where (scripts) and how is the passphrase stored?
>
> a) Short version:
>
> Use LVM to set up your partitions.

snip

Are you suggesting OP should re-format/reinstall their machine to figure
this out? and you call that the *short* version?!

-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁  Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀  https://jmtd.net
⠈⠳⣄         Please do not CC me, I am subscribed to the list.
Re: luks, crypttab: why 3 partition only 2 passphrases entered
Hi,

On Aug/04/2018, David Christensen wrote:
> On 08/04/2018 02:54 PM, Carles Pina i Estany wrote:
> > And I'm now 99% sure that the culprit of all this confusion is...
> > plymouth! It has a password caching facility and systemd seems to use
> > it to get the cached password.
>
> You seem to have found complexities above dm-crypt. I know very little
> about systemd or the various desktop environments, so I'll wish you good
> luck in pursuing answers to your questions.

I've just confirmed it. In plymouth, file src/ply-boot-server.c, I've
added the ply_trace line:

ply_buffer_append_bytes (buffer, password, strlen (password) + 1);
ply_trace("Carles password: %s", password);

Then I can see in the Debug logs the previously entered passwords when
systemd requests them (which systemd then uses to decipher the partition
and add the correct one in the Linux keyring, etc. etc.).

Thanks for all the help and checks,

-- 
Carles Pina i Estany
Web: http://pinux.info || Blog: http://pintant.cat
GPG Key 0x8CD5C157
Re: luks, crypttab: why 3 partition only 2 passphrases entered
On 08/04/2018 01:08 PM, Carles Pina i Estany wrote:
> root@pinux:~# dmsetup info /dev/dm-*
> Name:              m2_root_crypt
> State:             ACTIVE
> Read Ahead:        256
> Tables present:    LIVE
> Open count:        1
> Event number:      0
> Major, minor:      254, 0
> Number of targets: 1
> UUID: CRYPT-LUKS1-4e655198a11147b3985b4622af7a2b0f-m2_root_crypt
>
> Name:              m2_swap_crypt
> State:             ACTIVE
> Read Ahead:        256
> Tables present:    LIVE
> Open count:        2
> Event number:      0
> Major, minor:      254, 1
> Number of targets: 1
> UUID: CRYPT-LUKS1-564856408a04403191d46f1620cc2c9e-m2_swap_crypt
>
> Name:              ssd_dades_crypt
> State:             ACTIVE
> Read Ahead:        256
> Tables present:    LIVE
> Open count:        1
> Event number:      0
> Major, minor:      254, 2
> Number of targets: 1
> UUID: CRYPT-LUKS1-8d1d855d17a74cf2b29486172e407e35-ssd_dades_crypt
>
> I can't see anything obviously wrong.

Okay. It seems that you have three encrypted partitions, all set up
correctly.

> Since the last emails here I've kept investigating. Quick overview if
> someone is interested here (and let me know if it's something else!).
>
> After booting keyctl has this:
>
> root@pinux:~# keyctl show
> Session Keyring
>  479651357 --alswrv      0 65534  keyring: _uid_ses.0
>  712333474 --alswrv      0 65534   \_ keyring: _uid.0
>  711077095 --alswrv      0     0       \_ user: cryptsetup
> root@pinux:~#
>
> See the cryptsetup line. This is what would make systemd able to
> mount/umount without asking for the passphrase and I can just boot and do:
>
> systemctl stop systemd-cryptsetup@ssd_dades_crypt.service
> systemctl start systemd-cryptsetup@ssd_dades_crypt.service
>
> if the cryptsetup line is still there (it lasts I think 2.5 minutes) the
> second systemctl line is mounting the partition without me entering the
> password.
>
> But the initial passwords are entered to initrd /lib/cryptsetup/askpass
> using plymouth for the password "asking" backend (not systemd related)
> and actually if I boot with init=/bin/bash or break=init I would have the
> two (root and swap) partitions mounted but no "dades" partition mounted
> nor anything in keyctl show.
>
> So still a mystery how this is added there: by who, etc.
>
> Any clues (or "you missed this obvious thing") are very welcome!

On 08/04/2018 02:54 PM, Carles Pina i Estany wrote:
> And I'm now 99% sure that the culprit of all this confusion is...
> plymouth! It has a password caching facility and systemd seems to use
> it to get the cached password.

You seem to have found complexities above dm-crypt. I know very little
about systemd or the various desktop environments, so I'll wish you good
luck in pursuing answers to your questions.

You might try asking on the dm-crypt mailing list:

https://www.saout.de/mailman/listinfo/dm-crypt

David
Re: luks, crypttab: why 3 partition only 2 passphrases entered
And I'm now 99% sure that the culprit of all this confusion is...
plymouth! It has a password caching facility and systemd seems to use it
to get the cached password.

-- 
Carles Pina i Estany
Web: http://pinux.info || Blog: http://pintant.cat
GPG Key 0x8CD5C157
Re: luks, crypttab: why 3 partition only 2 passphrases entered
Hi,

On Aug/04/2018, David Christensen wrote:
> On 08/02/2018 12:07 AM, Carles Pina i Estany wrote:
> > On Aug/01/2018, David Christensen wrote:
> > > On 08/01/2018 03:47 PM, Carles Pina i Estany wrote:
> > > > I have a Debian Stretch and recently I added a new cyphered partition.
> > > > All works well but I don't understand why and it's bothering me.
> > > >
> > > > Setup:
> > > > $ cat /etc/crypttab
> > > > m2_root_crypt UUID=4e655198-a111-... none luks,discard
> > > > m2_swap_crypt UUID=56485640-8a04-... none luks,discard
> > > > ssd_dades_crypt UUID=8d1d855d-17a7-... none luks,discard
> > > >
> > > > All three partitions have the same passphrase.
> > > >
> > > > On restart I'm asked for two passwords:
> > > > m2_root_crypt
> > > > m2_swap_crypt
> ...
> > > > The question is:
> > > > "Please unlock disk m2_root_crypt:"
> > > >
> > > > I expected to write the password three times.
> > >
> > > My guess is that you made a mistake and stepped on your encrypted
> > > container (ssd_dades_crypt?) when you created the new file system.
> > > Did you keep a copy of your console session? Posting it would help.
> >
> > Sadly I didn't keep a copy of my console session.
>
> I got into the habit of cutting and pasting administrative console
> sessions into a log file (and putting the log file into a version
> control system). This technique has proven to be invaluable -- I
> recommend it to everyone.

I take note, thanks!

> > Commands and something extra:
> >
> > root@pinux:~# grep crypt /etc/fstab
> > /dev/mapper/m2_root_crypt   /                  ext4 errors=remount-ro 0 1
> > /dev/mapper/m2_swap_crypt   none               swap sw                0 0
> > /dev/mapper/ssd_dades_crypt /home/carles/dades ext4 errors=remount-ro 0 1
>
> Okay.
>
> > root@pinux:~# ls -l /dev/mapper/
> > total 0
> > crw------- 1 root root 10, 236 ago  1 23:34 control
> > lrwxrwxrwx 1 root root       7 ago  1 23:34 m2_root_crypt -> ../dm-0
> > lrwxrwxrwx 1 root root       7 ago  1 23:34 m2_swap_crypt -> ../dm-1
> > lrwxrwxrwx 1 root root       7 ago  1 23:34 ssd_dades_crypt -> ../dm-2
>
> Okay.
>
> > root@pinux:~# mount | grep dades
> > /dev/mapper/ssd_dades_crypt on /home/carles/dades type ext4 (rw,relatime,errors=remount-ro,data=ordered)
>
> Okay.
>
> Please run the following command to learn more about the device mapper
> nodes:
>
> # dmsetup info /dev/dm-*

root@pinux:~# dmsetup info /dev/dm-*
Name:              m2_root_crypt
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        1
Event number:      0
Major, minor:      254, 0
Number of targets: 1
UUID: CRYPT-LUKS1-4e655198a11147b3985b4622af7a2b0f-m2_root_crypt

Name:              m2_swap_crypt
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        2
Event number:      0
Major, minor:      254, 1
Number of targets: 1
UUID: CRYPT-LUKS1-564856408a04403191d46f1620cc2c9e-m2_swap_crypt

Name:              ssd_dades_crypt
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        1
Event number:      0
Major, minor:      254, 2
Number of targets: 1
UUID: CRYPT-LUKS1-8d1d855d17a74cf2b29486172e407e35-ssd_dades_crypt

I can't see anything obviously wrong.

Since the last emails here I've kept investigating. Quick overview if
someone is interested here (and let me know if it's something else!).

After booting keyctl has this:

root@pinux:~# keyctl show
Session Keyring
 479651357 --alswrv      0 65534  keyring: _uid_ses.0
 712333474 --alswrv      0 65534   \_ keyring: _uid.0
 711077095 --alswrv      0     0       \_ user: cryptsetup
root@pinux:~#

See the cryptsetup line. This is what would make systemd able to
mount/umount without asking for the passphrase and I can just boot and do:

systemctl stop systemd-cryptsetup@ssd_dades_crypt.service
systemctl start systemd-cryptsetup@ssd_dades_crypt.service

if the cryptsetup line is still there (it lasts I think 2.5 minutes) the
second systemctl line is mounting the partition without me entering the
password.

But the initial passwords are entered to initrd /lib/cryptsetup/askpass
using plymouth for the password "asking" backend (not systemd related) and
actually if I boot with init=/bin/bash or break=init I would have the two
(root and swap) partitions mounted but no "dades" partition mounted nor
anything in keyctl show.

So still a mystery how this is added there: by who, etc.

Any clues (or "you missed this obvious thing") are very welcome!

Cheers,

-- 
Carles Pina i Estany
Web: http://pinux.info || Blog: http://pintant.cat
GPG Key 0x8CD5C157
Re: luks, crypttab: why 3 partition only 2 passphrases entered
On 08/02/2018 12:07 AM, Carles Pina i Estany wrote:
> On Aug/01/2018, David Christensen wrote:
> > On 08/01/2018 03:47 PM, Carles Pina i Estany wrote:
> > > I have a Debian Stretch and recently I added a new cyphered partition.
> > > All works well but I don't understand why and it's bothering me.
> > >
> > > Setup:
> > > $ cat /etc/crypttab
> > > m2_root_crypt UUID=4e655198-a111-... none luks,discard
> > > m2_swap_crypt UUID=56485640-8a04-... none luks,discard
> > > ssd_dades_crypt UUID=8d1d855d-17a7-... none luks,discard
> > >
> > > All three partitions have the same passphrase.
> > >
> > > On restart I'm asked for two passwords:
> > > m2_root_crypt
> > > m2_swap_crypt
...
> > > The question is:
> > > "Please unlock disk m2_root_crypt:"
> > >
> > > I expected to write the password three times.
> >
> > My guess is that you made a mistake and stepped on your encrypted
> > container (ssd_dades_crypt?) when you created the new file system.
> > Did you keep a copy of your console session? Posting it would help.
>
> Sadly I didn't keep a copy of my console session.

I got into the habit of cutting and pasting administrative console
sessions into a log file (and putting the log file into a version control
system). This technique has proven to be invaluable -- I recommend it to
everyone.

> Commands and something extra:
>
> root@pinux:~# grep crypt /etc/fstab
> /dev/mapper/m2_root_crypt   /                  ext4 errors=remount-ro 0 1
> /dev/mapper/m2_swap_crypt   none               swap sw                0 0
> /dev/mapper/ssd_dades_crypt /home/carles/dades ext4 errors=remount-ro 0 1

Okay.

> root@pinux:~# ls -l /dev/mapper/
> total 0
> crw------- 1 root root 10, 236 ago  1 23:34 control
> lrwxrwxrwx 1 root root       7 ago  1 23:34 m2_root_crypt -> ../dm-0
> lrwxrwxrwx 1 root root       7 ago  1 23:34 m2_swap_crypt -> ../dm-1
> lrwxrwxrwx 1 root root       7 ago  1 23:34 ssd_dades_crypt -> ../dm-2

Okay.

> root@pinux:~# mount | grep dades
> /dev/mapper/ssd_dades_crypt on /home/carles/dades type ext4 (rw,relatime,errors=remount-ro,data=ordered)

Okay.

Please run the following command to learn more about the device mapper
nodes:

# dmsetup info /dev/dm-*

David
Re: luks, crypttab: why 3 partition only 2 passphrases entered
Carles Pina i Estany wrote:
> Any more ideas please let me know

I stopped using systemd as init process - perhaps you try to boot with
init as proc 1 and see if you are asked 2 or 3 times, my bet would be 3
times.

regards
Re: luks, crypttab: why 3 partition only 2 passphrases entered
Hi,

On Aug/01/2018, David Christensen wrote:
> On 08/01/2018 03:47 PM, Carles Pina i Estany wrote:
> > The question is:
> > "Please unlock disk m2_root_crypt:"
> >
> > I expected to write the password three times.
>
> Given your crypttab, above, I agree that you should have to enter three
> passphrases.

I've been investigating and I'm still puzzled. The findings can be resumed:

a) If I boot the kernel with break=premount and then execute
/scripts/local-top/cryptroot: I need to enter the passphrase three times
as expected instead of two. For the last one I see the prompt a bit
different, in bold (probably comes from systemd?).

b) If I boot the kernel with the parameter "debug" and then I execute
journalctl I can see:

"""
ago 02 23:30:05 pinux systemd-cryptsetup[498]: Added key to keyring as 604875905.
"""

And if I execute keyctl show:

root@pinux:~# keyctl show
Session Keyring
 935647640 --alswrv      0 65534  keyring: _uid_ses.0
 575581655 --alswrv      0 65534   \_ keyring: _uid.0
 604875905 --alswrv      0     0       \_ user: cryptsetup
root@pinux:~#

If I wait a bit (more than 90 seconds was the default timeout?):

root@pinux:~# keyctl show
Session Keyring
 935647640 --alswrv      0 65534  keyring: _uid_ses.0
 575581655 --alswrv      0 65534   \_ keyring: _uid.0
root@pinux:~#

But I thought that keyrings were only used by decrypt_keyctl in
/etc/crypttab? Where is this added? My initrd doesn't have keyctl
installed.

All of this might be a red herring...

Any more ideas please let me know,

-- 
Carles Pina i Estany
Web: http://pinux.info || Blog: http://pintant.cat
GPG Key 0x8CD5C157
Re: luks, crypttab: why 3 partition only 2 passphrases entered
Hi,

On Aug/02/2018, Matthew Crews wrote:
> On 8/1/18 3:47 PM, Carles Pina i Estany wrote:
> >
> > Hi,
> >
> > I have a Debian Stretch and recently I added a new cyphered partition.
> > All works well but I don't understand why and it's bothering me.
>
> *snip*
>
> > A question would be:
> > a) How to enter the passphrase only once?
> > b) When/where (scripts) and how is the passphrase stored?
>
> a) Short version:
>
> Use LVM to set up your partitions. This can be done in the installer.
> Have your overall hierarchy look like this:

I might do it another time - it's just that I'm more familiar (for when
things go wrong, and only because I have more experience) with usual
partitions and not LVM, and they serve my purpose. As said, I might use
LVM another time :-)

I was asking "how to enter the passphrase only once" only to understand
why I'm entering it twice and not three times :-)

[...]

> b) Read the manpage for cryptsetup. It has everything you need to
> understand how LUKS encryption works.

When I read it and also the initrd scripts I didn't understand why I need
to type it twice only when I was expecting three times... if I need to
read again some specific section let me know. I'll have another look just
in case.

Thanks for the other information! It might be handy at some point! :-)

-- 
Carles Pina i Estany
Web: http://pinux.info || Blog: http://pintant.cat
GPG Key 0x8CD5C157
Re: luks, crypttab: why 3 partition only 2 passphrases entered
Hi,

On Aug/01/2018, David Christensen wrote:
> On 08/01/2018 03:47 PM, Carles Pina i Estany wrote:
> > Hi,
>
> Hello. :-)
>
> > I have a Debian Stretch and recently I added a new cyphered partition.
> > All works well but I don't understand why and it's bothering me.
> >
> > Setup:
> > $ cat /etc/crypttab
> > m2_root_crypt UUID=4e655198-a111-... none luks,discard
> > m2_swap_crypt UUID=56485640-8a04-... none luks,discard
> > ssd_dades_crypt UUID=8d1d855d-17a7-... none luks,discard
> >
> > All three partitions have the same passphrase.
> >
> > On restart I'm asked for two passwords:
> > m2_root_crypt
> > m2_swap_crypt
>
> You should have set up your encrypted swap partition to use a random
> passphrase every boot. (A side benefit is that you never have to enter a
> passphrase for swap.)

Well, I thought "I might do it a later day" and "I can test hibernation
this way". I'm fine entering the password 3 times if needed, I don't
restart that often at all, I use suspend.

> The Debian Installer for Stretch put the following line in my crypttab:
>
> sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap

thanks I'll test it some day for fun :-)

> I changed the source device field to point to a path under
> /dev/disk/by-id so that my swap partition is found even if the
> /dev/sd* entries change (which can happen when I move or add disks):
>
> sda2_crypt /dev/disk/by-id/ata-INTEL_SSDSC2CW060A3_**-part2 /dev/urandom cipher=aes-xts-plain64,size=256,swap
>
> > The question is:
> > "Please unlock disk m2_root_crypt:"
> >
> > I expected to write the password three times.
>
> Given your crypttab, above, I agree that you should have to enter three
> passphrases.

this is what I'd like to know: why I need to enter the passphrase twice
and not three times.

> > My only theory is that after the root partition is deciphered it's also
> > mounted and then systemd-ask-password is used somehow (how?) and
> > --keyname= is used to "Configure a kernel keyring key name". I haven't
> > tested or seen scripts that do this.
> >
> > I'm reading initrd scripts/local-top/cryptroot and bin/cryptroot-unlock
> > (where I can see the string "Please unlock disk") and I don't see
> > anything like this happening. Maybe initrd lib/cryptsetup/askpass is
> > doing it?
> >
> > A question would be:
> > a) How to enter the passphrase only once?
> > b) When/where (scripts) and how is the passphrase stored?
> >
> > This is just to know as the system is working perfectly.
> >
> > Thanks for reading all of this!
>
> My guess is that you made a mistake and stepped on your encrypted
> container (ssd_dades_crypt?) when you created the new file system. Did
> you keep a copy of your console session? Posting it would help.

Sadly I didn't keep a copy of my console session.

> Please run the following commands and post your console session
> (substitute DIR with the directory where your new file system is mounted):
>
> # grep crypt /etc/fstab
>
> # ll /dev/mapper
>
> # mount | grep DIR

Commands and something extra:

root@pinux:~# grep crypt /etc/fstab
/dev/mapper/m2_root_crypt   /                  ext4 errors=remount-ro 0 1
/dev/mapper/m2_swap_crypt   none               swap sw                0 0
/dev/mapper/ssd_dades_crypt /home/carles/dades ext4 errors=remount-ro 0 1

root@pinux:~# ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 ago  1 23:34 control
lrwxrwxrwx 1 root root       7 ago  1 23:34 m2_root_crypt -> ../dm-0
lrwxrwxrwx 1 root root       7 ago  1 23:34 m2_swap_crypt -> ../dm-1
lrwxrwxrwx 1 root root       7 ago  1 23:34 ssd_dades_crypt -> ../dm-2

root@pinux:~# mount | grep DIR
root@pinux:~# mount | grep dades
/dev/mapper/ssd_dades_crypt on /home/carles/dades type ext4 (rw,relatime,errors=remount-ro,data=ordered)

root@pinux:~# free -m
              total        used        free      shared  buff/cache   available
Mem:          11711         969        8622         142        2119       10286
Swap:         12285           0       12285

root@pinux:~# cat /proc/swaps
Filename                                Type            Size    Used    Priority
/dev/dm-1                               partition       12580860        0       -1

root@pinux:~# lsblk
NAME                MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                   8:0    0   477G  0 disk
└─sda1                8:1    0   477G  0 part
  └─ssd_dades_crypt 254:2    0   477G  0 crypt /home/carles/dades
sdb                   8:16   0   477G  0 disk
├─sdb1                8:17   0   190M  0 part  /boot
├─sdb2                8:18   0     1K  0 part
├─sdb5                8:21   0    12G  0 part
│ └─m2_swap_crypt   254:1    0    12G  0 crypt [SWAP]
└─sdb6                8:22   0 464,8G  0 part
  └─m2_root_crypt   254:0    0 464,8G  0 crypt /

As said, I just want to understand why I'm typing it twice and not three
times :)

Thanks for any ideas!

-- 
Carles Pina i Estany
Web: h
Re: luks, crypttab: why 3 partition only 2 passphrases entered
On 08/01/2018 03:47 PM, Carles Pina i Estany wrote:
> Hi,

Hello. :-)

> I have a Debian Stretch and recently I added a new cyphered partition.
> All works well but I don't understand why and it's bothering me.
>
> Setup:
> $ cat /etc/crypttab
> m2_root_crypt UUID=4e655198-a111-... none luks,discard
> m2_swap_crypt UUID=56485640-8a04-... none luks,discard
> ssd_dades_crypt UUID=8d1d855d-17a7-... none luks,discard
>
> All three partitions have the same passphrase.
>
> On restart I'm asked for two passwords:
> m2_root_crypt
> m2_swap_crypt

You should have set up your encrypted swap partition to use a random
passphrase every boot. (A side benefit is that you never have to enter a
passphrase for swap.)

The Debian Installer for Stretch put the following line in my crypttab:

sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap

I changed the source device field to point to a path under
/dev/disk/by-id so that my swap partition is found even if the /dev/sd*
entries change (which can happen when I move or add disks):

sda2_crypt /dev/disk/by-id/ata-INTEL_SSDSC2CW060A3_**-part2 /dev/urandom cipher=aes-xts-plain64,size=256,swap

> The question is:
> "Please unlock disk m2_root_crypt:"
>
> I expected to write the password three times.

Given your crypttab, above, I agree that you should have to enter three
passphrases.

> My only theory is that after the root partition is deciphered it's also
> mounted and then systemd-ask-password is used somehow (how?) and
> --keyname= is used to "Configure a kernel keyring key name". I haven't
> tested or seen scripts that do this.
>
> I'm reading initrd scripts/local-top/cryptroot and bin/cryptroot-unlock
> (where I can see the string "Please unlock disk") and I don't see
> anything like this happening. Maybe initrd lib/cryptsetup/askpass is
> doing it?
>
> A question would be:
> a) How to enter the passphrase only once?
> b) When/where (scripts) and how is the passphrase stored?
>
> This is just to know as the system is working perfectly.
>
> Thanks for reading all of this!

My guess is that you made a mistake and stepped on your encrypted
container (ssd_dades_crypt?) when you created the new file system. Did
you keep a copy of your console session? Posting it would help.

Please run the following commands and post your console session
(substitute DIR with the directory where your new file system is mounted):

# grep crypt /etc/fstab

# ll /dev/mapper

# mount | grep DIR

David
Re: luks, crypttab: why 3 partition only 2 passphrases entered
On 8/1/18 3:47 PM, Carles Pina i Estany wrote:
>
> Hi,
>
> I have a Debian Stretch and recently I added a new cyphered partition.
> All works well but I don't understand why and it's bothering me.

*snip*

> A question would be:
> a) How to enter the passphrase only once?
> b) When/where (scripts) and how is the passphrase stored?

a) Short version:

Use LVM to set up your partitions. This can be done in the installer.
Have your overall hierarchy look like this:

Raw disk (/dev/sda)
  |
LUKS partition (/dev/sdaX) + /boot partition (likely /dev/sda1)
  |
LVM Physical Volume (/dev/LVM)
  |
LVM Logical Volumes (/dev/LVM/root mounted as /, and /dev/LVM/swap mounted as /swap)

Long version:

Here is an example of how an encrypted LVM partition can look. We will
look at how I have it set up. First, output of lsblk:

matthew@matt-tower:~$ lsblk /dev/sda
NAME                  MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                     8:0    0 465.8G  0 disk
├─sda1                  8:1    0 953.7M  0 part  /boot
├─sda2                  8:2    0     1K  0 part
└─sda5                  8:5    0 464.8G  0 part
  └─sda5_crypt        254:0    0 464.8G  0 crypt
    ├─root--swap-root 254:1    0   447G  0 lvm   /
    └─root--swap-swap 254:2    0  17.8G  0 lvm   [SWAP]

sda1 is /boot (necessary as encrypted /boot is not really possible right
now), sda2 is an unused 1K partition (necessary due to partitioning
oddities, don't worry about it), and sda5 is my actual encrypted
partition. sda5 then has a LUKS encrypted partition called sda5_crypt.
Within the LUKS partition is an LVM group called root-swap, which we can
see when we run pvdisplay:

matthew@matt-tower:~$ sudo pvdisplay
  --- Physical volume ---
  PV Name               /dev/mapper/sda5_crypt
  VG Name               root-swap
  PV Size               464.83 GiB / not usable 2.00 MiB
  Allocatable           yes (but full)
  PE Size               4.00 MiB
  Total PE              118995
  Free PE               0
  Allocated PE          118995
  PV UUID               XX------XX

Within this LVM group are two sub partitions, which act as my /root and
/swap partitions.

matthew@matt-tower:~$ sudo lvdisplay
  --- Logical volume ---
  LV Path                /dev/root-swap/root
  LV Name                root
  VG Name                root-swap
  LV UUID                XX------XX
  LV Write Access        read/write
  LV Creation host, time matt-tower, 2018-06-25 10:24:13 -0700
  LV Status              available
  # open                 1
  LV Size                447.04 GiB
  Current LE             114441
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           254:1

  --- Logical volume ---
  LV Path                /dev/root-swap/swap
  LV Name                swap
  VG Name                root-swap
  LV UUID                XX------XX
  LV Write Access        read/write
  LV Creation host, time matt-tower, 2018-06-25 10:24:19 -0700
  LV Status              available
  # open                 2
  LV Size                17.79 GiB
  Current LE             4554
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           254:2

Lastly, the output of my /etc/crypttab and /etc/fstab

matthew@matt-tower:~$ cat /etc/crypttab
sda5_crypt UUID=ea2034e1-c550-466c-b9a4-61c40f0891b6 none luks

matthew@matt-tower:~$ cat /etc/fstab
# /dev/mapper/root--swap-root /     ext4 discard,errors=remount-ro 0 1
# /boot was on /dev/sda1 during installation
UUID=5c24b6a3-f1ec-42b7-9d03-251295853167 /boot ext2 noatime,nodiratime 0 2
/dev/mapper/root--swap-swap none swap sw 0 0

Here is the overall hierarchy:

Raw disk (/dev/sda)
  |
LUKS partition (/dev/sda5)
  |
LVM Physical Volume (/dev/root-swap)
  |
LVM Logical Volumes (/dev/root-swap/root mounted as /, and /dev/root-swap/swap mounted as /swap)

At boot time, /boot is automatically mounted, and when it is time to
mount /, it will ask for the LUKS partition password. Once unlocked, it
will mount the LVM physical volume, then subsequently mount both LVM
logical volumes in one swoop. One password for two logical partitions.

b) Read the manpage for cryptsetup. It has everything you need to
understand how LUKS encryption works.

Cheers,
-Matt
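The three crypttab layouts in this thread (Carles's three `none luks` entries, David's `/dev/urandom` swap line, Matthew's single LVM-on-LUKS entry) each imply a different number of passphrase prompts, and that can be predicted from the file alone. The following is an added example, not Debian's, systemd's or any poster's code: a crypttab(5) parser that classifies how each volume gets its key, counts the prompts to expect when nothing caches passphrases, and flags combinations that cannot work. The decrypt_keyctl rule (entries whose key field names the same cache identifier prompt once) is that Debian keyscript's documented behaviour; the two-entry decrypt_keyctl crypttab is constructed for the test, and the function names are this example's own. Runtime caching by plymouth or systemd's kernel keyring, as the thread found, can bring the real count below the prediction.

```python
"""Predict the interactive passphrase prompts a crypttab(5) file implies.

Added example for this thread, not code from Debian, systemd or any poster.
Rules: key field "none"/"-" = interactive prompt; /dev/urandom or
/dev/random = fresh random key each boot (no prompt); other path = key
file; keyscript= hands the key field to that script, and decrypt_keyctl
treats it as a cache identifier, so entries sharing one prompt once.
"""
import os
from typing import Dict, List, NamedTuple


class CryptEntry(NamedTuple):
    name: str
    source: str
    key: str
    options: List[str]


def parse_crypttab(text: str) -> List[CryptEntry]:
    """Split lines into (name, source, key-file, options); comments and blanks skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {raw!r}")
        key = fields[2] if len(fields) > 2 else "none"
        options = fields[3].split(",") if len(fields) > 3 else []
        entries.append(CryptEntry(fields[0], fields[1], key, options))
    return entries


def unlock_method(entry: CryptEntry) -> str:
    """Classify how the volume gets its key: prompt, random, keyfile or keyscript:<name>."""
    for opt in entry.options:
        if opt.startswith("keyscript="):
            return "keyscript:" + os.path.basename(opt.split("=", 1)[1])
    if entry.key in ("none", "-"):
        return "prompt"
    if entry.key in ("/dev/urandom", "/dev/random"):
        return "random"
    return "keyfile"


def expected_prompts(entries: List[CryptEntry]) -> int:
    """Count prompts assuming nothing caches passphrases between entries."""
    prompts, keyctl_ids = 0, set()
    for e in entries:
        method = unlock_method(e)
        if method == "prompt":
            prompts += 1
        elif method == "keyscript:decrypt_keyctl" and e.key not in keyctl_ids:
            keyctl_ids.add(e.key)  # same identifier: passphrase reused from the keyring
            prompts += 1
    return prompts


def config_warnings(entries: List[CryptEntry]) -> Dict[str, List[str]]:
    """Flag combinations that cannot unlock or that silently destroy data."""
    warnings: Dict[str, List[str]] = {}
    for e in entries:
        problems = []
        method = unlock_method(e)
        if method == "random" and "luks" in e.options:
            problems.append("a random key cannot open a LUKS header; use 'none' or drop 'luks'")
        if method == "random" and not ({"swap", "tmp"} & set(e.options)):
            problems.append("random key wipes the volume every boot; expected only with 'swap' or 'tmp'")
        if method == "keyfile" and not e.key.startswith("/"):
            problems.append("key file path should be absolute")
        if problems:
            warnings[e.name] = problems
    return warnings


# crypttab from the thread's original post: three prompts expected
CARLES_CRYPTTAB = """\
m2_root_crypt UUID=4e655198-a111-... none luks,discard
m2_swap_crypt UUID=56485640-8a04-... none luks,discard
ssd_dades_crypt UUID=8d1d855d-17a7-... none luks,discard
"""
# David's random-key swap line (plain dm-crypt, not LUKS): no prompt
DAVID_CRYPTTAB = "sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap\n"
# Matthew's LVM-on-LUKS layout: one prompt unlocks root and swap
MATTHEW_CRYPTTAB = "sda5_crypt UUID=ea2034e1-c550-466c-b9a4-61c40f0891b6 none luks\n"
# Constructed: two volumes sharing one decrypt_keyctl cache identifier
KEYCTL_CRYPTTAB = """\
root_crypt UUID=PLACEHOLDER-ROOT shared_id luks,keyscript=decrypt_keyctl
data_crypt UUID=PLACEHOLDER-DATA shared_id luks,keyscript=decrypt_keyctl
"""

if __name__ == "__main__":
    for label, text in (("carles", CARLES_CRYPTTAB), ("david", DAVID_CRYPTTAB),
                        ("matthew", MATTHEW_CRYPTTAB), ("keyctl", KEYCTL_CRYPTTAB)):
        entries = parse_crypttab(text)
        print(label, [(e.name, unlock_method(e)) for e in entries],
              "prompts:", expected_prompts(entries), config_warnings(entries))
```

Point it at a real file with `parse_crypttab(open("/etc/crypttab").read())`; a predicted count higher than what you see at boot is the situation Carles describes, and the difference is made up by cached passphrases rather than by anything in the file.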
luks, crypttab: why 3 partition only 2 passphrases entered
Hi,

I have a Debian Stretch and recently I added a new cyphered partition.
All works well but I don't understand why and it's bothering me.

Setup:
$ cat /etc/crypttab
m2_root_crypt UUID=4e655198-a111-... none luks,discard
m2_swap_crypt UUID=56485640-8a04-... none luks,discard
ssd_dades_crypt UUID=8d1d855d-17a7-... none luks,discard

All three partitions have the same passphrase.

On restart I'm asked for two passwords:
m2_root_crypt
m2_swap_crypt

The question is:
"Please unlock disk m2_root_crypt:"

I expected to write the password three times.

My only theory is that after the root partition is deciphered it's also
mounted and then systemd-ask-password is used somehow (how?) and
--keyname= is used to "Configure a kernel keyring key name". I haven't
tested or seen scripts that do this.

I'm reading initrd scripts/local-top/cryptroot and bin/cryptroot-unlock
(where I can see the string "Please unlock disk") and I don't see
anything like this happening. Maybe initrd lib/cryptsetup/askpass is
doing it?

A question would be:
a) How to enter the passphrase only once?
b) When/where (scripts) and how is the passphrase stored?

This is just to know as the system is working perfectly.

Thanks for reading all of this!

-- 
Carles Pina i Estany
Web: http://pinux.info || Blog: http://pintant.cat
GPG Key 0x8CD5C157