So first a little background. I just freshly installed Arch on my laptop. I followed the Installation Guide and the dm-crypt guide for installing a fully encrypted system (including boot).
Here is the general idea of the partitions:
+---------------+----------------+-----------------+-----------------+-----------------+
|ESP partition: |Boot partition: |Volume 1:        |Volume 2:        |Volume 3:        |
|               |                |                 |                 |                 |
|/boot/efi      |/boot           |root             |swap             |home             |
|               |                |                 |                 |                 |
|               |                |/dev/mapper/root |/dev/mapper/swap |/dev/mapper/home |
|/dev/sda1      |/dev/sda2       +-----------------+-----------------+-----------------+
|unencrypted    |LUKS encrypted  |/dev/sda3 encrypted using LVM on LUKS                |
+---------------+----------------+-----------------------------------------------------+
Here is my actual partition scheme:
NAME            TYPE  MOUNTPOINT
sda             disk
|-sda1          part  /boot/efi
|-sda2          part
| `-cryptboot   crypt /boot
`-sda3          part
  `-lvm         crypt
    |-Vol-root  lvm   /
    |-Vol-swap  lvm   [SWAP]
    `-Vol-home  lvm   /home
After following the two guides above, I finish the install and boot my system.
First, GRUB asks me for my password (good).
Arch begins to boot and loads fine.
This then prompts me to enter my password for /dev/sda3 (encrypted root partition, also good). I will remove the need for entering this password by creating a keyfile and embedding it in the initramfs.
This is where the problem lies. The system should then allow me to log in, however it prompts me for yet another password...
Please enter passphrase for disk boot (cryptboot)!
Entering this password (same as password that is entered into grub), I am finally able to log in.
I know I shouldn't have to enter my password 3 times on boot just to be able to log in. I have had this setup working previously but I didn't think to save the configs.
This is what I put into crypttab (following the wiki)
cryptboot /dev/sda2 none luks
If I comment out this line, the system doesn't boot with lots of errors about dependencies missing (the partitions) (I can post these errors if requested).
I was under the assumption that the password I enter into GRUB unlocks the /boot partition however I might be mistaken.
In case the grub config is needed, the only two lines I edited in /etc/default/grub are:
GRUB_CMDLINE_LINUX="cryptdevice=UUID=<UUID-of-/dev/sda3>:lvm root=/dev/mapper/Vol-root"
GRUB_ENABLE_CRYPTODISK=y
From there I ran
# grub-mkconfig -o /boot/grub/grub.cfg
# grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --recheck
I also didn't touch /boot/grub/grub.cfg.
Essentially, my question is: How do I remove the need to enter this third password?
Let me know if you need more information. Thanks for the help as always, guys.
EDIT: On poweroff or reboot, I get
[FAILED] Stopped (with error) /dev/mapper/cryptboot
Upon further inspection I am not able to find anything leading to why it stopped with error. Might be a separate issue?
Last edited by Zorbik (2016-11-15 17:49:01)
Zorbik wrote:I was under the assumption that the password I enter into GRUB unlocks the /boot partition however I might be mistaken.
It unlocks it for GRUB. When you're asked again, that's for your running system.
Please also share your fstab.
aur S & M :: forum rules :: Community Ethos
Resources for Women, POC, LGBT*, and allies
fsckd wrote:Please also share your fstab.
#
# /etc/fstab: static file system information
#
# <file system> <dir> <type> <options> <dump> <pass>
# /dev/mapper/Vol-root
UUID=039299be-cb4e-408e-a42a-bcc47c3f265c / ext4 rw,relatime,data=ordered 0 1
# /dev/mapper/Vol-home
UUID=7dfc531c-7fad-4e72-a28d-aea2da7ddb03 /home ext4 rw,relatime,data=ordered 0 2
# /dev/mapper/cryptboot
UUID=0a5974d5-b73b-4d23-b1a4-9fbf2c1daf1e /boot ext2 rw,relatime,block_validity,barrier,user_xattr,acl,stripe=4 0 2
# /dev/sda1
UUID=7DAF-0960 /boot/efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 2
# /dev/mapper/Vol-swap
UUID=bd0bb73d-8eae-4173-89b6-2655d9676c4a none swap defaults,discard 0 0
There you go. It is mounting /boot which is why you are asked for a password again.
fsckd wrote:There you go. It is mounting /boot which is why you are asked for a password again.
Isn't that what it should be doing though? The password that I enter into GRUB should be unlocking the boot partition so that I can boot into the system.
/boot is where the kernel images are, so seeing that my system is booting I assume that /boot is being unlocked by grub. Why would it relock itself requiring me to enter the password again?
Am I understanding this correctly?
fsckd wrote:There you go. It is mounting /boot which is why you are asked for a password again.
Isn't that what it should be doing though? The password that I enter into GRUB should be unlocking the boot partition so that I can boot into the system.
/boot is where the kernel images are, so seeing that my system is booting I assume that /boot is being unlocked by grub. Why would it relock itself requiring me to enter the password again?
Am I understanding this correctly?
Sorry I wasn't clear. It isn't unlocking like opening a safe or locked room. The password is needed to access the key to decrypt the luks container. GRUB is not going to pass that along as it could be a serious security issue. Remember, in Linux the decision to access the filesystem and the request for the password are made by userspace tools. AFAIK, there is no secure method for GRUB to transfer the credentials to the right userspace program.
fsckd wrote:Sorry I wasn't clear. It isn't unlocking like opening a safe or locked room. The password is needed to access the key to decrypt the luks container. GRUB is not going to pass that along as it could be a serious security issue. Remember, in Linux the decision to access the filesystem and the request for the password are made by userspace tools. AFAIK, there is no secure method for GRUB to transfer the credentials to the right userspace program.
I'm confused because in the wiki it says:
(i.e. you have to enter it twice at boot: once for GRUB and once for systemd init)
This also worked in my last setup. I don't know what could have changed since then (it was only a couple months ago)
I used to only need to enter 2 passwords (one of which I eliminated the need for by using a keyfile) and everything worked perfectly.
This is the first time I have ever been prompted for a password after unlocking /root and before logging in.
fsckd wrote:Sorry I wasn't clear. It isn't unlocking like opening a safe or locked room. The password is needed to access the key to decrypt the luks container. GRUB is not going to pass that along as it could be a serious security issue. Remember, in Linux the decision to access the filesystem and the request for the password are made by userspace tools. AFAIK, there is no secure method for GRUB to transfer the credentials to the right userspace program.
I'm confused because in the wiki it says:
(i.e. you have to enter it twice at boot: once for GRUB and once for systemd init)
Reread what you quoted.
This also worked in my last setup. I don't know what could have changed since then (it was only a couple months ago)
I used to only need to enter 2 passwords (one of which I eliminated the need for by using a keyfile) and everything worked perfectly.
This is the first time I have ever been prompted for a password after unlocking /root and before logging in.
I don't know how you set up your last system and so I cannot comment on it. If you want to avoid entering the password twice, use a keyfile or use a smart card like Yubikey.
Simply, the wiki is wrong: the mentioned setup asks for 2 passwords only if boot is a logical volume itself.
So what's the point in asking for 3 passwords with a setup that is completely useless and excessively complicated for the results?
p.s. one method to avoid the second password is mentioned in this blog post:
Simply, the wiki is wrong: the mentioned setup asks for 2 passwords only if boot is a logical volume itself.
So what's the point in asking for 3 passwords with a setup that is completely useless and excessively complicated for the results?
p.s. one method to avoid the second password is mentioned in this blog post:
Where is the /boot partition in that blog post? Is it just /dev/sda1 even though that's where the lvm is?
Otherwise, my setup is very similar. Same commands to set up the lvm on luks and to create the keyfile used to unlock the lvm.
Maybe I'll consider reinstalling to see if the problem comes up again or if I had just messed up a command somewhere in the installation.
This is my working 1-password setup, let me know if it fits your needs.
lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sr0 11:0 1 56,5M 0 rom
sda 8:0 0 8G 0 disk
├─sda2 8:2 0 200M 0 part
│ └─cryptboot 254:3 0 198M 0 crypt /boot
├─sda3 8:3 0 7,7G 0 part
│ └─lvm 254:0 0 7,7G 0 crypt
│ ├─arch-swap 254:1 0 1G 0 lvm
│ └─arch-root 254:2 0 6,7G 0 lvm /
└─sda1 8:1 0 100M 0 part /boot/efi
## THIS IS IMPORTANT TO AVOID PASSWORD #1 AND #2
/bootkeyfile.bin added to the sda2 LUKS header with the luksAddKey method from the blog post
/crypto_keyfile.bin added to the sda3 LUKS header with the luksAddKey method from the blog post
/etc/mkinitcpio.conf (I'm not sure if bootkeyfile.bin is useful there, crypto_keyfile.bin certainly is)
# FILES
FILES="/crypto_keyfile.bin /bootkeyfile.bin"
# HOOKS
HOOKS="base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck"
/etc/crypttab
cryptboot /dev/sda2 /bootkeyfile.bin
/etc/fstab
# /dev/mapper/arch-root
UUID=fd91ba11-52b8-4841-87c1-6c812e76885e / ext4 rw,relatime,data=ordered 0 1
# /dev/mapper/cryptboot
UUID=d93dbcea-8129-4ee4-8aba-0f95e477a23f /boot ext2 defaults 0 1
# /dev/sda1
UUID=28E5-ABB5 /boot/efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 2
This setup asks for a password only one time (the password for sda2).
My problem is only cosmetic:
1) I want better GRUB crypto-unlock graphics
2) The first unlock is a bit slower, and the password must be correct or it fails to grub rescue
Last edited by mleone87 (2016-11-15 17:21:56)
I guess creating another keyfile was all I needed to do. Thank you for helping me see through my stupidity.
Problem is solved, marking thread
Solution to the issue: create 2 keyfiles, one for lvm and one for cryptboot. This only requires 1 password at boot.