Hi.
I have two encrypted partitions, one at HDD other at SSD. But I'm tired of every boot to have to supply the same password for both.
The passwords are requested in OpenRC guided boot process. There's a way to configure dmcrypt init.d script to decrypt both at the same time? For now, the script treats each partition in fstab seems as having different keys of course.
Thanks!
Supply one password for multiple encrypted partitions luks
Message
- The Doctor
- Bodhisattva
- Posts: 2678
- Joined: Tue Jul 27, 2010 10:56 pm
You don't want one password per se.
The way this is handled is to add keyfiles to all the partitions except root. Root then opens and runs the dm_crypt service which uses the keyfiles to open all the other partitions. This way it is invisible to the user. Of course some configuration is required. If the root isn't safe put the key in the first encrypted partition. Then you only need one password.
I offer the manual
The way this is handled is to add keyfiles to all the partitions except root. Root then opens and runs the dm_crypt service which uses the keyfiles to open all the other partitions. This way it is invisible to the user. Of course some configuration is required. If the root isn't safe put the key in the first encrypted partition. Then you only need one password.
I offer the manual
First things first, but not necessarily in that order.
Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
You can put the keyfile to the root of encrypted initrd image, and encrypt it with your masterpassword, then you will only decrypt the initrd image during boot, and everything else is done via init script of your initramfs.
https://wiki.gentoo.org/wiki/Custom_Initramfs
https://wiki.gentoo.org/wiki/Early_Userspace_Mounting
https://wiki.gentoo.org/wiki/Custom_Initramfs
https://wiki.gentoo.org/wiki/Early_Userspace_Mounting
I'm waking this thread to life again since I believe it to be relevant to the topic.
I have my root on one disk and home partition on another and I have to enter a password twice for the encrypted volumes when I boot now. I sort of like the idea of being able to access my home partition with a passphrase in case I would need to boot from a rescue USB stick and access anything from there. Would adding a keyfile override the passphrase option or could they exist in parallel, i.e. could I have Gentoo automatically mount my home partition using a keyfile and still access is using the passphrase if I would need to?
Thanks!
I have my root on one disk and home partition on another and I have to enter a password twice for the encrypted volumes when I boot now. I sort of like the idea of being able to access my home partition with a passphrase in case I would need to boot from a rescue USB stick and access anything from there. Would adding a keyfile override the passphrase option or could they exist in parallel, i.e. could I have Gentoo automatically mount my home partition using a keyfile and still access is using the passphrase if I would need to?
Thanks!
According to man cryptsetup, LUKS has 8 key slots. You can have up to 8 different ways to unlock the device. A key file on root, as described earlier in the thread, and an emergency password, would constitute 2 ways, leaving you 6 slots unused. You want to use luksAddKey, which will request an existing passphrase in order to obtain the encryption key, then will store a new copy of that encryption key sealed by the new key, which can be either a new passphrase or a key file.
Thanks for your replies! It wasn't obvious to me that key slots referred to keyfiles or passphrases but the example at the end actually answered that.Hu wrote:According to man cryptsetup, LUKS has 8 key slots. You can have up to 8 different ways to unlock the device. A key file on root, as described earlier in the thread, and an emergency password, would constitute 2 ways, leaving you 6 slots unused. You want to use luksAddKey, which will request an existing passphrase in order to obtain the encryption key, then will store a new copy of that encryption key sealed by the new key, which can be either a new passphrase or a key file.
Code: Select all
Example 2: Add an additional passphrase to key slot 5.
sudo cryptsetup luksAddKey --key-slot 5 /dev/sdXSo I added a keyfile in slot 1 with the passphrase still in slot 0 and I can luksOpen the device with both but there are no lvm volume found. The volume group is found using vgscan, lvs lists home as not active (-wi-------) and lvdisplay shows LV Status NOT available. Also when running mkfs I get a warning message that a file system is found.
It seems as if the volume has not been activated but I cannot find any /dev/vg2/ to try to active it. Any ideas on how to fix this? Running vgchange -a y vg2 gives me a Device or resource busy error message. Thanks!
It seems as if the volume has not been activated but I cannot find any /dev/vg2/ to try to active it. Any ideas on how to fix this? Running vgchange -a y vg2 gives me a Device or resource busy error message. Thanks!
- Princess Nell
- l33t
- Posts: 947
- Joined: Fri Apr 15, 2005 1:00 pm
hrnick, did you run into news item 2022-11-19? Your description sounds eerily familiar.
viewtopic-t-1160358.html
viewtopic-t-1160358.html