You are not logged in.
During system boot, I have to enter the encryption password multiple times. However, after the first correct decryption, I can keep pressing enter without entering the correct password and the system boots just fine.
Setup:
I have a setup with encrypted root partition using btrfs subvolumes. My partion layout is:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
nvme0n1 259:0 0 477G 0 disk
├─nvme0n1p1 259:1 0 550M 0 part /efi
├─nvme0n1p2 259:2 0 8G 0 part
│ └─swap 254:1 0 8G 0 crypt [SWAP]
├─nvme0n1p3 259:3 0 466.4G 0 part
│ └─root 254:0 0 466.4G 0 crypt /home
└─nvme0n1p4 259:4 0 2G 0 part /bootMy fstab reads as follows:
# Static information about the filesystems.
# See fstab(5) for details.
# <file system> <dir> <type> <options> <dump> <pass>
# /dev/mapper/root LABEL=bvol
UUID=39f14b5e-84c0-4ec0-871b-0ed0910977b1 / btrfs rw,relatime,compress=lzo,ssd,space_cache,subvolid=257,subvol=/@,subvol=@ 0 0
# /dev/mapper/root LABEL=bvol
UUID=39f14b5e-84c0-4ec0-871b-0ed0910977b1 /home btrfs rw,relatime,compress=lzo,ssd,space_cache,subvolid=259,subvol=/@home,subvol=@home0 0
# /dev/mapper/root LABEL=bvol
UUID=39f14b5e-84c0-4ec0-871b-0ed0910977b1 /.snapshots btrfs rw,relatime,compress=lzo,ssd,space_cache,subvolid=258,subvol=/@snapshots,subvol=@snapshots 0 0
# /dev/nvme0n1p1
UUID=E9F1-73D7 /efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 2
# /dev/nvme0n1p4
UUID=278554c0-9a4e-4eac-90a4-c9f6de1a72d4 /boot btrfs rw,relatime,ssd,space_cache 0 0
# swap
/dev/mapper/swap none swap defaults,discard 0 0Its basically the snappers setup.
the swap is encrypted as well with:
swap /dev/nvme0n1p2 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256but I think this doesn't matter.
The problem exists, since I started using yubikey-full-disk-encryption as an alternative way of decrypting the root partition. Before, using only traditional password with encrypt hook in initramfs, this wasn't the case. I think this is, because the subvolumes are mounted with fstab and encrypt doesn't really understand, that the subvolumes are actually all on the same partition and encrypted only ones. However I don't know why it was working in the first place. I would assume ykfde makes no difference here.
The wiki suggests using a keyfile
but that would mean that I would need to have an encrypted boot partition as well or else the crypt key is part of the initframfs. Do I understand this correctly?
If this is true, then the whole exercise is pointless anyways, as I want to use yubikey for description, what is not supported by grub AFAIK. Further grub decryption is insainly slow and I would like to avoid it. Is there any other way, I can make this boot nicely only asking for the password once?
For the sake of completeness this is my mkinitcpio.conf:
# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run. Advanced users may wish to specify all system modules
# in this array. For instance:
# MODULES=(piix ide_disk reiserfs)
MODULES=(i915)
# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image. This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=(/usr/bin/btrfs)
# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way. This is useful for config files.
FILES=()
# HOOKS
# This is the most important setting in this file. The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added. Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
## This setup specifies all modules in the MODULES setting above.
## No raid, lvm2, or encrypted root is needed.
# HOOKS=(base)
#
## This setup will autodetect all modules for your system and should
## work as a sane default
# HOOKS=(base udev autodetect block filesystems)
#
## This setup will generate a 'full' image which supports most systems.
## No autodetection is done.
# HOOKS=(base udev block filesystems)
#
## This setup assembles a pata mdadm array with an encrypted root FS.
## Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
# HOOKS=(base udev block mdadm encrypt filesystems)
#
## This setup loads an lvm2 volume group on a usb device.
# HOOKS=(base udev block lvm2 filesystems)
#
## NOTE: If you have /usr on a separate partition, you MUST include the
# usr, fsck and shutdown hooks.
HOOKS=(base udev plymouth autodetect keyboard keymap consolefont modconf block ykfde plymouth-encrypt lvm2 filesystems fsck)
# COMPRESSION
# Use this to compress the initramfs image. By default, gzip compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"
# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()and my grub config:
# GRUB boot loader configuration
GRUB_DEFAULT=2
#GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1p3:root"
# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"
# Uncomment to enable booting from LUKS encrypted devices
#GRUB_ENABLE_CRYPTODISK=y
# Uncomment to enable Hidden Menu, and optionally hide the timeout count
#GRUB_HIDDEN_TIMEOUT=5
#GRUB_HIDDEN_TIMEOUT_QUIET=true
#
#Hold shift to make grub appear
GRUB_FORCE_HIDDEN_MENU="true"
# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console
# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE=auto
# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep
# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true
# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true
# Uncomment and set to the desired menu colors. Used by normal and wallpaper
# modes only. Entries specified as foreground/background.
#GRUB_COLOR_NORMAL="light-blue/black"
#GRUB_COLOR_HIGHLIGHT="light-cyan/blue"
# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/path/to/wallpaper"
#GRUB_THEME="/path/to/gfxtheme"
# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"
# Uncomment to make GRUB remember the last selection. This requires to
# set 'GRUB_DEFAULT=saved' above.
#GRUB_SAVEDEFAULT="true"
# Disable Submenu
GRUB_DISABLE_SUBMENU=yLast edited by deisi (2020-01-26 17:11:03)
Offline
I found out what is causing the multiple password dialogs. It is the exitance of both hooks ykfde and pylmouth-encrypt in the mkinitcpio.conf. After removing the latter I only need to enter the password once.
Offline