How cryptsetup on installation works

I did my install of EOS around two years ago and at the time I chose the encryption option. Now I am looking into seeing how this works (maybe do an Arch install myself and implement it).

Maybe it is something similar to other distros, so sorry if it may seem off-topic to some people…

It seems like there are two keys set up on my / and /home partitions that are encrypted. When I boot it asks for my passphrase, but there is also a crypto_keyfile.bin file in /etc/crypttab that is used at boot time.

The thing I don’t understand is how cryptsetup reads this file, as it is on my / and it seems not possible to use it to open itself.

Can someone help me understand how it works? (I have a basic understanding of how cryptsetup works and I have used it on my other drives too, but my usage is simple so I don’t get into the complexities involved in this program that often.)

The keyfile can be used instead of your passphrase to unlock encrypted partitions. If you move or delete the keyfile, you should still be able to boot normally but you will have to enter your passphrase for each encrypted device that needs to be unlocked.

If you look in /etc/dracut.conf.d/, you should see a config that Calamares (the installer) has set up for adding /etc/crypttab and /crypto_keyfile.bin to the initramfs.

/etc/dracut.conf.d/calamares-luks.conf
# Configuration file automatically written by the Calamares system installer
# (This file is written once at install time and should be safe to edit.)
# Enables support for LUKS full disk encryption with single sign on from GRUB.

# force installing /etc/crypttab even if hostonly="no", install the keyfile
install_items+=" /etc/crypttab /crypto_keyfile.bin "

When you boot your system, you get prompted for the initial unlock. That unlock provides access to the keyfile and /etc/crypttab, since they have been added to the image like this. From there, systemd can go ahead and unlock the devices in /etc/crypttab using the keyfile.

This will be worth a read-through while you decide how you want to set it up on your Arch install: https://wiki.archlinux.org/title/Dm-crypt/System_configuration

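As an added example (my own code, not from the thread, Calamares or EndeavourOS) of the two mechanisms the reply describes: a crypttab entry with a keyfile in the third column is unlocked unattended, an entry with `none` prompts, and the keyfile only helps if dracut's `install_items` actually puts it into the initramfs. The script writes a constructed crypttab and a constructed copy of the dracut drop-in into a temp dir (UUIDs and device names are placeholders), then prints what the initramfs would do for each entry and checks whether the keyfile is listed for the image.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from EndeavourOS/Calamares.
# It writes a constructed /etc/crypttab and a constructed dracut drop-in into a
# temp dir, then answers two questions a practitioner asks about this setup:
#   1. for each crypttab entry, will the initramfs unlock it with the keyfile,
#      prompt for a passphrase, or leave it alone (noauto)?
#   2. is the keyfile listed in dracut's install_items, i.e. will it be inside
#      the initramfs where the first (GRUB) unlock makes it readable?
# UUIDs and device names below are placeholders.

# write_sample DIR: create the constructed crypttab and dracut drop-in under DIR.
write_sample() {
    cat > "$1/crypttab" <<'EOF'
# <name>     <device>                     <keyfile>            <options>
luks-root    UUID=ROOT-UUID-PLACEHOLDER   /crypto_keyfile.bin  luks
luks-home    UUID=HOME-UUID-PLACEHOLDER   /crypto_keyfile.bin  luks
luks-data    UUID=DATA-UUID-PLACEHOLDER   none                 luks
usb-backup   /dev/disk/by-label/backup    none                 luks,noauto
EOF
    mkdir -p "$1/dracut.conf.d"
    cat > "$1/dracut.conf.d/calamares-luks.conf" <<'EOF'
# constructed copy of the Calamares drop-in quoted in the thread
install_items+=" /etc/crypttab /crypto_keyfile.bin "
EOF
}

# crypttab_plan FILE: print one line per entry: KEYFILE (unlocked unattended with
# the keyfile), PROMPT (passphrase asked for) or SKIP (noauto, ignored at boot),
# followed by the equivalent cryptsetup command.
crypttab_plan() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r name device keyfile options; do
        case ",$options," in
            *,noauto,*) echo "SKIP    $name"; continue ;;
        esac
        case "$keyfile" in
            ""|none|-) echo "PROMPT  $name  (cryptsetup open $device $name)" ;;
            *)         echo "KEYFILE $name  (cryptsetup open --key-file $keyfile $device $name)" ;;
        esac
    done
}

# keyfile_in_initramfs CONF_DIR KEYFILE: succeed if some *.conf in CONF_DIR adds
# KEYFILE via install_items, so the keyfile will be present in the initramfs.
keyfile_in_initramfs() {
    grep -hs '^[[:space:]]*install_items' "$1"/*.conf | grep -qF -- "$2"
}

# Stand-alone run: build the sample and print the boot-time plan.
DEMO_DIR=$(mktemp -d)
write_sample "$DEMO_DIR"
crypttab_plan "$DEMO_DIR/crypttab"
if keyfile_in_initramfs "$DEMO_DIR/dracut.conf.d" /crypto_keyfile.bin; then
    echo "keyfile is in install_items: KEYFILE entries unlock without a prompt"
else
    echo "keyfile NOT in install_items: every entry would prompt at boot"
fi
rm -rf "$DEMO_DIR"
```

Pointing `crypttab_plan` at the real `/etc/crypttab` and `keyfile_in_initramfs` at `/etc/dracut.conf.d` gives the same two answers for an installed system; a KEYFILE entry whose keyfile is not in `install_items` is the usual reason an extra passphrase prompt appears after the GRUB one.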

Thanks

I see, so the first prompt opens my / and from that it can use /etc/crypttab to decrypt my /home. It seems a bit confusing because both my / and /home partitions were defined in this file.

So all those 8 slots work in an OR condition? Never used in parallel, like getting a key and also asking for a password (I guess if one wants such a feature they can just gpg-encrypt the key file, but I am still curious how I'm supposed to use it correctly and what the design behind it is). Also, can I enter a passphrase for one slot and later feed the passphrase to it as a key?

Yes, basically.

It tries to use the keyfile because that is what is specified in /etc/crypttab but you could also unlock it with a password. Likewise, if you wanted, you could remove the password and it would only be able to be opened with the keyfile.

Yes, that is exactly what is happening in your case. Grub is using the passphrase to unlock your root partition. Then the initramfs unlocks it with the keyfile.

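An added example (my own code, not from the thread) that demonstrates the keyslot behaviour the reply describes: a passphrase in one slot and a keyfile in another are alternatives, either opens the volume on its own, and the passphrase slot can be removed so that only the keyfile works. `active_keyslots` parses `cryptsetup luksDump` output (both the LUKS1 `Key Slot N: ENABLED` and the LUKS2 `Keyslots:` layout) and runs anywhere; `keyslot_demo` does the real operations on a loop-backed image and needs root plus cryptsetup, so it skips itself otherwise. The passphrase, keyfile bytes and dump excerpts are constructed.

```shell
#!/bin/sh
# Added example, not code from the forum thread. active_keyslots() parses the
# output of `cryptsetup luksDump` (LUKS1 and LUKS2 formats); keyslot_demo()
# formats an image with a passphrase (slot 0), adds a random keyfile (slot 1),
# shows that each credential unlocks alone, then kills slot 0 so only the
# keyfile remains. The passphrase, key material and dump excerpts are constructed.

# active_keyslots: read a luksDump on stdin, print the slot numbers that hold a key.
active_keyslots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/          { sub(":", "", $3); print $3 }   # LUKS1
        /^Keyslots:/                         { in_slots = 1; next }
        /^(Tokens|Digests|Data segments):/   { in_slots = 0 }
        in_slots && /^  [0-9]+: /            { sub(":", "", $1); print $1 }   # LUKS2
    '
}

# Constructed excerpts in the shape luksDump prints (trimmed to the relevant lines).
sample_luks2_dump() {
    cat <<'EOF'
LUKS header information
Version:       	2
Data segments:
  0: crypt
	cipher: aes-xts-plain64
Keyslots:
  0: luks2
	Key:        512 bits
	Priority:   normal
  1: luks2
	Key:        512 bits
	Priority:   normal
Tokens:
Digests:
  0: pbkdf2
	Hash:       sha256
EOF
}
sample_luks1_dump() {
    cat <<'EOF'
LUKS header information for /dev/placeholder
Version:       	1
Key Slot 0: ENABLED
	Iterations:         	1000000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: ENABLED
	Iterations:         	1000000
EOF
}

# keyslot_demo: real cryptsetup operations on a 32 MiB image. Returns 2 when it
# cannot run (needs root and cryptsetup), 1 if the passphrase still works after
# its slot was killed.
keyslot_demo() {
    if [ "$(id -u)" -ne 0 ] || ! command -v cryptsetup >/dev/null 2>&1; then
        echo "keyslot_demo: needs root and cryptsetup, skipping" >&2
        return 2
    fi
    work=$(mktemp -d); img="$work/luks.img"; key="$work/crypto_keyfile.bin"
    pass='constructed-demo-passphrase'
    truncate -s 32M "$img"
    # slot 0: the passphrase, fed on stdin (--key-file - reads stdin)
    printf '%s' "$pass" | cryptsetup luksFormat -q --type luks2 --key-file - "$img"
    # slot 1: a random keyfile, authorised by the existing passphrase
    dd if=/dev/urandom of="$key" bs=512 count=4 status=none && chmod 600 "$key"
    printf '%s' "$pass" | cryptsetup luksAddKey --key-file - "$img" "$key"
    echo "slots after luksAddKey: $(cryptsetup luksDump "$img" | active_keyslots | xargs)"
    # --test-passphrase checks a credential without creating a /dev/mapper device
    cryptsetup open --test-passphrase --key-file "$key" "$img" && echo "keyfile alone unlocks"
    printf '%s' "$pass" | cryptsetup open --test-passphrase --key-file - "$img" && echo "passphrase alone unlocks"
    # remove the passphrase slot; the keyfile authorises the change
    cryptsetup luksKillSlot --key-file "$key" "$img" 0
    echo "slots after luksKillSlot 0: $(cryptsetup luksDump "$img" | active_keyslots | xargs)"
    if printf '%s' "$pass" | cryptsetup open --test-passphrase --key-file - "$img" 2>/dev/null; then
        echo "unexpected: passphrase still unlocks" >&2; rm -rf "$work"; return 1
    fi
    echo "passphrase no longer unlocks; keyfile is the only credential"
    rm -rf "$work"
}

# Stand-alone run: show the parser on the constructed dumps, then try the demo.
echo "LUKS2 sample active slots: $(sample_luks2_dump | active_keyslots | xargs)"   # 0 1
echo "LUKS1 sample active slots: $(sample_luks1_dump | active_keyslots | xargs)"   # 0 3
keyslot_demo || true
```

Running `cryptsetup luksDump /dev/yourdevice | active_keyslots` on a real volume is the quick way to confirm which slots are still populated after adding or removing a credential; with the installer's layout you expect two slots (passphrase and keyfile) and, if you ever drop the passphrase as the reply suggests, one.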

Is there a way to define a service to decrypt and mount an external hard drive on a USB connection? Seems like both crypttab and fstab work automatically only on boot.