I have an encrypted /home and an encrypted backup drive, but / is not encrypted. I can unencrypt and mount /home at boot using /etc/crypttab, so that's no problem, but I end up having to mount the encrypted backup drive after logging in through the display manager. I would like to unlock the backup drive at boot by making reference to a key stored on /home. The difficulty is, of course, that because it's encrypted, /home isn't actually mounted yet. Is there a way round this without resorting to an encrypted / ?
I'm particularly interested because I want to switch my /home today to a zfs zpool of 3 drives with encryption, so I don't want to have to type in 3 passwords at boot, but just one and have the others unlock using keyfiles.
I've read through the wiki, but I'm not seeing a straightforward way of doing this. Pointers?
https://github.com/systemd/systemd/blob/master/NEWS from release 227
* The "ask-password" framework used to query for LUKS harddisk
passwords or SSL passwords during boot gained support for
caching passwords in the kernel keyring, if it is
available. This makes sure that the user only has to type in
a passphrase once if there are multiple objects to unlock
with the same one. Previously, such password caching was
available only when Plymouth was used; this moves the
caching logic into the systemd codebase itself. The
"systemd-ask-password" utility gained a new --keyname=
switch to control which kernel keyring key to use for
caching a password in. This functionality is also useful for
enabling display managers such as gdm to automatically
unlock the user's GNOME keyring if its passphrase, the
user's password and the harddisk password are the same, if
gdm-autologin is used.
Looking at the source https://github.com/systemd/systemd/blob … -api.c#L63, it should keep the password cached in the kernel keyring for 2.5 minutes.
So you should only have to type the password once for two encrypted volumes.
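As an added illustration of the approach described in the reply (this is not from the thread, and the UUIDs are placeholders), here is what /etc/crypttab looks like when both volumes are protected by the same passphrase. Both entries use `none` as the key field, so systemd-cryptsetup prompts interactively for the first volume and then tries the passphrase cached in the kernel keyring before prompting for the second:

```text
# /etc/crypttab  (added example, not from the thread; UUIDs are placeholders)
# <name>   <device>                                    <key>  <options>
home       UUID=11111111-1111-1111-1111-111111111111   none   luks
backup     UUID=22222222-2222-2222-2222-222222222222   none   luks
```

Two practical notes: if the passphrases differ, the cached one simply fails on the second volume and you are prompted again, so nothing breaks, you just lose the single-prompt convenience; and because the passphrase lives only in the kernel keyring for the caching window the reply mentions (2.5 minutes), nothing secret is written to the unencrypted root filesystem, which is the property you lose if you instead drop a plaintext keyfile somewhere outside /home to work around the ordering problem.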