#1 2017-03-17 18:47:03

emacsomancer
Member
Registered: 2014-09-20
Posts: 211

unlocking multiple partitions at boot with 1 passphrase?

I have an encrypted /home and an encrypted backup drive, but / is not encrypted. I can unencrypt and mount /home at boot using /etc/crypttab, so that's no problem, but I end up having to mount the encrypted backup drive after logging in through the display manager. I would like to unlock the backup drive at boot by making reference to a key stored on /home. The difficulty is, of course, that because it's encrypted, /home isn't actually mounted yet. Is there a way round this without resorting to an encrypted /?

I'm particularly interested because I want to switch my /home today to a zfs zpool of 3 drives with encryption, so I don't want to have to type in 3 passwords at boot, but just one and have the others unlock using keyfiles.

I've read through the wiki, but I'm not seeing a straightforward way of doing this.  Pointers?

#2 2017-03-17 19:56:54

loqs
Member
Registered: 2014-03-06
Posts: 17,369

Re: unlocking multiple partitions at boot with 1 passphrase?

https://github.com/systemd/systemd/blob/master/NEWS from release 227

* The "ask-password" framework used to query for LUKS harddisk passwords or SSL passwords during boot gained support for caching passwords in the kernel keyring, if it is available. This makes sure that the user only has to type in a passphrase once if there are multiple objects to unlock with the same one. Previously, such password caching was available only when Plymouth was used; this moves the caching logic into the systemd codebase itself. The "systemd-ask-password" utility gained a new --keyname= switch to control which kernel keyring key to use for caching a password in. This functionality is also useful for enabling display managers such as gdm to automatically unlock the user's GNOME keyring if its passphrase, the user's password and the harddisk password are the same, if gdm-autologin is used.

Looking at the source https://github.com/systemd/systemd/blob … -api.c#L63, it should keep the password cached in the kernel keyring for 2.5 minutes.
So you should only have to type the password once for two encrypted volumes.

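As an added example (not code from either post), here is a small POSIX shell/awk classifier for the crypttab layout the thread is about. It shows which volumes will prompt for a passphrase at boot (the ones systemd's kernel-keyring cache can satisfy with a single prompt when they share a passphrase) and which depend on a keyfile sitting on another encrypted volume, the chicken-and-egg case in the first post. The crypttab content, UUIDs and paths are constructed sample data; the `/home` mountpoint list is an assumed input.

```shell
#!/bin/sh
# Added example, not from the thread. crypttab(5) fields are
#   <name> <device> <keyfile> <options>
# An empty field, "none" or "-" in <keyfile> means "ask for a passphrase".

# Constructed sample modelled on the poster's setup; UUIDs are placeholders.
SAMPLE_CRYPTTAB='# <name>  <device>                                  <keyfile>             <options>
home      UUID=11111111-1111-1111-1111-111111111111 none                  luks
backup    UUID=22222222-2222-2222-2222-222222222222 /home/keys/backup.key luks
pool1     UUID=33333333-3333-3333-3333-333333333333 -                     luks
scratch   UUID=44444444-4444-4444-4444-444444444444 none                  luks,noauto'

# classify_crypttab MOUNTPOINTS
#   MOUNTPOINTS: space-separated mountpoints that themselves live on an
#   encrypted volume (assumed input, e.g. "/home"). Reads crypttab text on
#   stdin and prints one line per volume:
#     "<name> prompt"                              asks for a passphrase at boot
#     "<name> keyfile"                             unlocked from a keyfile
#     "<name> keyfile-on-encrypted <mountpoint>"   keyfile needs another volume first
#     "<name> noauto"                              not unlocked at boot at all
classify_crypttab() {
    awk -v mounts="$1" '
        BEGIN { n = split(mounts, m, " ") }
        /^[[:space:]]*(#|$)/ { next }                  # skip comments and blank lines
        {
            name = $1; key = $3; opts = $4
            if (opts ~ /(^|,)noauto(,|$)/) { print name, "noauto"; next }
            if (key == "" || key == "none" || key == "-") { print name, "prompt"; next }
            for (i = 1; i <= n; i++)
                if (index(key, m[i] "/") == 1) { print name, "keyfile-on-encrypted", m[i]; next }
            print name, "keyfile"
        }'
}

# prompt_count MOUNTPOINTS: number of volumes that will ask for a passphrase.
# With the keyring cache (systemd >= 227) and one shared passphrase this is one
# interactive prompt; without the cache it is one prompt per listed volume.
prompt_count() {
    classify_crypttab "$1" | awk '$2 == "prompt"' | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_CRYPTTAB" | classify_crypttab "/home"
```

On a real system feed it `/etc/crypttab` instead of the sample and list every mountpoint that is backed by an entry in that file.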