this post was submitted on 05 Sep 2024
19 points (95.2% liked)

Linux

5607 readers
112 users here now

A community for everything relating to the linux operating system

Also check out [email protected]

Original icon base courtesy of [email protected] and The GIMP

founded 2 years ago
MODERATORS
 

cross-posted from: https://programming.dev/post/19007507

For context:
I've encrypted the swap partition with:

cryptsetup -v luksFormat /dev/${DEVICE}
cryptsetup luksOpen /dev/${DEVICE} swap

And what I want is for the user to be able to enter their password only once to decrypt their root partition which would contain a keyfile to then decrypt their swap partition.

Does anyone know if this is possible?
Just thought I'd ask to see if anyone's done this already

Links:

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 6 points 4 months ago* (last edited 4 months ago) (1 children)

This would -at least as far as I understand it- limit your swap's functionality for hibernation etc. Because there your swap needs to be available early. You can still do it in theory, but the key file then would need to be included in you initrams, which kind of defeats the purpose.

There is however a much more easier option: either use LVM on luks (so the volume is decrypted with the password and then contains both, root and swap) or just use the same password for root and swap while switching over to the systemd hooks (as those encryption hooks try unlokcing everything with the first provided password by default, and only ask for additional password if this fails).

EDIT: Seeing that you crossposted this from an archlinux-specific community: You can find the guide here. It's for using a fully enrcypted system with grub as bootloader, but the details (in 8.3 and 8.4) are true for all boot methods. Replace the busybox hooks with their systemd equivalents (in minitcpio.conf for archlinux but again this isn't limited to that init system), then add "rd.luks.name=<your swap's uuid=swap" to your kernel parameters and also replace the "cryptdevice=UUID=<your root's uuid>:root" that should already be there for an encrypted system (that's the syntax for the busybox hook) with "rd.luks.name=<your root's uuid>=root". On startup you will be asked for your password as usual, but then both root and swap will be decrypted with it (PS: the sd-encrypt hook only tries this once... so if you screw up and misstype your password on the first try, you will then have to type it again two times, once for root, once for swap...)

[–] [email protected] 1 points 1 month ago* (last edited 1 month ago)

@[email protected] @[email protected]
Thank you for your LVM on LUKS suggestion!
I was able to get it to work with GRUB and now it works in the same way as systemd where only 1 password input is required🤗

What I found to work is creating 3 partitions:

  1. [p0] boot
  2. [p1] EFI
  3. [p2] Root [LVM on LUKS]

after encrypting and creating the required volumes on p2,

  • I formatted both p0 and p1 as FAT32
  • formatted rootvol as Btrfs
    • mount rootvol to /mnt
      • mount p0 to /mnt/boot
        • mount p1 to /mnt/boot/efi

Now that the base system is done I'm working on a Detached LUKS USB system to further optimize for security after in which I'd be satisfied in knowing that if others use it they'll most likely be safe from most security hazards