I have to enter three passwords on boot. Can it be reduced to two?

Hi there,

I have installed Manjaro with my main partition and the swap partition encrypted. When I boot up, I need to enter my passphrase twice before I get to the KDE login screen.

Immediately after power up, I see this prompt:
[screenshot: 20200630_180339_HDR]

I enter the passphrase and wait approx. 10 seconds without any feedback. Hence, I see the grub boot menu. After choosing the default boot, I am prompted again for the disc passphrase:
[screenshot: 20200630_180454]

Then, after a short while, I finally see the KDE login screen:
[screenshot: 20200630_180540~2]

Question: Is it possible to avoid the first or second entering of the passphrase without compromising security?

Background:
My partition set-up:

[patrik-pc patrik]# lsblk
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
nvme0n1                                       259:0    0   477G  0 disk  
├─nvme0n1p1                                   259:1    0   300M  0 part  /boot/efi
├─nvme0n1p2                                   259:2    0 459,7G  0 part  
│ └─luks-3e6d6aad-d35e-41f3-b8a3-52743a72534c 254:0    0 459,7G  0 crypt /
└─nvme0n1p3                                   259:3    0    17G  0 part  
  └─luks-cd7cf6fc-e1d2-4e10-bca0-36b01bcbfa7a 254:1    0    17G  0 crypt

Get rid of your swap partition and make a swapfile. Looks like you are having to enter in a passcode to unlock your main partition and then another for your /swap partition.

How to make a swapfile

Look into using a keyfile:
https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Keyfiles


Adding to what @yosukemat is talking about.

We use encryption to minimize the risk of stolen data if someone has physical access to our machine. So if someone steals your laptop and removes the hard drive, the data on it cannot be accessed. But if someone boots your laptop and all they have to bypass is your login password, and that is not a secure one, you make it very easy to gain access to your data.

The best practice is when a machine is not in a secure location, do not auto-decrypt.


Not an answer to the question, but the KDE login screen can be skipped, too.

System settings -> Startup and Shutdown -> Login Screen -> Advanced -> User – Auto Login - checked


But can't you put the decryption key for the second partition inside the first encrypted partition so that you have to unlock the first partition to get access to the second? I thought that was the standard way of dealing with multiple encrypted partitions. I mean, what if you had 10 partitions? You probably wouldn't want to enter 10 passphrases every time you boot up. I thought that was what @yosukemat was referring to.

Alternatively, you could use a single crypt device which had both volumes inside of it but that would require major restructuring of your disks.


Yes you are right. I should have clarified. My suggestion is not to use keyfiles for all the encrypted partitions. Just the second (SWAP) is fine. And that goes for any additional partitions/disks that might be added.

Thank you. This reduces the passwords to enter by one. I guess this is ok from a security perspective if used in conjunction with encrypted disks.


As long as you make sure that locking the screen will make you still have to enter in a password.

This is an easy way to reduce it by one as well.

Thank you for the idea. However, I wanted to keep the swap partition. So I created a binary key file with
dd bs=512 count=4 if=/dev/random of=/etc/swap_keyfile iflag=fullblock

I added the keyfile to the partition's keys:
cryptsetup luksAddKey /dev/nvme0n1p3 /etc/swap_keyfile

Then I edited my /etc/crypttab adding the keyfile:

# <name>               <device>                         <password> <options>
luks-cd7cf6fc-e1d2-4e10-bca0-36b01bcbfa7a UUID=cd7cf6fc-e1d2-4e10-bca0-36b01bcbfa7a     /etc/swap_keyfile  luks,allow-discards

And tadaaa, I only have to enter the boot partition's passphrase on boot.

Finally
swapon /dev/mapper/luks-cd7cf6fc-e1d2-4e10-bca0-36b01bcbfa7a
makes the system use the swap partition.

Together with the auto-login tip, I am now down to entering only one password on boot.

This is better than I expected. Thank you so much folks!


What would happen now if you hibernate your system? When you wake your system up after hibernation, does it ask for the root partition password?
Essentially, my question is would this render encrypted swap useless?

Put it in fstab, and use a better name in crypttab. You can use a random key with a swap partition, unless you want to suspend.

# this is in my crypttab
swap   LABEL=swap	 /dev/urandom  swap,offset=2048,cipher=aes-xts-plain64,size=256,nofail,timeout=30

# fstab
/dev/mapper/swap   none   swap    defaults,pri=1   0       0

The pri=1 is only because I have 3 striped partitions, I've left out the other two as they're the same except for the names. I use LABELs for the swap partitions, because labeling means I don't have to edit my crypttab if the partitions (and so the UUIDs) get changed.

EDIT: Changed label to name to hopefully avoid further confusion.


Actually, I don't see an option to hibernate in the KDE menu. Anyway, I'm using standby usually. It's much faster in wake-up and my computer lasts for weeks in standby, so it's most convenient.


I tried what you suggested, but failed.

# I have put this in my crypttab
luks-cd7cf6fc-e1d2-4e10-bca0-36b01bcbfa7a LABEL=swap UUID=cd7cf6fc-e1d2-4e10-bca0-36b01bcbfa7a     /etc/swap_keyfile  luks,allow-discards

# and this in my fstab
/dev/mapper/swap   none           swap    defaults,pri=1   0       0

Then, I got an error on booting (timeout for swap). Luckily, after a long time, it booted up anyway.

Close but not what I suggested, my bad, I was using the word 'label' for two different things. Perhaps 'name' would be better.

So the name, that you give to the unlocked partition, goes in the first column, the partition LABEL or UUID goes in the second column.

#  crypttab
# name      device label/uuid                          keyfile             options
swap     UUID=cd7cf6fc-e1d2-4e10-bca0-36b01bcbfa7a     /etc/swap_keyfile  luks,allow-discards

#  fstab
/dev/mapper/swap   none     swap    defaults     0   0

EDIT:

For the sake of clarity, if we assign the name dave in the 1st column of a crypttab entry, then the unlocked partition is made available as /dev/mapper/dave.
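An added sanity check, not posted by anyone in this thread, for the keyfile recipe above and the crypttab/fstab column mix-up just corrected: it lints a crypttab and fstab pair and flags an overflowed device column (the two device specs in the failed entry), a keyfile that is missing or readable by group/others, a random-key swap without the swap option (mkswap must run each boot, and such a volume can never be resumed from), and an fstab /dev/mapper name that no crypttab line defines. The UUID is the one from the thread; the check assumes GNU stat (Linux) and is plain POSIX sh.

```shell
#!/bin/sh
# Lint a crypttab/fstab pair for the encrypted-swap patterns in this thread.
# Findings go to stdout; returns 1 when any FATAL finding was printed.
check_crypttab() {  # usage: check_crypttab CRYPTTAB FSTAB
    crypttab=$1 fstab=$2 rc=0 names=""
    while read -r name device key options; do
        case $name in ''|'#'*) continue ;; esac
        names="$names $name"
        # Column 2 holds ONE device spec. "LABEL=swap UUID=..." pushes every
        # later field one column right, so the options column gains a space.
        case $options in *[[:space:]]*)
            echo "FATAL $name: too many columns ('$options' landed in options)"; rc=1 ;;
        esac
        case $device in UUID=*|LABEL=*|/dev/*) ;;
            *) echo "FATAL $name: device '$device' is not UUID=, LABEL= or /dev/..."; rc=1 ;;
        esac
        case $key in
            /dev/urandom|/dev/random)
                case ",$options," in *,swap,*) ;;
                    *) echo "FATAL $name: random key without the 'swap' option"; rc=1 ;;
                esac
                echo "INFO  $name: random key, resume from hibernation is impossible" ;;
            none|-|'') ;;   # passphrase prompt at boot, nothing to check
            /*)             # keyfile: must exist and be unreadable to group/others
                if [ ! -f "$key" ]; then
                    echo "FATAL $name: keyfile $key does not exist"; rc=1
                else
                    mode=$(stat -c %a "$key")
                    if [ "$mode" != 400 ] && [ "$mode" != 600 ]; then
                        echo "FATAL $name: keyfile $key mode $mode, expected 0400 or 0600"; rc=1
                    fi
                fi ;;
        esac
    done < "$crypttab"
    # Every /dev/mapper/<name> swap line in fstab needs a crypttab entry named <name>.
    while read -r dev mnt type rest; do
        case $dev in /dev/mapper/*) ;; *) continue ;; esac
        [ "$type" = swap ] || continue
        mapper=${dev#/dev/mapper/}
        case " $names " in *" $mapper "*) ;;
            *) echo "FATAL fstab: $dev has no crypttab entry named '$mapper'"; rc=1 ;;
        esac
    done < "$fstab"
    return $rc
}
```

Run it as `check_crypttab /etc/crypttab /etc/fstab` after editing; a clean run prints only INFO lines and exits 0.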
