I have LUKS encrypted root and swap partitions. Each time on boot, I’m prompted to enter passwords for each of the partitions. My question is, how can I skip entering password for swap? I tried to mess around with /etc/crypttab but to avail.
Looking at your output it shows that your root and your swap partition are both on separate partitions/partitions, so I don’t think that would be possible since they are separated luks devices using their own encryption keys(but I’m no encryption expert). So the easier option probably would be not use a swap partition but a swap file or zram or zswap, then you could remove the swap partition. If you do decide to do that it’s also useful to know it’s not possible to shrink/grow an encrypted partition with gparted, I have tried, because being it’s a locked partition and can’t move around the blocks that way.
I almost forgot, another option would be to recreate your current swap partition but without using encryption. I’m not sure how much added security an encrypted swap adds to your system.
So in short you have two options:
Use a swap file, zram or zwap instead of your current encrypted swap partition.
Recreate your swap partition but as an unencrypted swap partition.
I do believe its possible to unlock the swap partition according to this anwer, by using a keyfile accessible after unlocking the root partition. I did try to do some different things, however they simply did not work as they probably are some details im not too familiar with.
With regards to your first proposed option, i agree, i should have been using a swapfile from the start. However, i do not have too much experience with changing partition sizes etc.
With regards to your second proposed option, that would basically invalidate disk encryption if im doing hibernation (in some cases).
I didn’t know that, thanks for sharing! Like I said I’m no encryption expert, I just use it. But looking at the answer of that person it looks like they used a keyscript(decrypt_keyctl) in their /etc/crypttab file which caches the first password so that the second time you get a passphrase it passes it to for the next passphrase prompt or something like that. But I checked both the Ach repos and the AUR and that script is not available for Arch.
Yeah it would would. Then it will probably be best to go for option 1 and disable your current encrypted swap option from your fstab. To then use a swap file, zram or zswap.
I believe the second part of the answer addresses distributions that isn’t shipped with that script. In that case, the keyfile is identified after the root directory has been mounted. However, this is what i suspect the my problem to be: the volume not being mounted after entering LUKS password for the root partition… not sure.
To expand on this: I do think the EndeavorOS is meant to use this feature. After installing the OS, and selecting the option that I did want a swap partition, the swap partition has a keyslot in addition to the passphrase which is the file /crypto_keyfile.bin, located in /. In addition, /etc/crypttab looks like this:
It looks like in the second part they generated a key for the second partition and then added that key to the luksdevice of that partition. Then to finally add that partition to /etc/crypttab and the location where that key is store. So that when you unlock the root partition with the passphrase for the root partition the crypttab can then find the location of the key and then unlock the second partition, I think that key should then have no passphrase on it as well.
The second part shows how to do it for non Debian/Ubuntu distributions. Where it’s possible to create a key on your root filesystem. Add that key to your luks device and then point to the location of that key your crypttab, so that when you enter the passhprase for your root filesystem, it will then have access to unlock your second partition using that key defined for that luksdevice in your crypttab.
I will have to setup an EndeavourOS with with your partition setup to try it out to see what happens. But the easier option would probably to go with first option. It will take a bit for me to install vm with your setup.
It looks like no matter what I do the swap partition always gets decrypted first, even though it’s the second option in the crypttab. So probably the same reason why it didn’t work for you, not sure if there is a way to force the order of decryption for the devices in crypttab. Although that stackexchange answer you linked to said devices in crypttab are decryped in the the order that are listed.