How does Endeavour decrypt two encrypted partitions at the same time?

During installation, if I created home and root partition and encrypted it with the same password, how does EndeavourOS know that it should decyrpt both of these two partitions at the same time?

When I tried doing that with Manjaro XFCE, Manjaro asked twice to decrypt both the root and home partition. What does EndeavourOS do differently?

:innocent: Maybe the question is what is Manjaro doing different?

2 Likes

I probably shouldn’t answer this as I don’t know this for fact, but rather a determination on my part after some research. Somewhat of an assumption.

The encrytion creates two keys, public and private. When you enter the password for the root directory you enter the public key password to allow it’s decryption. Then you can optionally have the public key for the home directory stored in an encrypted form on the root directory. Which will then pass the home directories public key for decrypting the home directory. Therefore you only enter one password.

If you don’t do this and require password entry for both partitions, then if one key gets broken or hacked, you still have the password protecting the second partition. Of course, if both passwords are the same, you just lost that advantage.

If you have the root directory pass the public key for decrypting the home directory, every thing is relying on the strength of the root directory password. So make it a good one.

Just playing around while testing a previous ISO I set up encryption for the root, home, and a partition on a separate SSD and gave all three partitions different passwords. When I logged in, I only entered the root encryption password.

As to what EndeavourOS does differently than Manjaro? That just seems to be the way that the Calamares devs decided to handle encryption during installs. If a person doesn’t prefer that method, they can wait until after install and manually encrypt their partitions.

Since he asked, I hear by assign unix_lover to do some research and either prove or disprove this assumption.

Pudge

3 Likes

Wait you can actually manually encrypt the root and partition, how is that possible, wouldn’t that require reformatting the partition?

I just came up with a random user name lol.

Short Answer: It all depends on what actually is encrypted. E. g. if your boot partition itself is encrypted then grub2 in this early stage uses your password only to access and start loading the kernel. All unlocking after this stage doesn’t use your password(s) but refers to keyfile(s) that was/were added at the time the system was set up. Think of it as automatic “chain-unlocking”.

You can check by running:
sudo cryptsetup luksDump /dev/sdXn
on a partition set up this way. The LUKS header will contain at least two keys (slot0 is usually your password, slot1 the keyfile).

The file /etc/crypttab contains the information regarding what partitions should be unlocked and which keyfiles to use. You could add a separate home and a backup or data partition here, which would then be unlocked one after the other during boot.

Refer to ArchWiki for further information.

4 Likes

Thank you! You have obviously read the article I couldn’t find again. Without re-reading the article, I could not remember the terminology with the slots. If I remember correctly, I believe there are 8 slots available?

Pudge

Correct, slot 0 to slot 7.

1 Like