On Wed, 2020-10-14 at 23:50 +0200, Carlos E.R. wrote:

On 14/10/2020 23.42, tomas.kuchta.lists@gmail.com wrote:


I observe the same "annoying" behavior - having to enter disk encryption 
password two times - in grub and at swap activation during boot.
My install is default Leap 15.2 install with encrypted disk (default = 2 
encrypted partitions = btrfs file system + swap)

I have never questioned it as I thought that this is unavoidable in 
openSuSE - and assumed that the other distro's which do not need this 
are cutting some security corners for the sake of convenience.

Now that you remind me how annoying this actually is - I might get rid 
off swap partition altogether and setup swap file (with disabled COW) 
instead. It will cost performance, but it really bothers me to watch the 
laptop boot every time.


The trick I mentioned before solves or bypasses this issue for me.

I was not aware that systemd should cache it.

Storing swap key in encrypted root partition seems OK workaround - though not configurable at install.

Perhaps with different, even unknown, encryption password to avoid exposing swap+root partition key file in backups or multi user or compromised situations.

Though - me re-thinks - if this is suppose to work with single password entry out of the box - it may be worth digging in a little and submitting a bug report.

Thanks for suggesting the keyfile.

Tomas