LinuxQuestions.org


JacekZ 10-11-2019 04:51 PM

Debian 10: two encrypted disks with one password - entered only once?
 
Hi folks

I installed buster on one encrypted drive using the built-in installer, and later added another one using:
- cryptsetup and
- mount
and by editing
- /etc/crypttab and
- /etc/fstab

I gave both encrypted drives the same passphrase.

Buster's installation guide 7.2 says:
"you will be asked to enter the passphrase for each of these volumes during the boot"

So I'd expect to enter the passphrase twice, and indeed, this stackexchange item says how you have to work around things to only have to enter the password once.

But what's happening is that I only have to enter the password once with no work-around required.

At risk of sounding like complaining that this is too good to be true, does anyone know how this is possible? Have I done something wrong? Has Buster been improved in some undocumented way / documented somewhere else? I've done quite a bit of reading around this and can find nothing to explain.

Thanks.

ondoho 10-13-2019 04:59 AM

Maybe the system is set up to try decrypt_keyctl first, ootb?

JacekZ 10-13-2019 07:38 AM

Well maybe, maybe.
Looking at https://gitlab.com/cryptsetup/crypts...0-ReleaseNotes starting line 347, I can see what looks like saying that a passphrase can be stored in the kernel keyring if a cryptsetup token is set first. But is it? I didn't. And if it is set automatically, perhaps by the installer, does it work across drives? The manpage for cryptsetup echoes that tokens work across all keyslots but doesn't say if that means all slots per drive, or all across all drives. I'm still none the wiser.

ondoho 10-14-2019 01:59 AM

You could show us the files in question.
You could read the documentation and see what it says about built-in defaults or some such.

rknichols 10-14-2019 09:00 AM

I know that systems in the Red Hat family have, for years, tried any manually entered passphrase against all devices for which /etc/crypttab specifies a manual passphrase. That's actually pretty important since the passphrase dialog popup(s) during boot somehow neglect to mention the device for which a passphrase is being demanded.
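
One way to inspect the file the thread keeps coming back to, as an added example that is not part of any post above: a small Python parser that groups `/etc/crypttab` entries by how each volume gets its key, so entries that prompt for a passphrase can be told apart from ones using the `decrypt_keyctl` keyscript. The sample file, device names and the `shared_pw` identifier are constructed; it assumes the documented four-field crypttab layout and that, with `decrypt_keyctl`, the third field is the identifier under which the passphrase is cached.

```python
import os
from collections import defaultdict

# Constructed sample, not the poster's actual /etc/crypttab.
SAMPLE_CRYPTTAB = """\
# <target name> <source device> <key file> <options>
sda5_crypt UUID=1111-constructed none luks,discard
data_crypt UUID=2222-constructed none luks
backup_a   /dev/sdc1 shared_pw luks,keyscript=decrypt_keyctl
backup_b   /dev/sdd1 shared_pw luks,keyscript=decrypt_keyctl
swap_crypt /dev/sde2 /dev/urandom swap,cipher=aes-xts-plain64,size=256
"""

def parse_crypttab(text):
    """Return one dict per entry: target, source, keyfile, options."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        fields = line.split()
        if len(fields) < 2:
            continue                      # malformed: needs target and source
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = {}
        for opt in (fields[3].split(",") if len(fields) > 3 else []):
            name, _, value = opt.partition("=")
            options[name] = value         # flags such as "luks" map to ""
        entries.append({"target": fields[0], "source": fields[1],
                        "keyfile": keyfile, "options": options})
    return entries

def unlock_method(entry):
    """Classify an entry as prompt, keyfile, keyctl (cached) or other keyscript."""
    script = os.path.basename(entry["options"].get("keyscript", ""))
    if script == "decrypt_keyctl":
        return ("keyctl", entry["keyfile"])   # third field is the cache identifier
    if script:
        return ("keyscript", script)
    if entry["keyfile"] in ("none", "-"):     # "-" is the systemd spelling of "none"
        return ("prompt", None)
    return ("keyfile", entry["keyfile"])

def group_by_method(entries):
    """Map (method, detail) -> list of target names, in file order."""
    groups = defaultdict(list)
    for entry in entries:
        groups[unlock_method(entry)].append(entry["target"])
    return dict(groups)

if __name__ == "__main__":
    for (method, detail), targets in group_by_method(parse_crypttab(SAMPLE_CRYPTTAB)).items():
        print(f"{method:9} {detail or '-':14} {', '.join(targets)}")
```

Pointed at the real file's contents, more than one target in the `prompt` group means any single-prompt behaviour comes from the boot tooling rather than from crypttab itself.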


All times are GMT -5.