Unlocking several LUKS volume groups at boot with one passphrase
My latest Slackware install was installed to several LUKS volume groups. Everything unlocks and mounts properly at boot, but the issue is that despite using the same passphrase I must enter that passphrase for each volume group to be unlocked. Ideally, I'd like to enter the passphrase once and have all of these devices unlock without more prompts.
Excuse me if I overlooked prior posts on the topic, but the only advice I'm finding on LQ and elsewhere recommends /etc/crypttab, which I understand to be a feature of systemd distros only. So what is the Slackware Way to unlock multiple devices at boot using a single passphrase? I'm currently using elilo and would prefer to avoid grub if it can be avoided. |
You can use /etc/crypttab without a problem on Slackware, too.
|
Oh! That changes everything. (I wonder why there is no man page for crypttab(5)?)
Now if I understand the general approach with /etc/crypttab, the goal is to enter the passphrase for the root (/) device which will contain a keyfile which will be used to unlock the remaining drives in crypttab without prompting me. Do I understand correctly? This is somewhat different than my original goal of trying to temporarily cache the passphrase at boot but the result would be the same. |
I'm at work right now and cannot see my laptop's configuration, but you should be able to use a keyfile or a passphrase, whichever you like, AFAIR. Not sure if Slackware current and 14.2 might differ with regard to that. Maybe someone else steps in; I will not be able to post my stuff before 18:00 CET, unfortunately.
|
Just checked the source: Give a password in plain text or the name of a keyfile. Use the keyword "none" to interactively input a password. This seems to be the same for current and 14.2. See https://mirrors.slackware.com/slackw...s/scripts/rc.S :)
|
After mounting your main encrypted partition defined in /etc/crypttab, you can also mount other encrypted partitions in /etc/rc.d/rc.local using a key file. For example, if you have an encrypted partition on sdb1 and you want to mount it under /data:
Code:
# /etc/rc.d/rc.local
# unlock sdb1 with the key file, then mount it (the fstab entry is noauto)
cryptsetup --key-file=/home/user/cryptdata.key luksOpen /dev/sdb1 cryptdata
mount /data

# /etc/fstab
/dev/mapper/cryptdata /data ext4 defaults,noauto 1 2
BTW I found that Slackware is the only distribution which handles the password prompt in /etc/crypttab correctly. I can enter a password after an hour and it will work. With other systems, if I wait too long (one or two minutes) before entering the password, the system won't boot and I am dropped to a recovery shell. I suspect that this is due to systemd running other things in parallel, but I have no evidence. |
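The two replies above describe how the third field of a Slackware /etc/crypttab line is treated ("none" for a prompt, a keyfile path, or a plain-text password) and how a keyfile is then used from rc.local. The script below is an added example for this thread, not code from Slackware's rc.S or from any poster: it walks crypttab lines in that shape and prints the cryptsetup command each one implies instead of running it, refusing any keyfile that group or other can read. The sample crypttab, UUIDs and the /tmp keyfiles it builds are constructed for the demo; the options column is not interpreted, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example for this thread, not code from Slackware's rc.S or from any
# poster: a dry-run interpreter for /etc/crypttab lines in the shape rc.S
# reads them,
#     <name> <device> <key> [options]
# where <key> is "none" (prompt on the console), the path of a keyfile, or a
# password in plain text. Instead of running cryptsetup it prints the command
# each line implies, and it refuses a keyfile that group or other can read.
# Options are not interpreted here (that is rc.S's job). Needs GNU stat.

# Return 0 when $1 is a regular file with no group/other permission bits
# (0400, 0600, ...). stat -c '%a' prints the mode in octal without leading
# zeros, so "400" and "4600" pass and "644" does not.
keyfile_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        ?00|??00) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print the cryptsetup invocation one crypttab line implies. Output is one of
#   prompt:   cryptsetup luksOpen <dev> <name>
#   keyfile:  cryptsetup --key-file=<path> luksOpen <dev> <name>
#   password: printf '%s' '<redacted>' | cryptsetup --key-file=- luksOpen <dev> <name>
#   refused:  <reason>
# and the return status is 1 for refused or malformed lines.
crypttab_plan() {
    line=$1
    case "$line" in ''|'#'*) return 0 ;; esac      # blank line or comment
    set -- $line                                   # split on whitespace
    if [ $# -lt 2 ]; then
        echo "refused:  malformed line '$line'"
        return 1
    fi
    name=$1; dev=$2; key=${3:-none}
    case "$key" in
        none)
            echo "prompt:   cryptsetup luksOpen $dev $name"
            ;;
        /*)
            if keyfile_is_private "$key"; then
                echo "keyfile:  cryptsetup --key-file=$key luksOpen $dev $name"
            else
                echo "refused:  keyfile $key is missing or readable by group/other"
                return 1
            fi
            ;;
        *)
            # A literal password avoids the prompt but is only as secret as the
            # file it sits in. It is never echoed here, and the command feeds it
            # over stdin rather than on argv, where ps would show it.
            echo "password: printf '%s' '<redacted>' | cryptsetup --key-file=- luksOpen $dev $name"
            ;;
    esac
}

# Plan a whole file, stopping at the first line that is refused.
crypttab_plan_file() {
    while IFS= read -r l || [ -n "$l" ]; do
        crypttab_plan "$l" || return 1
    done < "$1"
}

# Constructed demo: one prompt entry, one private keyfile, one keyfile left
# world-readable by mistake. Returns 1 because the third line is refused.
demo() {
    d=$(mktemp -d) || return 1
    head -c 64 /dev/urandom > "$d/good.key" && chmod 0400 "$d/good.key"
    head -c 64 /dev/urandom > "$d/bad.key"  && chmod 0644 "$d/bad.key"
    cat > "$d/crypttab" <<EOF
# name    device                                    key
cryptvg1  UUID=11111111-2222-3333-4444-555555555555 none
cryptvg2  UUID=66666666-7777-8888-9999-000000000000 $d/good.key
cryptvg3  UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee $d/bad.key
EOF
    crypttab_plan_file "$d/crypttab"
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Running `demo` prints the prompt and keyfile commands for the first two lines and a "refused:" line for the third; the point of the permission check is that a keyfile on the root filesystem only protects the other volumes as well as root itself is protected, so it must not be readable by anyone but root once root is mounted.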
I really appreciate the helpful responses and pointers. The more I played with things, the more I realized my question was sparse on information. To make up for it I'll try to document what I ended up doing, since there are a few tricky points worth touching on for anyone who deals with an install as obtuse as mine.
For booting with elilo, I run mkinitrd this way
Code:
mkinitrd -c -k 5.4.18 -u -L -m ext4:algif_skcipher \
With root and swap unlocked, now I can make life a little easier. I went with the common advice of generating a random key file and using it to add an additional key to the LUKS header of each of the devices I unlock with /etc/crypttab, e.g., /home and external hard drives.
Code:
cryptvg2 UUID=<some long uuid> /root/lukskey
So in the end, I save myself from needlessly typing a passphrase for each device added to crypttab but can't save myself from wastefully entering it a second time to unlock swap. So ends my small encrypted partition journey. |
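The post above summarizes the procedure (random key file on the encrypted root, added as an extra key to each device's LUKS header, referenced from a crypttab line) without showing the steps. The script below is an added example, not the poster's own script: it creates the key file so that it is never readable by anyone but its owner, checks it before use, enrolls it with luksAddKey, and prints the crypttab line using the device UUID. It assumes what the thread describes, namely that /root sits on the encrypted root volume that is unlocked with the passphrase first; the functions that touch a real device need root, cryptsetup and blkid and are not exercised by the demo. GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not the poster's own script: create a random LUKS keyfile
# that only its owner can read, enroll it as an extra key slot on a device,
# and print the /etc/crypttab line that lets rc.S open that device without a
# prompt. Assumes the keyfile lives on the encrypted root filesystem (here
# /root/lukskey), which the passphrase unlocks first. cryptsetup and blkid
# (util-linux) are only needed by enroll_keyfile. Needs GNU stat.

KEY_BYTES=4096          # cryptsetup hashes the whole file as the passphrase

# Write $2 (default KEY_BYTES) random bytes to $1 with mode 0400. The file is
# created under umask 077 and renamed into place, so there is never a moment
# where it is readable by anyone else. Refuses to overwrite an existing file.
make_keyfile() {
    kf=$1; n=${2:-$KEY_BYTES}
    if [ -e "$kf" ]; then
        echo "make_keyfile: $kf already exists" >&2
        return 1
    fi
    old=$(umask); umask 077
    tmp="$kf.tmp.$$"
    if ! head -c "$n" /dev/urandom > "$tmp"; then
        rm -f "$tmp"; umask "$old"; return 1
    fi
    umask "$old"
    chmod 0400 "$tmp" && mv "$tmp" "$kf"
}

# Return 0 if $1 is exactly $2 bytes and has no group/other permission bits.
# Run this before enrolling, and again from rc.local if you want a guard
# against a key that was copied somewhere with looser permissions.
keyfile_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%s' "$1")" -eq "$2" ] || return 1
    case "$(stat -c '%a' "$1")" in
        ?00|??00) return 0 ;;
        *)        return 1 ;;
    esac
}

# Format a crypttab entry: <name> UUID=<uuid> <keyfile>. Using the UUID
# instead of /dev/sdX keeps the entry valid when devices are renumbered.
crypttab_entry() {
    printf '%s UUID=%s %s\n' "$1" "$2" "$3"
}

# The steps that need root and a real LUKS device (not run by the demo): add
# the keyfile to a free key slot (cryptsetup asks for an existing passphrase
# of that device), then print the crypttab line with the device's UUID.
enroll_keyfile() {
    dev=$1; name=$2; kf=$3
    keyfile_ok "$kf" "$KEY_BYTES" || { echo "enroll_keyfile: bad keyfile $kf" >&2; return 1; }
    cryptsetup luksAddKey "$dev" "$kf" || return 1
    uuid=$(blkid -s UUID -o value "$dev") || return 1
    crypttab_entry "$name" "$uuid" "$kf"
}

# Typical run, as root, after root (/) is already unlocked:
#   make_keyfile /root/lukskey
#   enroll_keyfile /dev/sdb1 cryptvg2 /root/lukskey >> /etc/crypttab
```

The same keyfile can be enrolled on every device listed in crypttab (one luksAddKey per device); each device keeps its original passphrase in another slot, so the keyfile is an addition, not a replacement, and `cryptsetup luksKillSlot` removes it again if the root volume is ever re-installed unencrypted.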