Re: luks, crypttab: why 3 partition only 2 passphrases entered

2018-08-11 Thread Dale Forsyth

From: Carles Pina i Estany 
Sent: Thursday, 2 August 2018 8:47 AM
To: debian-user@lists.debian.org
Subject: luks, crypttab: why 3 partition only 2 passphrases entered


Hi,

I have a Debian Stretch and recently I added a new cyphered partition.
All works well but I don't understand why and it's bothering me.

Setup:
$ cat /etc/crypttab
m2_root_crypt UUID=4e655198-a111-... none luks,discard
m2_swap_crypt UUID=56485640-8a04-... none luks,discard
ssd_dades_crypt UUID=8d1d855d-17a7-... none luks,discard

All three partitions have the same passphrase.

On restart I'm asked for two passwords:
m2_root_crypt
m2_swap_crypt

The question is:
"Please unlock disk m2_root_crypt:"

I expected to write the password three times.

My only theory is that after the root partition is decyphered it's also
mounted and then systemd-ask-password is used somehow (how?) and
--keyname= is used to "Configure a kernel keyring key name". I haven't
tested or seen scripts that do this.

I'm reading initrd scripts/local-top/cryptroot and bin/cryptroot-unlock
(where I can see the string "Please unlock disk") and I don't see
anything like this happening. Maybe initrd lib/cryptsetup/askpass is
doing it?

A question would be:
a) How to enter the passphrase only once?
b) When/where (scripts) and how is the passphrase stored?

This is just to know as the system is working perfectly.

Thanks for reading all of this!

--
Carles Pina i Estany
Web: http://pinux.info || Blog: http://pintant.cat
GPG Key 0x8CD5C157



Re: luks, crypttab: why 3 partition only 2 passphrases entered

2018-08-08 Thread Celejar
On Wed, 8 Aug 2018 08:57:40 +0100
Jonathan Dowland  wrote:

> On Tue, Aug 07, 2018 at 11:10:39PM +0100, Carles Pina i Estany wrote:
> > That was quite a lot of fun!
> 
> Good investigation and report, thanks, yes it was fun to read too!
> 
> Some time ago I added a second encrypted disk to my setup, but it is a
> removable one. I wanted to use the same encryption passphrase as my
> primary drive, so I looked into the systemd/keyctl stuff. I tried to
> override the timeout, because I plug in the external drive roughly once
> a month. (It's my offsite backup drive)
> 
> I figured out one hacky way to do that, but in the meantime a friend
> suggested I just use a key file for the removable drive instead, stored
> on the internal encrypted drive. I considered my threat model, realised
> that was fine, so abandoned my attempts to change the systemd/keyctl
> timeout.

I've also been doing this (storing the encryption keyfile for my
external backup drives on my internal drive) for a while - I figure that
since the external drives are just backups of the internal, anyone with
access to the internal already has all the data on the external, so
there's no real loss of security incurred by storing the key on the
internal.

Celejar



Re: luks, crypttab: why 3 partition only 2 passphrases entered

2018-08-08 Thread Jonathan Dowland

On Tue, Aug 07, 2018 at 11:10:39PM +0100, Carles Pina i Estany wrote:

> That was quite a lot of fun!


Good investigation and report, thanks, yes it was fun to read too!

Some time ago I added a second encrypted disk to my setup, but it is a
removable one. I wanted to use the same encryption passphrase as my
primary drive, so I looked into the systemd/keyctl stuff. I tried to
override the timeout, because I plug in the external drive roughly once
a month. (It's my offsite backup drive)

I figured out one hacky way to do that, but in the meantime a friend
suggested I just use a key file for the removable drive instead, stored
on the internal encrypted drive. I considered my threat model, realised
that was fine, so abandoned my attempts to change the systemd/keyctl
timeout.

--

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄ Please do not CC me, I am subscribed to the list.



Re: luks, crypttab: why 3 partition only 2 passphrases entered

2018-08-07 Thread Carles Pina i Estany


Hi,

On Aug/07/2018, Jonathan Dowland wrote:
> On Sat, Aug 04, 2018 at 10:54:59PM +0100, Carles Pina i Estany wrote:
> > 
> > And I'm now 99% sure that the culprit of all this confusion is...
> > plymouth! It has a password caching facility and systemd seems to use it
> > to get the cached password.
> 
> Almost certainly, yes, although, if plymouth is passing the password
> through to systemd, then it need not be caching it itself, as systemd
> caches disk passwords for a short while (I think 5 minutes if I recall
> correctly). See systemd-ask-password(1) for an introduction to the
> architecture of systemd's password stuff.

I did some further digging after sending my last message.

The Debian initrd scripts use Plymouth (if installed, of course, else
other methods... I had it installed) to ask the user for passwords and
try to mount the root partition and minimum partitions.

When Debian initrd scripts are finished they execute systemd which will
request from plymouthd the cached passwords (using a local socket I
think). They can be seen if adding: ply_trace("Carles password: %s",
password); in the while (node != NULL) after 'ply_trace ("There are %d
cached passwords",' (I should have had git for these changes :-) ) (in
ply_boot_connection_on_request function).

(also passing "debug" to the kernel, then journalctl to see the plymouth
debug messages).

All the passwords are cached, even invalid ones: Plymouth doesn't know
if they were valid or not and the Debian scripts doesn't invalidate
them, not even sure if Plymouth supports invalidation of passwords :)

Systemd requests all the cached passwords from plymouthd.

Then systemd tries to mount the other partitions with the requested
passwords, if it works it will add the passwords in the Kernel keyring
and can it can be seen with:
root@pinux:~# keyctl show
Session Keyring
 696839878 --alswrv  0 65534  keyring: _uid_ses.0
 373345068 --alswrv  0 65534   \_ keyring: _uid.0
 600178798 --alswrv  0 0   \_ user: cryptsetup
root@pinux:~# 

(this can be tested in my system at any time with:
systemctl stop systemd-cryptsetup@ssd_dades_crypt.service
systemctl start systemd-cryptsetup@ssd_dades_crypt.service
keyctl show

or just stop, start (enter password), stop, start (password not needed
because already in the keyring, I think it's 5 minutes by default)

That was quite a lot of fun!

Cheers,

-- 
Carles Pina i Estany
Web: http://pinux.info || Blog: http://pintant.cat
GPG Key 0x8CD5C157
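As an added example (not code from the thread), here is a small Python checker that does what Carles did by hand above: it pulls the key serial out of the systemd-cryptsetup "Added key to keyring" journal line and confirms whether that `user: cryptsetup` key is still listed by `keyctl show`. The function names are mine; the sample journal line and the two keyring listings are the ones posted in this thread, embedded so the check runs offline.

```python
"""Correlate systemd-cryptsetup journal lines with `keyctl show` output.

Added example, not code from the thread. Function names are mine; the
sample journal line and keyctl listings are copied from the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Journal excerpt from the thread (kernel booted with "debug", then journalctl).
JOURNAL = """\
ago 02 23:30:05 pinux systemd-cryptsetup[498]: Added key to keyring as 604875905.
"""

# `keyctl show` right after boot: the cached passphrase key is still present.
KEYCTL_SHOW_CACHED = """\
Session Keyring
 935647640 --alswrv  0 65534  keyring: _uid_ses.0
 575581655 --alswrv  0 65534   \\_ keyring: _uid.0
 604875905 --alswrv  0 0   \\_ user: cryptsetup
"""

# The same listing after the key's timeout expired.
KEYCTL_SHOW_EXPIRED = """\
Session Keyring
 935647640 --alswrv  0 65534  keyring: _uid_ses.0
 575581655 --alswrv  0 65534   \\_ keyring: _uid.0
"""


@dataclass(frozen=True)
class KeyEntry:
    serial: int
    perms: str
    uid: int
    gid: int
    ktype: str        # "keyring", "user", "logon", ...
    description: str  # e.g. "_uid.0" or "cryptsetup"


# serial  perms  uid  gid  [tree marker "\_"]  type: description
_KEY_LINE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(?:\\_\s*)?(\w+):\s*(\S.*?)\s*$"
)
_ADDED_KEY = re.compile(
    r"systemd-cryptsetup\[\d+\]: Added key to keyring as (\d+)\."
)


def parse_keyctl_show(output: str) -> list[KeyEntry]:
    """Parse the key lines of `keyctl show`; headers and prompts are skipped."""
    entries = []
    for line in output.splitlines():
        m = _KEY_LINE.match(line)
        if m:
            serial, perms, uid, gid, ktype, desc = m.groups()
            entries.append(KeyEntry(int(serial), perms, int(uid), int(gid), ktype, desc))
    return entries


def cached_cryptsetup_keys(output: str) -> list[int]:
    """Serials of `user: cryptsetup` keys. While one exists, starting another
    systemd-cryptsetup@ unit can reuse the passphrase without prompting."""
    return [e.serial for e in parse_keyctl_show(output)
            if e.ktype == "user" and e.description == "cryptsetup"]


def keys_added_by_cryptsetup(journal: str) -> list[int]:
    """Key serials that systemd-cryptsetup reported adding to the keyring."""
    return [int(m.group(1)) for m in _ADDED_KEY.finditer(journal)]


def correlate(journal: str, keyctl_output: str) -> dict[int, bool]:
    """For each serial systemd-cryptsetup added, whether it is still cached."""
    present = set(cached_cryptsetup_keys(keyctl_output))
    return {s: s in present for s in keys_added_by_cryptsetup(journal)}
```

On a live system feed it the output of `journalctl -b` and `keyctl show` from the same root session; a `True` result means the passphrase is still cached in the kernel keyring and any further unlock would not prompt until the key times out.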



Re: luks, crypttab: why 3 partition only 2 passphrases entered

2018-08-07 Thread Jonathan Dowland

On Sat, Aug 04, 2018 at 10:54:59PM +0100, Carles Pina i Estany wrote:

> And I'm now 99% sure that the culprit of all this confusion is...
> plymouth! It has a password caching facility and systemd seems to use it
> to get the cached password.


Almost certainly, yes, although, if plymouth is passing the password
through to systemd, then it need not be caching it itself, as systemd
caches disk passwords for a short while (I think 5 minutes if I recall
correctly). See systemd-ask-password(1) for an introduction to the
architecture of systemd's password stuff.

--

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄ Please do not CC me, I am subscribed to the list.



Re: luks, crypttab: why 3 partition only 2 passphrases entered

2018-08-07 Thread Jonathan Dowland

On Thu, Aug 02, 2018 at 01:00:15AM +, Matthew Crews wrote:

> On 8/1/18 3:47 PM, Carles Pina i Estany wrote:
> 
> > I have a Debian Stretch and recently I added a new cyphered partition.
> > All works well but I don't understand why and it's bothering me.
> 
> *snip*
> 
> > A question would be:
> > a) How to enter the passphrase only once?
> > b) When/where (scripts) and how is the passphrase stored?
> 
> a) Short version:
> 
> Use LVM to set up your partitions.
> 
> snip

Are you suggesting OP should re-format/reinstall their machine to figure
this out? and you call that the *short* version?!


--

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄ Please do not CC me, I am subscribed to the list.



Re: luks, crypttab: why 3 partition only 2 passphrases entered

2018-08-04 Thread Carles Pina i Estany


Hi,

On Aug/04/2018, David Christensen wrote:

> On 08/04/2018 02:54 PM, Carles Pina i Estany wrote:
> > And I'm now 99% sure that the culprit of all this confusion is...
> > plymouth! It has a password caching facility and systemd seems to use
> > it to get the cached password.
> 
> You seem to have found complexities above dm-crypt.  I know very little
> about systemd or the various desktop environments, so I'll wish you good
> luck in pursuing answers to your questions.

I've just confirmed it. In plymouth, file src/ply-boot-server.c, I've
added the ply_trace line:
ply_buffer_append_bytes (buffer,
 password,
 strlen (password) + 1);
ply_trace("Carles password: %s", password);

Then I can see in the Debug logs the previously entered passwords when systemd
requests them (which then systemd uses them to decypher the partition and add
the correct one in the Linux keyring, etc. etc.).

Thanks for all the help and checks,

-- 
Carles Pina i Estany
Web: http://pinux.info || Blog: http://pintant.cat
GPG Key 0x8CD5C157



Re: luks, crypttab: why 3 partition only 2 passphrases entered

2018-08-04 Thread David Christensen

On 08/04/2018 01:08 PM, Carles Pina i Estany wrote:

> root@pinux:~# dmsetup info /dev/dm-*
> Name:              m2_root_crypt
> State:             ACTIVE
> Read Ahead:        256
> Tables present:    LIVE
> Open count:        1
> Event number:      0
> Major, minor:      254, 0
> Number of targets: 1
> UUID: CRYPT-LUKS1-4e655198a11147b3985b4622af7a2b0f-m2_root_crypt
> 
> Name:              m2_swap_crypt
> State:             ACTIVE
> Read Ahead:        256
> Tables present:    LIVE
> Open count:        2
> Event number:      0
> Major, minor:      254, 1
> Number of targets: 1
> UUID: CRYPT-LUKS1-564856408a04403191d46f1620cc2c9e-m2_swap_crypt
> 
> Name:              ssd_dades_crypt
> State:             ACTIVE
> Read Ahead:        256
> Tables present:    LIVE
> Open count:        1
> Event number:      0
> Major, minor:      254, 2
> Number of targets: 1
> UUID: CRYPT-LUKS1-8d1d855d17a74cf2b29486172e407e35-ssd_dades_crypt
> 
> I can't see anything obviously wrong.


Okay.  It seems that you have three encrypted partitions, all set up 
correctly.




> Since the last emails here I've kept investigating. Quick overview if someone
> is interested here (and let me know if it's something else!).
> After booting keyctl has this:
> 
> root@pinux:~# keyctl show
> Session Keyring
>   479651357 --alswrv  0 65534  keyring: _uid_ses.0
>   712333474 --alswrv  0 65534   \_ keyring: _uid.0
>   711077095 --alswrv  0 0   \_ user: cryptsetup
> root@pinux:~#
> 
> See the cryptsetup line. This is what would make systemd able to mount/umount
> without asking for the passphrase and I can just boot and do:
> systemctl stop systemd-cryptsetup@ssd_dades_crypt.service
> systemctl start systemd-cryptsetup@ssd_dades_crypt.service
> 
> if the cryptsetup line is still there (it lasts I think 2.5 minutes) the
> systemd second line is mounting the partition without me entering the password.
> 
> But the initial passwords are entered to initrd /lib/cryptsetup/askpass and
> using plymouth for the password "asking" backend (not systemd related) and
> actually if I boot with init=/bin/bash or break=init I would have the two (root
> and swap) partitions mounted but no "dades" partition mounted, nor anything
> in keyctl show.
> 
> So still a mystery how this is added there: by who, etc.
> 
> Any clues (or "you missed this obvious thing") are very welcome!


On 08/04/2018 02:54 PM, Carles Pina i Estany wrote:
> And I'm now 99% sure that the culprit of all this confusion is...
> plymouth! It has a password caching facility and systemd seems to use
> it to get the cached password.

You seem to have found complexities above dm-crypt.  I know very little 
about systemd or the various desktop environments, so I'll wish you good 
luck in pursuing answers to your questions.



You might try asking on the dm-crypt mailing list:

https://www.saout.de/mailman/listinfo/dm-crypt


David



Re: luks, crypttab: why 3 partition only 2 passphrases entered

2018-08-04 Thread Carles Pina i Estany


And I'm now 99% sure that the culprit of all this confusion is...
plymouth! It has a password caching facility and systemd seems to use it
to get the cached password.

-- 
Carles Pina i Estany
Web: http://pinux.info || Blog: http://pintant.cat
GPG Key 0x8CD5C157



Re: luks, crypttab: why 3 partition only 2 passphrases entered

2018-08-04 Thread Carles Pina i Estany


Hi,

On Aug/04/2018, David Christensen wrote:
> On 08/02/2018 12:07 AM, Carles Pina i Estany wrote:
> > On Aug/01/2018, David Christensen wrote:
> > > On 08/01/2018 03:47 PM, Carles Pina i Estany wrote:
> > > > I have a Debian Stretch and recently I added a new cyphered partition.
> > > > All works well but I don't understand why and it's bothering me.
> > > > 
> > > > Setup:
> > > > $ cat /etc/crypttab
> > > > m2_root_crypt UUID=4e655198-a111-... none luks,discard
> > > > m2_swap_crypt UUID=56485640-8a04-... none luks,discard
> > > > ssd_dades_crypt UUID=8d1d855d-17a7-... none luks,discard
> > > > 
> > > > All three partitions have the same passphrase.
> > > > 
> > > > On restart I'm asked for two passwords:
> > > > m2_root_crypt
> > > > m2_swap_crypt
> ...
> > > > The question is:
> > > > "Please unlock disk m2_root_crypt:"
> > > > 
> > > > I expected to write the password three times.
> > > 
> > > My guess is that you made a mistake and stepped on your encrypted 
> > > container
> > > (ssd_dades_crypt?) when you created the new file system.  Did you keep a
> > > copy of your console session?  Posting it would help.
> > 
> > Sadly I didn't keep a copy of my console session.
> 
> I got into the habit of cutting and pasting administrative console sessions
> into a log file (and putting the log file into a version control system).
> This technique has proven to be invaluable -- I recommend it to everyone.

I take note, thanks!

> > Commands and something extra:
> > root@pinux:~# grep crypt /etc/fstab
> > /dev/mapper/m2_root_crypt   /                  ext4 errors=remount-ro 0 1
> > /dev/mapper/m2_swap_crypt   none               swap sw                0 0
> > /dev/mapper/ssd_dades_crypt /home/carles/dades ext4 errors=remount-ro 0 1
> 
> Okay.
> 
> 
> > root@pinux:~# ls -l /dev/mapper/
> > total 0
> > crw------- 1 root root 10, 236 ago  1 23:34 control
> > lrwxrwxrwx 1 root root       7 ago  1 23:34 m2_root_crypt -> ../dm-0
> > lrwxrwxrwx 1 root root       7 ago  1 23:34 m2_swap_crypt -> ../dm-1
> > lrwxrwxrwx 1 root root       7 ago  1 23:34 ssd_dades_crypt -> ../dm-2
> 
> Okay.
> 
> 
> > root@pinux:~# mount | grep dades
> > /dev/mapper/ssd_dades_crypt on /home/carles/dades type ext4 
> > (rw,relatime,errors=remount-ro,data=ordered)
> 
> Okay.
> 
> 
> Please run the following command to learn more about the device mapper
> nodes:
> 
> # dmsetup info /dev/dm-*

root@pinux:~# dmsetup info /dev/dm-*
Name:              m2_root_crypt
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        1
Event number:      0
Major, minor:      254, 0
Number of targets: 1
UUID: CRYPT-LUKS1-4e655198a11147b3985b4622af7a2b0f-m2_root_crypt

Name:              m2_swap_crypt
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        2
Event number:      0
Major, minor:      254, 1
Number of targets: 1
UUID: CRYPT-LUKS1-564856408a04403191d46f1620cc2c9e-m2_swap_crypt

Name:              ssd_dades_crypt
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        1
Event number:      0
Major, minor:      254, 2
Number of targets: 1
UUID: CRYPT-LUKS1-8d1d855d17a74cf2b29486172e407e35-ssd_dades_crypt

I can't see anything obviously wrong.

Since the last emails here I've kept investigating. Quick overview if someone 
is interested here (and let me know if it's something else!).
After booting keyctl has this:

root@pinux:~# keyctl show
Session Keyring
 479651357 --alswrv  0 65534  keyring: _uid_ses.0
 712333474 --alswrv  0 65534   \_ keyring: _uid.0
 711077095 --alswrv  0 0   \_ user: cryptsetup
root@pinux:~# 

See the cryptsetup line. This is what would make systemd able to mount/umount 
without asking for the passphrase and I can just boot and do:
systemctl stop systemd-cryptsetup@ssd_dades_crypt.service
systemctl start systemd-cryptsetup@ssd_dades_crypt.service

if the cryptsetup line is still there (it lasts I think 2.5 minutes) the
systemd second line is mounting the partition without me entering the password.

But the initial passwords are entered to initrd /lib/cryptsetup/askpass and
using plymouth for the password "asking" backend (not systemd related) and
actually if I boot with init=/bin/bash or break=init I would have the two (root
and swap) partitions mounted but no "dades" partition mounted, nor anything
in keyctl show.

So still a mystery how this is added there: by who, etc.

Any clues (or "you missed this obvious thing") are very welcome!

Cheers,

-- 
Carles Pina i Estany
Web: http://pinux.info || Blog: http://pintant.cat
GPG Key 0x8CD5C157



Re: luks, crypttab: why 3 partition only 2 passphrases entered

2018-08-04 Thread David Christensen

On 08/02/2018 12:07 AM, Carles Pina i Estany wrote:

> On Aug/01/2018, David Christensen wrote:
> 
> > On 08/01/2018 03:47 PM, Carles Pina i Estany wrote:
> > 
> > > I have a Debian Stretch and recently I added a new cyphered partition.
> > > All works well but I don't understand why and it's bothering me.
> > > 
> > > Setup:
> > > $ cat /etc/crypttab
> > > m2_root_crypt UUID=4e655198-a111-... none luks,discard
> > > m2_swap_crypt UUID=56485640-8a04-... none luks,discard
> > > ssd_dades_crypt UUID=8d1d855d-17a7-... none luks,discard
> > > 
> > > All three partitions have the same passphrase.
> > > 
> > > On restart I'm asked for two passwords:
> > > m2_root_crypt
> > > m2_swap_crypt
> > 
> > ...
> > 
> > > The question is:
> > > "Please unlock disk m2_root_crypt:"
> > > 
> > > I expected to write the password three times.
> > 
> > My guess is that you made a mistake and stepped on your encrypted container
> > (ssd_dades_crypt?) when you created the new file system.  Did you keep a
> > copy of your console session?  Posting it would help.
> 
> Sadly I didn't keep a copy of my console session.

I got into the habit of cutting and pasting administrative console
sessions into a log file (and putting the log file into a version
control system).  This technique has proven to be invaluable -- I
recommend it to everyone.

> Commands and something extra:
> root@pinux:~# grep crypt /etc/fstab
> /dev/mapper/m2_root_crypt   /                  ext4 errors=remount-ro 0 1
> /dev/mapper/m2_swap_crypt   none               swap sw                0 0
> /dev/mapper/ssd_dades_crypt /home/carles/dades ext4 errors=remount-ro 0 1

Okay.

> root@pinux:~# ls -l /dev/mapper/
> total 0
> crw------- 1 root root 10, 236 ago  1 23:34 control
> lrwxrwxrwx 1 root root       7 ago  1 23:34 m2_root_crypt -> ../dm-0
> lrwxrwxrwx 1 root root       7 ago  1 23:34 m2_swap_crypt -> ../dm-1
> lrwxrwxrwx 1 root root       7 ago  1 23:34 ssd_dades_crypt -> ../dm-2

Okay.

> root@pinux:~# mount | grep dades
> /dev/mapper/ssd_dades_crypt on /home/carles/dades type ext4
> (rw,relatime,errors=remount-ro,data=ordered)

Okay.

Please run the following command to learn more about the device mapper
nodes:

# dmsetup info /dev/dm-*


David



Re: luks, crypttab: why 3 partition only 2 passphrases entered

2018-08-03 Thread deloptes
Carles Pina i Estany wrote:

> Any more ideas please let me know

I stopped using systemd as init process - perhaps you try to boot with init
as proc 1 and see if you are asked 2 or 3 times, my bet would be 3 times.

regards



Re: luks, crypttab: why 3 partition only 2 passphrases entered

2018-08-02 Thread Carles Pina i Estany


Hi,

On Aug/01/2018, David Christensen wrote:
> On 08/01/2018 03:47 PM, Carles Pina i Estany wrote:

> > The question is:
> > "Please unlock disk m2_root_crypt:"
> > 
> > I expected to write the password three times.
> 
> Given your crypttab, above, I agree that you should have to enter three
> passphrases.

I've been investigating and I'm still puzzled.

The findings can be resumed:
a) If I boot the kernel with break=premount and then execute
/scripts/local-top/cryptroot: I need to enter the passphrase three times
as expected instead of two. Last one I see the prompt a bit different in
bold (probably comes from systemd?).

b) If I boot the kernel with the parameter "debug" and then I execute
journalctl I can see:
"""
ago 02 23:30:05 pinux systemd-cryptsetup[498]: Added key to keyring as 
604875905.
"""

And if I execute keyctl show:
root@pinux:~# keyctl show
Session Keyring
 935647640 --alswrv  0 65534  keyring: _uid_ses.0
 575581655 --alswrv  0 65534   \_ keyring: _uid.0
 604875905 --alswrv  0 0   \_ user: cryptsetup
root@pinux:~# 

If I wait a bit (more than 90 seconds was the default timeout?):
root@pinux:~# keyctl show
Session Keyring
 935647640 --alswrv  0 65534  keyring: _uid_ses.0
 575581655 --alswrv  0 65534   \_ keyring: _uid.0
root@pinux:~# 

But I thought that keyrings were only used by decrypt_keyctl in /etc/crypttab?
where is this added? My initrd doesn't have keyctl installed.

All of this might be a red herring...

Any more ideas please let me know,

-- 
Carles Pina i Estany
Web: http://pinux.info || Blog: http://pintant.cat
GPG Key 0x8CD5C157



Re: luks, crypttab: why 3 partition only 2 passphrases entered

2018-08-02 Thread Carles Pina i Estany


Hi,

On Aug/02/2018, Matthew Crews wrote:
> On 8/1/18 3:47 PM, Carles Pina i Estany wrote:
> > 
> > Hi,
> > 
> > I have a Debian Stretch and recently I added a new cyphered partition.
> > All works well but I don't understand why and it's bothering me.
> 
> *snip*
> 
> > A question would be:
> > a) How to enter the passphrase only once?
> > b) When/where (scripts) and how is the passphrase stored?
> 
> a) Short version:
> 
> Use LVM to set up your partitions. This can be done in the installer.
> Have your overall hierarchy look like this:

I might do it another time - it's that I'm more familiar (for when things
go wrong, and only because I have more experience) with usual partitions
and not LVM, and they serve my purpose. As said, I might use LVM another
time :-)

I was asking "how to enter the passphrase only once" only to understand
why I'm entering it twice and not three times :-)

[...]

> b) Read the manpage for cryptsetup. It has everything you need to
> understand how LUKS encryption works.

When I read it and also the initrd scripts I didn't understand why I
need to type it twice only when I was expecting three times... if I need
to read again some specific section let me know. I'll have another look
just in case.

Thanks for the other information! It might be handy at some point! :-)

-- 
Carles Pina i Estany
Web: http://pinux.info || Blog: http://pintant.cat
GPG Key 0x8CD5C157



Re: luks, crypttab: why 3 partition only 2 passphrases entered

2018-08-02 Thread Carles Pina i Estany


Hi,

On Aug/01/2018, David Christensen wrote:
> On 08/01/2018 03:47 PM, Carles Pina i Estany wrote:
> > Hi,
> 
> Hello.  :-)
> 
> 
> > I have a Debian Stretch and recently I added a new cyphered partition.
> > All works well but I don't understand why and it's bothering me.
> > 
> > Setup:
> > $ cat /etc/crypttab
> > m2_root_crypt UUID=4e655198-a111-... none luks,discard
> > m2_swap_crypt UUID=56485640-8a04-... none luks,discard
> > ssd_dades_crypt UUID=8d1d855d-17a7-... none luks,discard
> > 
> > All three partitions have the same passphrase.
> > 
> > On restart I'm asked for two passwords:
> > m2_root_crypt
> > m2_swap_crypt
> 
> You should have set up your encrypted swap partition to use a random
> passphrase every boot.  (A side benefit is that you never have to enter a
> passphrase for swap.)

Well, I thought "I might do a later day" and "I can test hibernation
this way". I'm fine entering the password 3 times if needed, I don't
restart that often at all I use suspend.

> The Debian Installer for Stretch put the following line in my crypttab:
> 
> sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap

thanks I'll test it some day for fun :-)

> I changed the source device field to point to a path under
> /dev/disk/by-id so that my swap partition is found even if the
> /dev/sd* entries change (which can happen when I move or add disks):
> 
> sda2_crypt /dev/disk/by-id/ata-INTEL_SSDSC2CW060A3_**-part2
> /dev/urandom cipher=aes-xts-plain64,size=256,swap
> 
> 
> > The question is:
> > "Please unlock disk m2_root_crypt:"
> > 
> > I expected to write the password three times.
> 
> Given your crypttab, above, I agree that you should have to enter three
> passphrases.

this is what I'd like to know: why I need to enter the passphrase twice
and not three times.

> > My only theory is that after the root partition is decyphered it's also
> > mounted and then systemd-ask-password is used somehow (how?) and
> > --keyname= is used to "Configure a kernel keyring key name". I haven't
> > tested or seen scripts that do this.
> > 
> > I'm reading initrd scripts/local-top/cryptroot and bin/cryptroot-unlock
> > (where I can see the string "Please unlock disk") and I don't see
> > anything like this happening. Maybe initrd lib/cryptsetup/askpass is
> > doing it?
> > 
> > A question would be:
> > a) How to enter the passphrase only once?
> > b) When/where (scripts) and how is the passphrase stored?
> > 
> > This is just to know as the system is working perfectly.
> > 
> > Thanks for reading all of this!
> 
> My guess is that you made a mistake and stepped on your encrypted container
> (ssd_dades_crypt?) when you created the new file system.  Did you keep a
> copy of your console session?  Posting it would help.

Sadly I didn't keep a copy of my console session.

> Please run the following commands and post your console session (substitute
> DIR with the directory where your new file system is mounted):
> 
> # grep crypt /etc/fstab
> 
> # ll /dev/mapper
> 
> # mount | grep DIR

Commands and something extra:
root@pinux:~# grep crypt /etc/fstab
/dev/mapper/m2_root_crypt   /                  ext4 errors=remount-ro 0 1
/dev/mapper/m2_swap_crypt   none               swap sw                0 0
/dev/mapper/ssd_dades_crypt /home/carles/dades ext4 errors=remount-ro 0 1
root@pinux:~# ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 ago  1 23:34 control
lrwxrwxrwx 1 root root       7 ago  1 23:34 m2_root_crypt -> ../dm-0
lrwxrwxrwx 1 root root       7 ago  1 23:34 m2_swap_crypt -> ../dm-1
lrwxrwxrwx 1 root root       7 ago  1 23:34 ssd_dades_crypt -> ../dm-2
root@pinux:~# mount | grep DIR
root@pinux:~# mount | grep dades
/dev/mapper/ssd_dades_crypt on /home/carles/dades type ext4 (rw,relatime,errors=remount-ro,data=ordered)
root@pinux:~# free -m
              total        used        free      shared  buff/cache   available
Mem:          11711         969        8622         142        2119       10286
Swap:         12285           0       12285
root@pinux:~# cat /proc/swaps
Filename                                Type            Size      Used    Priority
/dev/dm-1                               partition       12580860  0       -1
root@pinux:~# lsblk
NAME                MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                   8:0    0   477G  0 disk
└─sda1                8:1    0   477G  0 part
  └─ssd_dades_crypt 254:2    0   477G  0 crypt /home/carles/dades
sdb                   8:16   0   477G  0 disk
├─sdb1                8:17   0   190M  0 part  /boot
├─sdb2                8:18   0     1K  0 part
├─sdb5                8:21   0    12G  0 part
│ └─m2_swap_crypt   254:1    0    12G  0 crypt [SWAP]
└─sdb6                8:22   0 464,8G  0 part
  └─m2_root_crypt   254:0    0 464,8G  0 crypt /

As said, I just want to understand why I'm typing it twice and not three times
:)

Thanks for any ideas!

-- 
Carles Pina i Estany
Web: 

Re: luks, crypttab: why 3 partition only 2 passphrases entered

2018-08-01 Thread David Christensen

On 08/01/2018 03:47 PM, Carles Pina i Estany wrote:

> Hi,

Hello.  :-)

> I have a Debian Stretch and recently I added a new cyphered partition.
> All works well but I don't understand why and it's bothering me.
> 
> Setup:
> $ cat /etc/crypttab
> m2_root_crypt UUID=4e655198-a111-... none luks,discard
> m2_swap_crypt UUID=56485640-8a04-... none luks,discard
> ssd_dades_crypt UUID=8d1d855d-17a7-... none luks,discard
> 
> All three partitions have the same passphrase.
> 
> On restart I'm asked for two passwords:
> m2_root_crypt
> m2_swap_crypt

You should have set up your encrypted swap partition to use a random
passphrase every boot.  (A side benefit is that you never have to enter
a passphrase for swap.)

The Debian Installer for Stretch put the following line in my crypttab:

sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap

I changed the source device field to point to a path under
/dev/disk/by-id so that my swap partition is found even if the /dev/sd*
entries change (which can happen when I move or add disks):

sda2_crypt /dev/disk/by-id/ata-INTEL_SSDSC2CW060A3_**-part2 /dev/urandom cipher=aes-xts-plain64,size=256,swap

> The question is:
> "Please unlock disk m2_root_crypt:"
> 
> I expected to write the password three times.

Given your crypttab, above, I agree that you should have to enter three
passphrases.

> My only theory is that after the root partition is decyphered it's also
> mounted and then systemd-ask-password is used somehow (how?) and
> --keyname= is used to "Configure a kernel keyring key name". I haven't
> tested or seen scripts that do this.
> 
> I'm reading initrd scripts/local-top/cryptroot and bin/cryptroot-unlock
> (where I can see the string "Please unlock disk") and I don't see
> anything like this happening. Maybe initrd lib/cryptsetup/askpass is
> doing it?
> 
> A question would be:
> a) How to enter the passphrase only once?
> b) When/where (scripts) and how is the passphrase stored?
> 
> This is just to know as the system is working perfectly.
> 
> Thanks for reading all of this!

My guess is that you made a mistake and stepped on your encrypted
container (ssd_dades_crypt?) when you created the new file system.  Did
you keep a copy of your console session?  Posting it would help.

Please run the following commands and post your console session
(substitute DIR with the directory where your new file system is mounted):

# grep crypt /etc/fstab

# ll /dev/mapper

# mount | grep DIR


David



Re: luks, crypttab: why 3 partition only 2 passphrases entered

2018-08-01 Thread Matthew Crews
On 8/1/18 3:47 PM, Carles Pina i Estany wrote:
> 
> Hi,
> 
> I have a Debian Stretch and recently I added a new cyphered partition.
> All works well but I don't understand why and it's bothering me.

*snip*

> A question would be:
> a) How to enter the passphrase only once?
> b) When/where (scripts) and how is the passphrase stored?

a) Short version:

Use LVM to set up your partitions. This can be done in the installer.
Have your overall hierarchy look like this:

Raw disk (/dev/sda)
 |
LUKS partition (/dev/sdaX) + /boot partition (likely /dev/sda1)
 |
LVM Physical Volume (/dev/LVM)
 |
LVM Logical Volumes (/dev/LVM/root mounted as /, and /dev/LVM/swap
mounted as /swap)


Long version:

Here is an example of how an encrypted LVM partition can look. We will
look at how I have it set up.

First, output of lsblk:

matthew@matt-tower:~$ lsblk /dev/sda
NAME                  MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                     8:0    0 465.8G  0 disk
├─sda1                  8:1    0 953.7M  0 part  /boot
├─sda2                  8:2    0     1K  0 part
└─sda5                  8:5    0 464.8G  0 part
  └─sda5_crypt        254:0    0 464.8G  0 crypt
    ├─root--swap-root 254:1    0   447G  0 lvm   /
    └─root--swap-swap 254:2    0  17.8G  0 lvm   [SWAP]

sda1 is /boot (necessary as encrypted /boot is not really possible right
now), sda2 is an unused 1K partition (necessary due to partitioning
oddities, don't worry about it), and sda5 is my actual encrypted
partition. sda5 then has a LUKS encrypted partition called sda5_crypt.
Within the LUKS partition, is a LVM group called root-swap, which we can
see when we run pvdisplay:

matthew@matt-tower:~$ sudo pvdisplay
  --- Physical volume ---
  PV Name   /dev/mapper/sda5_crypt
  VG Name   root-swap
  PV Size   464.83 GiB / not usable 2.00 MiB
  Allocatable   yes (but full)
  PE Size   4.00 MiB
  Total PE  118995
  Free PE   0
  Allocated PE  118995
  PV UUID   XX------XX

Within this LVM group are two sub partitions, which act as my /root and
/swap partitions.

matthew@matt-tower:~$ sudo lvdisplay
  --- Logical volume ---
  LV Path                /dev/root-swap/root
  LV Name                root
  VG Name                root-swap
  LV UUID                XX------XX
  LV Write Access        read/write
  LV Creation host, time matt-tower, 2018-06-25 10:24:13 -0700
  LV Status              available
  # open                 1
  LV Size                447.04 GiB
  Current LE             114441
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           254:1

  --- Logical volume ---
  LV Path                /dev/root-swap/swap
  LV Name                swap
  VG Name                root-swap
  LV UUID                XX------XX
  LV Write Access        read/write
  LV Creation host, time matt-tower, 2018-06-25 10:24:19 -0700
  LV Status              available
  # open                 2
  LV Size                17.79 GiB
  Current LE             4554
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           254:2

Lastly, the output of my /etc/crypttab and /etc/fstab

matthew@matt-tower:~$ cat /etc/crypttab
sda5_crypt UUID=ea2034e1-c550-466c-b9a4-61c40f0891b6 none luks

matthew@matt-tower:~$ cat /etc/fstab
#
/dev/mapper/root--swap-root /     ext4 discard,errors=remount-ro 0 1
# /boot was on /dev/sda1 during installation
UUID=5c24b6a3-f1ec-42b7-9d03-251295853167 /boot ext2 noatime,nodiratime 0 2
/dev/mapper/root--swap-swap none  swap sw 0 0

Here is the overall hierarchy:

Raw disk (/dev/sda)
 |
LUKS partition (/dev/sda5)
 |
LVM Physical Volume (/dev/root-swap)
 |
LVM Logical Volumes (/dev/root-swap/root mounted as /, and
/dev/root-swap/swap mounted as /swap)

At boot time, /boot is automatically mounted, and when it is time to
mount /, it will ask for the LUKS partition password. Once unlocked, it
will mount the LVM physical volume, then subsequently mount both LVM
logical volumes in one swoop. One password for two logical partitions.



b) Read the manpage for cryptsetup. It has everything you need to
understand how LUKS encryption works.


Cheers,

-Matt
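An added example, not code from the thread, that turns two points made in it into a check: David's advice to give encrypted swap a per-boot random key, and Matthew's observation that LVM-on-LUKS needs one passphrase for two volumes. It parses crypttab and fstab, counts the passphrase prompts a crypttab implies, and flags swap mappings that are not set up the way David describes. Function names are mine; the crypttab and fstab inputs are copied from the thread (elided UUIDs kept as written), with one constructed fstab line for David's swap entry.

```python
"""Check crypttab/fstab for swap unlocked with a persistent passphrase, and
count the passphrase prompts a crypttab implies.

Added example, not code from the thread. Inputs are copied from the thread;
FSTAB_DAVID is constructed. Function names are mine.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Carles' three LUKS mappings, each unlocked with a typed passphrase.
CRYPTTAB_CARLES = """\
m2_root_crypt UUID=4e655198-a111-... none luks,discard
m2_swap_crypt UUID=56485640-8a04-... none luks,discard
ssd_dades_crypt UUID=8d1d855d-17a7-... none luks,discard
"""
FSTAB_CARLES = """\
/dev/mapper/m2_root_crypt   /                  ext4 errors=remount-ro 0 1
/dev/mapper/m2_swap_crypt   none               swap sw                0 0
/dev/mapper/ssd_dades_crypt /home/carles/dades ext4 errors=remount-ro 0 1
"""

# David's installer-written random-key swap line; the fstab line is constructed.
CRYPTTAB_DAVID = "sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap\n"
FSTAB_DAVID = "/dev/mapper/sda2_crypt none swap sw 0 0\n"

# Matthew's LVM-on-LUKS layout: one container holding the root and swap LVs.
CRYPTTAB_MATTHEW = "sda5_crypt UUID=ea2034e1-c550-466c-b9a4-61c40f0891b6 none luks\n"


@dataclass
class CryptEntry:
    name: str
    source: str
    keyfile: str
    options: set[str] = field(default_factory=set)


def parse_crypttab(text: str) -> dict[str, CryptEntry]:
    """crypttab(5): name, source device, key file ('none' = prompt), options."""
    entries: dict[str, CryptEntry] = {}
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        keyfile = f[2] if len(f) > 2 else "none"
        options = set(f[3].split(",")) if len(f) > 3 else set()
        entries[f[0]] = CryptEntry(f[0], f[1], keyfile, options)
    return entries


def swap_mappings(fstab: str) -> set[str]:
    """Mapper names whose fstab type is 'swap'."""
    prefix = "/dev/mapper/"
    names = set()
    for line in fstab.splitlines():
        f = line.split()
        if len(f) >= 3 and f[2] == "swap" and f[0].startswith(prefix):
            names.add(f[0][len(prefix):])
    return names


def expected_prompts(crypttab: str) -> int:
    """Entries that need a typed passphrase (key file 'none' or '-'): three
    for Carles' crypttab, one for Matthew's single LUKS container."""
    return sum(1 for e in parse_crypttab(crypttab).values() if e.keyfile in ("none", "-"))


def check_swap(crypttab: str, fstab: str) -> dict[str, str]:
    """Classify each swap mapping found in fstab:
       persistent-key: prompts at boot and swap contents survive reboots
                       (needed only if you want resume from hibernation)
       uuid-source:    random key but UUID= source; mkswap rewrites the
                       partition each boot, so a stable device path is needed
       no-swap-option: random key but no 'swap' option, so mkswap is not run
       missing-entry:  fstab swap with no crypttab line
       ok:             per-boot random key, stable source, 'swap' option set"""
    entries = parse_crypttab(crypttab)
    result = {}
    for name in sorted(swap_mappings(fstab)):
        e = entries.get(name)
        if e is None:
            result[name] = "missing-entry"
        elif e.keyfile != "/dev/urandom":
            result[name] = "persistent-key"
        elif e.source.startswith("UUID="):
            result[name] = "uuid-source"
        elif "swap" not in e.options:
            result[name] = "no-swap-option"
        else:
            result[name] = "ok"
    return result


def random_swap_line(entry: CryptEntry, stable_source: str) -> str:
    """Rewrite a swap entry in David's random-key form. stable_source must be
    a persistent device path (e.g. under /dev/disk/by-id), not UUID=."""
    return f"{entry.name} {stable_source} /dev/urandom cipher=aes-xts-plain64,size=256,swap"
```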