Luks and slot2

hi folks,

I decided to use the installation with LUKS encryption of btrfs and a swapfile on an EFI system. Nice is that /boot is also encrypted; there is no boot partition. I noticed that the header of the encrypted partition defines two key slots, in fact 0 and 1. Why does LUKS use 2 slots? I have only 1 encrypted partition with 1 password. So when I kill the 2nd slot I have to put my password in 2 times while booting. Why? Could someone explain?

One slot is for the password, the second slot is for the keyfile which is normally stored in '/'. If the keyfile is missing you have to give the password a second time.

Which keyfile? For what? I only define a password.

Please check if you have a file like /crypto_keyfile.bin
I believe this is created automatically to prevent multiple password queries.
And I also believe that it is part of your initramfs.

https://wiki.archlinux.org/title/dm-crypt/Device_encryption

The file exists, but I don't understand the procedure. Why does LUKS build 2 steps to decrypt the partition? I get that grub uses the password to decrypt a keyfile which is longer and is used as the decryption key. But what is the second slot for?

Grub unlocks the partition so it can read the kernel and boot images. However, grub is separate from the rest of the boot process and so the operating system then needs to unlock the root when it starts to load. Without the keyfile, you would get asked for your password twice.

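A simplified model of the two-slot layout the reply above describes, added here as an example and not code from this thread or from cryptsetup: both slots wrap the same master key, the passphrase slot is what grub uses, the keyfile slot is what the initramfs uses, and killing slot 1 leaves only the passphrase path, which is why the prompt comes twice. The slot numbers, the passphrase and the keyfile bytes are constructed, and the key wrapping is a stand-in (PBKDF2 plus a SHAKE keystream) for what LUKS really does.

```python
import os
import hmac
import hashlib

# Illustrative model only: real LUKS uses AES, anti-forensic splitting and
# Argon2/PBKDF2 in its header; the slot concept is the same.
ITERATIONS = 100_000  # assumed value, not taken from a real header

def _kek(secret: bytes, salt: bytes) -> bytes:
    """Derive a key-encryption key from a slot secret (passphrase or keyfile)."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=32)

def _wrap(kek: bytes, data: bytes) -> bytes:
    """XOR with a KEK-derived keystream; applying it twice unwraps again."""
    stream = hashlib.shake_256(kek).digest(len(data))
    return bytes(a ^ b for a, b in zip(stream, data))

class LuksModel:
    def __init__(self, master: bytes):
        self.digest_salt = os.urandom(16)
        self.mk_digest = _kek(master, self.digest_salt)  # like the LUKS mk-digest
        self.slots = {}  # slot number -> (salt, wrapped master key)

    def add_slot(self, n: int, secret: bytes, master: bytes) -> None:
        salt = os.urandom(16)
        self.slots[n] = (salt, _wrap(_kek(secret, salt), master))

    def kill_slot(self, n: int) -> None:
        del self.slots[n]  # what 'cryptsetup luksKillSlot' does to a slot

    def unlock(self, secret: bytes):
        """Try every active slot; return the master key or None if none matches."""
        for salt, wrapped in self.slots.values():
            candidate = _wrap(_kek(secret, salt), wrapped)
            if hmac.compare_digest(_kek(candidate, self.digest_salt), self.mk_digest):
                return candidate
        return None

def demo():
    master = os.urandom(32)
    passphrase = b"correct horse battery staple"  # constructed passphrase
    keyfile = os.urandom(64)                      # stands in for /crypto_keyfile.bin
    hdr = LuksModel(master)
    hdr.add_slot(0, passphrase, master)  # slot 0: what grub asks for
    hdr.add_slot(1, keyfile, master)     # slot 1: what the initramfs feeds in
    both_work = hdr.unlock(passphrase) == master and hdr.unlock(keyfile) == master
    hdr.kill_slot(1)  # remove the keyfile slot, as the original poster did
    # Keyfile now fails, so the initramfs falls back to prompting for the passphrase.
    return both_work, (hdr.unlock(passphrase) == master, hdr.unlock(keyfile))
```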

I get it a little bit more. The OS also needs a key to decrypt and encrypt. Is this key the keyfile under root "/" or in the initramfs? In both cases, why does the OS need slot 1?

I myself found a Fedora post on full disk encryption where the procedure is explained well.
https://sysguides.com/install-fedora-37-with-luks-full-disk-encryption/
Slot 1 defines that the partition is decryptable with a keyfile which is encrypted through slot 0. So I myself think it is safe to use this constellation.

It is in both places when you use grub.

That is a bit different than how it works here since Fedora ships with a separate unencrypted /boot.

No, they show how to encrypt /boot, too.

We don’t have a separate /boot that needs to be encrypted so it is a bit different.

But the constellation is the same. You have no 2 slots, but there is the same challenge to decrypt root.
