
#1 Yesterday 20:16:48

anacron
Member
Registered: 2020-01-26
Posts: 37

Open multiple (RAID 1) GRUB cryptodisks with a single password

I have a new fully LUKS encrypted (including /boot) system using BTRFS RAID 1.

Currently, GRUB asks for a password twice: once for each disk. I want it to cache the password, so I only have to enter it once (both disks use the same password).

Note: I'm not talking about the decryption step done by the initial ramdisk---which is what all my search results talk about. I have that working correctly with a keyfile for each disk (I used to have to enter the same password four times lol).

The workflow currently looks like this:

Enter passphrase for hd6,gpt2 (8be693c7-c649-4e16-8559-b8c775153a0b):
Slot "0" opened
Enter passphrase for hd5,gpt2 (2793e446-6be1-422b-a308-825064834ff7):
Slot "0" opened

<Black Screen>

GNU GRUB version 2.12.r292
*Arch Linux
Advanced options for Arch Linux

<Black Screen>

Booting 'Arch Linux'
Loading Linux linux-lts ...
Loading initial ramdisk ...

<Black Screen>

Arch Linux 6.12.34-1-lts (tty1)

mycomputer login: 

I didn't find anything relevant in the wiki. I suspect I will need to edit the /boot/grub/grub.cfg file directly.

Last edited by anacron (Yesterday 20:21:23)


#2 Yesterday 20:26:37

frostschutz
Member
Registered: 2013-11-15
Posts: 1,550

Re: Open multiple (RAID 1) GRUB cryptodisks with a single password

Grub does not cache passphrases. You'd have to patch Grub. Alternatively you'd have to provide a keyfile, and somehow make Grub use it.

If this is early Grub (GRUB_ENABLE_CRYPTODISK), i.e. encrypted /boot and encrypted grub.cfg, then you'd have to modify the early grub.cfg (load.cfg), which grub-install does not support. Modifying the encrypted grub.cfg would not help as it's only loaded after the cryptodisk step.

Here's a rough direction of how it could go: https://unix.stackexchange.com/a/782975/30851

You could use some encrypted sector of disk A as keyfile for disk B or perhaps use Grub's (proc)/luks_script as keyfile after opening the first device (similar to decrypt_derived idea from Ubuntu).

There might be better methods.

Last edited by frostschutz (Yesterday 20:54:53)

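One concrete shape the "key file on disk A" direction could take, as an added example that is not from the thread or from GRUB's own generated files: a hand-written early load.cfg for this two-disk layout. It assumes GRUB 2.12's cryptomount -k option, a btrfs @ subvolume holding /boot, and the key file name disk-b.key; the UUIDs are the ones from the prompts in the first post.

```grub
# Early-stage load.cfg, embedded into core.img with grub-mkimage -c load.cfg
# (grub-install will not write this for you, so the image is rebuilt by hand).
# UUIDs are the two LUKS containers from the prompts above, written without
# dashes as GRUB expects them.

# 1. Open disk A interactively: this is the single passphrase prompt.
cryptomount -u 8be693c7c6494e168559b8c775153a0b

# 2. Open disk B with a key file that lives inside disk A's encrypted volume.
#    Assumed one-time setup done from the running system (not from GRUB):
#      dd if=/dev/urandom of=/boot/grub/disk-b.key bs=64 count=1
#      chmod 0600 /boot/grub/disk-b.key
#      cryptsetup luksAddKey /dev/disk/by-uuid/2793e446-6be1-422b-a308-825064834ff7 /boot/grub/disk-b.key
#    (crypto0) is the name GRUB gives the first container opened above; the
#    "/@" prefix assumes a btrfs layout with /boot under the @ subvolume.
#    Reading it needs only disk A: RAID 1 mirrors every block, and GRUB's
#    btrfs driver falls back to the available mirror when one member is absent.
cryptomount -u 2793e4466be1422ba308825064834ff7 -k (crypto0)/@/boot/grub/disk-b.key

# 3. Continue exactly as a grub-install-generated load.cfg would.
set root='cryptouuid/8be693c7c6494e168559b8c775153a0b'
set prefix=($root)'/@/boot/grub'
```

Disk B's confidentiality now rests entirely on disk A's passphrase, and the key slot added with luksAddKey should be removed (cryptsetup luksRemoveKey) if the file is ever copied out of the encrypted volume.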

#3 Yesterday 20:58:43

anacron
Member
Registered: 2020-01-26
Posts: 37

Re: Open multiple (RAID 1) GRUB cryptodisks with a single password

frostschutz wrote:

If this is early Grub (GRUB_ENABLE_CRYPTODISK) i.e. encrypted /boot encrypted grub.cfg.

It is.

frostschutz wrote:

You'd have to patch Grub.

Drat. Sounds like more trouble than it's worth. I'll only be rebooting this NAS once a week or so.

Still, good to know. Thank you!


#4 Yesterday 21:42:11

WorMzy
Administrator
From: Scotland
Registered: 2010-06-16
Posts: 12,848

Re: Open multiple (RAID 1) GRUB cryptodisks with a single password

Mod note: Not an Installation Issue, moving to System Administration.
