Hi,
On Aug/01/2018, David Christensen wrote:
> On 08/01/2018 03:47 PM, Carles Pina i Estany wrote:
> > Hi,
>
> Hello. :-)
>
> > I have a Debian Stretch and recently I added a new cyphered partition.
> > All works well but I don't understand why and it's bothering me.
> >
> > Setup:
> > $ cat /etc/crypttab
> > m2_root_crypt UUID=4e655198-a111-... none luks,discard
> > m2_swap_crypt UUID=56485640-8a04-... none luks,discard
> > ssd_dades_crypt UUID=8d1d855d-17a7-... none luks,discard
> >
> > All three partitions have the same passphrase.
> >
> > On restart I'm asked for two passwords:
> > m2_root_crypt
> > m2_swap_crypt
>
> You should have set up your encrypted swap partition to use a random
> passphrase every boot. (A side benefit is that you never have to enter a
> passphrase for swap.)

Well, I thought "I might do it another day" and "I can test hibernation
this way". I'm fine entering the password 3 times if needed; I don't
restart that often at all, I use suspend.

> The Debian Installer for Stretch put the following line in my crypttab:
>
> sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap

Thanks, I'll test it some day for fun :-)

> I changed the source device field to point to a path under
> /dev/disk/by-id so that my swap partition is found even if the
> /dev/sd* entries change (which can happen when I move or add disks):
>
> sda2_crypt /dev/disk/by-id/ata-INTEL_SSDSC2CW060A3_******************-part2
> /dev/urandom cipher=aes-xts-plain64,size=256,swap
>
> > The question is:
> > "Please unlock disk m2_root_crypt:"
> >
> > I expected to write the password three times.
>
> Given your crypttab, above, I agree that you should have to enter three
> passphrases.

This is what I'd like to know: why I need to enter the passphrase twice
and not three times.

> > My only theory is that after the root partition is decyphered it's also
> > mounted and then systemd-ask-password is used somehow (how?) and
> > --keyname= is used to "Configure a kernel keyring key name". I haven't
> > tested or seen scripts that do this.
> >
> > I'm reading initrd scripts/local-top/cryptroot and bin/cryptroot-unlock
> > (where I can see the string "Please unlock disk") and I don't see
> > anything like this happening. Maybe initrd lib/cryptsetup/askpass is
> > doing it?
> >
> > A question would be:
> > a) How to enter the passphrase only once?
> > b) When/where (scripts) and how is the passphrase stored?
> >
> > This is just to know as the system is working perfectly.
> >
> > Thanks for reading all of this!
>
> My guess is that you made a mistake and stepped on your encrypted container
> (ssd_dades_crypt?) when you created the new file system. Did you keep a
> copy of your console session? Posting it would help.

Sadly I didn't keep a copy of my console session.

> Please run the following commands and post your console session (substitute
> DIR with the directory where your new file system is mounted):
>
> # grep crypt /etc/fstab
>
> # ll /dev/mapper
>
> # mount | grep DIR

Commands and something extra:

root@pinux:~# grep crypt /etc/fstab
/dev/mapper/m2_root_crypt / ext4 errors=remount-ro 0 1
/dev/mapper/m2_swap_crypt none swap sw 0 0
/dev/mapper/ssd_dades_crypt /home/carles/dades ext4 errors=remount-ro 0 1

root@pinux:~# ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 ago  1 23:34 control
lrwxrwxrwx 1 root root       7 ago  1 23:34 m2_root_crypt -> ../dm-0
lrwxrwxrwx 1 root root       7 ago  1 23:34 m2_swap_crypt -> ../dm-1
lrwxrwxrwx 1 root root       7 ago  1 23:34 ssd_dades_crypt -> ../dm-2

root@pinux:~# mount | grep DIR
root@pinux:~# mount | grep dades
/dev/mapper/ssd_dades_crypt on /home/carles/dades type ext4 (rw,relatime,errors=remount-ro,data=ordered)

root@pinux:~# free -m
              total        used        free      shared  buff/cache   available
Mem:          11711         969        8622         142        2119       10286
Swap:         12285           0       12285

root@pinux:~# cat /proc/swaps
Filename        Type        Size      Used  Priority
/dev/dm-1       partition   12580860  0     -1

root@pinux:~# lsblk
NAME                  MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                     8:0    0   477G  0 disk
└─sda1                  8:1    0   477G  0 part
  └─ssd_dades_crypt   254:2    0   477G  0 crypt /home/carles/dades
sdb                     8:16   0   477G  0 disk
├─sdb1                  8:17   0   190M  0 part  /boot
├─sdb2                  8:18   0     1K  0 part
├─sdb5                  8:21   0    12G  0 part
│ └─m2_swap_crypt     254:1    0    12G  0 crypt [SWAP]
└─sdb6                  8:22   0 464,8G  0 part
  └─m2_root_crypt     254:0    0 464,8G  0 crypt /

As said, I just want to understand why I'm typing it twice and not three
times :)

Thanks for any ideas!

-- 
Carles Pina i Estany
Web: http://pinux.info || Blog: http://pintant.cat
GPG Key 0x8CD5C157
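The thread discusses the crypttab layout and David's random-key swap entry. The script below is an added example written for this page, not code from the thread or from Debian: it reads a crypttab file, classifies each entry by whether cryptsetup will have to stop and ask for a passphrase ("none"/"-" key field) or can unlock without a prompt (random key from /dev/urandom, or a key file), warns when a random key is used without the "swap" option, and prints a swap entry rewritten into the random-key form David quoted. The sample crypttab embedded at the bottom is constructed to match the shape of Carles' file; its UUIDs are placeholders, not the real ones. The cipher and key size in the rewritten line are the Debian Installer defaults from David's message, not a requirement.

```shell
#!/bin/sh
# Added example (not from the thread): classify crypttab entries by how they
# are unlocked at boot. crypttab(5) fields: <target> <source> <key file> <options>
#   key file "none" or "-"              -> interactive passphrase prompt
#   key file /dev/urandom or /dev/random -> fresh random key every boot, no
#                                           prompt; only sane together with the
#                                           "swap" option, because the contents
#                                           are unreadable after a reboot
#   any other key file                  -> read from that path, no prompt

crypttab_prompts() {
    # Print "<target><TAB><how it is unlocked>" for every entry in file $1.
    awk '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        {
            target = $1; key = $3; opts = $4
            if (key == "" || key == "none" || key == "-")
                kind = "passphrase prompt"
            else if (key == "/dev/urandom" || key == "/dev/random") {
                if (opts ~ /(^|,)swap(,|$)/)
                    kind = "random key, no prompt"
                else
                    kind = "random key WITHOUT swap option: contents lost on every boot"
            } else
                kind = "key file " key ", no prompt"
            printf "%s\t%s\n", target, kind
        }' "$1"
}

count_prompts() {
    # Number of entries in file $1 that will stop the boot to ask for a passphrase.
    crypttab_prompts "$1" | awk -F'\t' '$2 == "passphrase prompt" { n++ } END { print n + 0 }'
}

random_swap_line() {
    # Rewrite a swap entry ($1 = target, $2 = source device) into the
    # random-key form the Debian Installer uses (as quoted in the thread).
    printf '%s %s /dev/urandom cipher=aes-xts-plain64,size=256,swap\n' "$1" "$2"
}

# Constructed sample in the layout of the thread's crypttab; placeholder UUIDs.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not the poster's real file
m2_root_crypt UUID=00000000-0000-0000-0000-000000000001 none luks,discard
m2_swap_crypt UUID=00000000-0000-0000-0000-000000000002 none luks,discard
ssd_dades_crypt UUID=00000000-0000-0000-0000-000000000003 none luks,discard
EOF

crypttab_prompts "$sample"
echo "entries that prompt for a passphrase: $(count_prompts "$sample")"
echo "swap entry rewritten to a random key (hypothetical by-id path):"
random_swap_line m2_swap_crypt /dev/disk/by-id/EXAMPLE-DISK-part5
rm -f "$sample"
```

Run it against a copy of your own /etc/crypttab by pointing `crypttab_prompts` at the file. Note that the count is what the crypttab alone implies (three prompts for the layout in the thread); any caching of an already-entered passphrase between the initramfs and later unlocks is outside what the file says, which is exactly the gap Carles is asking about.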