Fresh install with disk encryption

Greetings,
Probably my last post for 2023 🙂
I have done a fresh install with the latest Galileo ISO. I chose to encrypt the disk. Everything is working as expected; I just have a quick question.
When on the boot screen, I need to input my password (the one for the disk encryption) twice. Does anyone have any idea why?
Any help is much appreciated, and have a wonderful 2024!!
PS → Thank you to all for this beautiful, simplistic but very powerful distro.

Probably you have two encrypted devices. Did you also encrypt swap?

You can avoid that by using a swapfile instead of a swap partition.


Thanks @dalto for the reply.
No, I have one SSD, 2TB. I chose the option in the install menu to encrypt my system. I am guessing the entire drive is encrypted, including boot and swap.
If I had to venture a guess, the first time I input the password is to decrypt the drive, and the second time is probably to decrypt the boot partition?

A little bit of context

```text
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1                                       259:0    0   1,8T  0 disk
├─nvme0n1p1                                   259:2    0  1000M  0 part  /efi
├─nvme0n1p2                                   259:3    0   1,8T  0 part
│ └─luks-0dfb0ebc-cf6d-47c7-acc4-3c43d4aedd45 254:0    0   1,8T  0 crypt /
└─nvme0n1p3                                   259:4    0  68,4G  0 part
  └─luks-f6e87f29-41db-4c7f-801e-6e15d5c067df 254:1    0  68,4G  0 crypt [SWAP]
nvme1n1                                       259:1    0 953,9G  0 disk
```

```text
luks-0dfb0ebc-cf6d-47c7-acc4-3c43d4aedd45 UUID=0dfb0ebc-cf6d-47c7-acc4-3c43d4aedd45 /crypto_keyfile.bin luks
luks-f6e87f29-41db-4c7f-801e-6e15d5c067df UUID=f6e87f29-41db-4c7f-801e-6e15d5c067df /crypto_keyfile.bin luks
```

```text
systemctl status systemd-cryptsetup@*
● systemd-cryptsetup@luks\x2df6e87f29\x2d41db\x2d4c7f\x2d801e\x2d6e15d5c067df.service - Cryptography Setup for luks-f6e87f29-41db-4c7f-801e-6e15d5c067df
     Loaded: loaded (/etc/crypttab; generated)
     Active: active (exited) since Sun 2023-12-31 09:33:00 CET; 25min ago
       Docs: man:crypttab(5)
             man:systemd-cryptsetup-generator(8)
             man:systemd-cryptsetup@.service(8)
   Main PID: 511 (code=exited, status=0/SUCCESS)
        CPU: 7.193s

Dec 31 09:32:30 rocinante systemd[1]: Starting Cryptography Setup for luks-f6e87f29-41db-4c7f-801e-6e15d5c067df…
Dec 31 09:32:30 rocinante systemd-cryptsetup[511]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/f6e87f29-41db-4c7f-801e-6e15d5c067df.
Dec 31 09:32:30 rocinante systemd-cryptsetup[511]: Failed to activate, key file ‘/crypto_keyfile.bin’ missing.
Dec 31 09:32:58 rocinante systemd-cryptsetup[511]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/f6e87f29-41db-4c7f-801e-6e15d5c067df.
Dec 31 09:33:00 rocinante systemd[1]: Finished Cryptography Setup for luks-f6e87f29-41db-4c7f-801e-6e15d5c067df.

● systemd-cryptsetup@luks\x2d0dfb0ebc\x2dcf6d\x2d47c7\x2dacc4\x2d3c43d4aedd45.service - Cryptography Setup for luks-0dfb0ebc-cf6d-47c7-acc4-3c43d4aedd45
     Loaded: loaded (/etc/crypttab; generated)
     Active: active (exited) since Sun 2023-12-31 09:32:49 CET; 25min ago
       Docs: man:crypttab(5)
             man:systemd-cryptsetup-generator(8)
             man:systemd-cryptsetup@.service(8)
   Main PID: 510 (code=exited, status=0/SUCCESS)
        CPU: 7.206s

Dec 31 09:32:30 rocinante systemd[1]: Starting Cryptography Setup for luks-0dfb0ebc-cf6d-47c7-acc4-3c43d4aedd45…
Dec 31 09:32:30 rocinante systemd-cryptsetup[510]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/0dfb0ebc-cf6d-47c7-acc4-3c43d4aedd45.
Dec 31 09:32:30 rocinante systemd-cryptsetup[510]: Failed to activate, key file ‘/crypto_keyfile.bin’ missing.
Dec 31 09:32:47 rocinante systemd-cryptsetup[510]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/0dfb0ebc-cf6d-47c7-acc4-3c43d4aedd45.
Dec 31 09:32:49 rocinante systemd[1]: Finished Cryptography Setup for luks-0dfb0ebc-cf6d-47c7-acc4-3c43d4aedd45.
```

I guess you were correct, @dalto. SWAP is also encrypted, and this is the reason why I have to type the same password twice.
I am using hibernation. Is using a swap file not ideal for hibernation?
Isn't there a simpler way? For example, create another unencrypted swap partition?

I was trying to add a keyfile to the swap partition. I guess it's the simplest approach.

1. Create an empty key file:
   ```sh
   sudo touch /.root.key
   ```
   Only root should be able to read this file:
   ```sh
   sudo chmod 600 /.root.key
   ```

2. Generate the key:
   ```sh
   sudo dd if=/dev/urandom of=/.root.key bs=1024 count=1
   ```

3. Add the key file as a valid way to decrypt your root partition:
   ```sh
   # /dev/sda1 is the guide's placeholder; use the LUKS partition you want unlocked
   sudo cryptsetup luksAddKey /dev/sda1 /.root.key
   ```

4. Edit /etc/crypttab:
   ```text
   UUID=… /.root.key
   ```

I am getting "Failed to activate, key file ‘/.root.key’ missing". I guess it's not finding the key for whatever reason. Typing my password does let me in.

Any ideas ?

That is probably because the keyfile isn't in your initrd. Create a file named /etc/dracut.conf.d/encswap.conf with the following contents:

```text
install_items+=" /etc/crypttab /.root.key "
```

Then run:

```sh
sudo dracut-rebuild
```

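The keyfile procedure in the post above and the dracut fix in this reply are two halves of one change, and the error in between ("key file ‘/.root.key’ missing") comes from the second half being absent: the file exists on the root filesystem, but the initramfs that has to open the swap device never got a copy. The script below is an added example, not code from the thread or from EndeavourOS: it stages the keyfile, the crypttab line and the dracut drop-in under a prefix directory and then checks that every keyfile named in crypttab exists, is mode 0600 and appears in an install_items line, which is the check a practitioner wants before running dracut-rebuild. The path /.root.key and the drop-in name 99-root-key.conf are taken from the thread; the prefix mechanism, the 4096-byte key size and all function names are my assumptions. Two caveats that the thread itself points at: add the key to the swap device only, so the root volume keeps its passphrase prompt (dalto's last reply), and check where your initramfs is written. With systemd-boot the kernel and initramfs live on the ESP (here /efi, which is not encrypted), so a keyfile embedded in the image is readable by anyone who can read that partition; with GRUB and /boot inside the encrypted root it is not.

```sh
#!/bin/sh
# Added example (not from the thread or EndeavourOS): stage keyfile, crypttab
# entry and dracut include under PREFIX, then check that they agree.
# Assumptions: key path /.root.key and drop-in 99-root-key.conf (from the
# thread); prefix staging, 4096-byte key and function names are mine.
set -eu

# Mode bits of a file as octal (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a keyfile that is never world-readable, not even briefly:
# the umask applies before the first byte is written.
gen_keyfile() {
    ( umask 077; head -c 4096 /dev/urandom > "$1" )
    chmod 600 "$1"
}

# crypttab line for one LUKS device unlocked by a keyfile (see crypttab(5)).
crypttab_entry() {
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# dracut drop-in that copies crypttab and the keyfile into the initramfs.
dracut_include() {
    printf 'install_items+=" /etc/crypttab %s "\n' "$1"
}

# Stage the three artefacts for device NAME/UUID under PREFIX
# (use an empty prefix on the real system, as root).
stage() {
    prefix=$1; name=$2; uuid=$3; key=/.root.key
    mkdir -p "$prefix/etc/dracut.conf.d"
    gen_keyfile "$prefix$key"
    crypttab_entry "$name" "$uuid" "$key" >> "$prefix/etc/crypttab"
    dracut_include "$key" > "$prefix/etc/dracut.conf.d/99-root-key.conf"
}

# Return 0 when every keyfile named in PREFIX/etc/crypttab exists, is mode
# 0600 and is listed in an install_items line under PREFIX/etc/dracut.conf.d.
# Passing the first two checks but failing the third is exactly the
# "key file '/.root.key' missing" situation from the thread: the key is on
# the root filesystem but not inside the initramfs that must open swap.
check_keyfiles() {
    prefix=$1; rc=0
    while read -r name dev key rest; do
        case "$name" in ''|'#'*) continue ;; esac
        case "${key:-none}" in none|-) continue ;; esac   # passphrase prompt, nothing to check
        if [ ! -f "$prefix$key" ]; then
            echo "MISSING: $name refers to $key, which does not exist"; rc=1; continue
        fi
        mode=$(mode_of "$prefix$key")
        [ "$mode" = 600 ] || { echo "WEAK PERMS: $key is mode $mode, want 600"; rc=1; }
        if ! cat "$prefix"/etc/dracut.conf.d/*.conf 2>/dev/null \
             | grep -E '^[[:space:]]*install_items\+=' | grep -qF -- " $key "; then
            echo "NOT IN INITRD: $key is not in any install_items line"; rc=1
        fi
    done < "$prefix/etc/crypttab"
    return $rc
}

# On the real system, as root, after staging with an empty prefix:
#   cryptsetup luksAddKey /dev/disk/by-uuid/<swap-uuid> /.root.key   # swap only
#   check_keyfiles "" && dracut-rebuild
#   lsinitrd <initramfs-image> | grep -F /.root.key   # confirm it is in the image
```

The check is deliberately run against the staged tree rather than the live one, so it can be rehearsed as an ordinary user; on the live system the same function takes an empty prefix. lsinitrd (part of dracut) is the final confirmation that the rebuilt image actually contains the key, which the config files alone cannot prove.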

Thanks @dalto
I added /etc/dracut.conf.d/99-root-key.conf and rebuilt dracut. I now have to type my password once; it's to decrypt the disk. SWAP is automatically decrypted.
Lesson learnt → When you do full disk encryption, SWAP is also encrypted, and this will trigger a password request.
I have read that using LVM solves the issue. I could not find a definitive guide. Is that the case?

You could use LVM to solve that issue but I think the solution you used makes more sense.

Honestly, I have no idea why I never considered just not adding the keyfile to the root volume.

We should probably just change the installer to do this by default.
