Re: [oS-EN] Question on full disk encription - trying it, need more eyes

20 Aug 2023

      -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Content-ID: <39a95a12-7b82-24d9-802b-d6b2e6264346@Laicolasse.valinor>

El 2023-03-28 a las 15:01 +0200, cagsm escribió:
...
On Tue, Mar 28, 2023 at 12:42 PM Carlos E. R. <...> wrote:
...
new laptop here, and I decided to install Leap 15.4 with full disk
encryption, no LVM (a feature I wanted to have for years, so I'm happy).
It asks for the password twice (contrary to my customs, I'm using plymouth).
It asks once before grub loads. Well, ok, there is no separate /boot, so
it has to read "/" which is encrypted. Nice.
But after selecting the boot entry in grub, it asks again. Once, despite
being 3 partitions ("/", "/boot" and swap). Ok.
doesnt the official opensuse pages state about the situation about
double entry of passphrases. i have double passphrase questionaire as
well with 15.4 fresh install via the propsed partition setup on a
notebook. btrfs or something and the snapshot filesystem stuff and
all. not expert though
...
<https://en.opensuse.org/SDB:Encrypted_root_file_system#Avoiding_to_type_the_passphrase_twice_in_Leap_and_Tumbleweed>
I finally took a chance to do this, but it is not working for me.

It is three partitions with the same password and the same key file.

Creation:

touch /.root.key
chmod 600 /.root.key
dd if=/dev/urandom of=/.root.key bs=1024 count=1

cryptsetup luksAddKey /dev/nvme0n1p3 /.root.key
cryptsetup luksAddKey /dev/nvme0n1p4 /.root.key
cryptsetup luksAddKey /dev/nvme0n1p2 /.root.key

Check:

Laicolasse:~ # ls -l /.root.key
- -rw------- 1 root root 1024 Aug 20 18:32 /.root.key
Laicolasse:~ #

Laicolasse:~ # lsblk --output NAME,KNAME,RA,RM,RO,PARTFLAGS,SIZE,TYPE,FSTYPE,LABEL,PARTLABEL,PTTYPE,MOUNTPOINT,UUID,PARTUUID,WWN,MODEL,ALIGNMENT > /tmp/p

NAME          KNAME      RA RM RO PARTFLAGS   SIZE TYPE  FSTYPE      LABEL     PARTLABEL PTTYPE MOUNTPOINT UUID                                 PARTUUID                             WWN                  MODEL                  ALIGNMENT
nvme0n1       nvme0n1   512  0  0           953.9G disk                                  gpt                                                                                         eui.8ce38e1000956753 KBG5AZNT1T02 LA KIOXIA         0
├─nvme0n1p1   nvme0n1p1 512  0  0             512M part  vfat        ESP                 gpt    /boot/efi  3EBE-58A3                            5a916363-34cb-4729-b825-8be7a4da7527 eui.8ce38e1000956753                                0
├─nvme0n1p2   nvme0n1p2 512  0  0             100G part  crypto_LUKS                     gpt               43662ac8-d98d-4b1a-a483-0f16e06b419c 28066fb6-919c-4922-a9a7-b0333af002ef eui.8ce38e1000956753                                0
│ └─cr-auto-1 dm-0      512  0  0             100G crypt ext4        Main                       /          858cc569-e2ae-4d12-adf6-3a06ade8281c                                                                                          0
├─nvme0n1p3   nvme0n1p3 512  0  0              40G part  crypto_LUKS                     gpt               d153e878-b32c-4a14-856e-cbc8c6101280 a87889fc-3ecf-43d3-9699-92967fbfe75f eui.8ce38e1000956753                                0
│ └─cr-auto-2 dm-2      512  0  0              40G crypt swap        Swap                       [SWAP]     55db7bff-8d71-4862-8e31-1c2a7fd52c9d                                                                                          0
├─nvme0n1p4   nvme0n1p4 512  0  0           716.8G part  crypto_LUKS                     gpt               253d3fd9-7f53-465a-85f9-1900b6b87a3c 08d2166d-aa90-46db-bc60-440c6005d3c3 eui.8ce38e1000956753                                0
│ └─cr-auto-3 dm-1      512  0  0           716.8G crypt xfs         Home                       /home      149fc869-e7e8-46c8-b6c9-2a773d49880e                                                                                          0
├─nvme0n1p5   nvme0n1p5 512  0  0              50G part  ext4        Beta                gpt    /Other     c2c74f2c-abc4-4f3b-b55e-1afc82dfeedf f6c33ec1-8abe-439a-9ce1-7f20be8914b5 eui.8ce38e1000956753                                0
└─nvme0n1p6   nvme0n1p6 512  0  0              25G part  swap        PlainSwap           gpt               198840e4-54cd-4d2d-83ac-b5009b01f5e0 b98447ab-603a-4369-a71d-c4e1273bc511 eui.8ce38e1000956753                                0

Laicolasse:~ # cat /etc/crypttab
# nvme0n1p4, Main
# nvme0n1p3 Swap
# nvme0n1p2 Home
cr-auto-3  UUID=253d3fd9-7f53-465a-85f9-1900b6b87a3c	/.root.key
cr-auto-2  UUID=d153e878-b32c-4a14-856e-cbc8c6101280	/.root.key
cr-auto-1  UUID=43662ac8-d98d-4b1a-a483-0f16e06b419c	/.root.key  x-initrd.attach
Laicolasse:~ #

The "x-initrd.attach" keyword was already there.

The one that I'm getting prompted to enter the password for is cr-auto-3,
swap partition. I tried adding x-initrd.attach to the second line, no
difference.

Laicolasse:~ # cat /etc/dracut.conf.d/99-root-key.conf
install_items+=" /.root.key "
Laicolasse:~ #

Laicolasse:~ # tail /etc/permissions.local

# All disk partitions encryption <https://en.opensuse.org/SDB:Encrypted_root_file_system#Avoiding_to_type_the_passphrase_twice_in_Leap_and_Tumbleweed>
/boot/ root:root 750
Laicolasse:~ #

dracut -f

Also did mkinitrd.

Ideas?

If some data is missing, just ask.

Using Leap 15.5.

- --
Cheers
        Carlos E. R.

        (from openSUSE 15.5 (Laicolasse))
-----BEGIN PGP SIGNATURE-----

iHoEARECADoWIQQZEb51mJKK1KpcU/W1MxgcbY1H1QUCZOJXdBwccm9iaW4ubGlz
dGFzQHRlbGVmb25pY2EubmV0AAoJELUzGBxtjUfVRtEAnRNV226d1rk/4slt8mTZ
IehFNrp2AJ0eU12AiGIHh0IJVvMJUOf//l+miA==
=XjF7
-----END PGP SIGNATURE-----