[Question] Encrypted Partition Unlock via Root Unlocking (programming.dev)

submitted 2 months ago by recursive_recursion@programming.dev to c/linux@programming.dev

9 comments fedilink hide all child comments

cross-posted from: https://programming.dev/post/19007507

For context:
I've encrypted the swap partition with:
cryptsetup -v luksFormat /dev/${DEVICE}
cryptsetup luksOpen /dev/${DEVICE} swap
And what I want is for the user to be able to enter their password only once to decrypt their root partition which would contain a keyfile to then decrypt their swap partition.

Does anyone know if this is possible?
Just thought I'd ask to see if anyone's done this already

Links:

Dm-crypt Unlocking - With a keyfile embedded in the initramfs

Dm-crypt - Automated unlocking and mounting

you are viewing a single comment's thread
view the rest of the comments

[-] haroldstork@lemm.ee 4 points 2 months ago

Yes, very. I've seen people do a similar thing with a separate encrypted home partition which is decrypted by a key stored in your encrypted root. However, I'd strongly recommend you use an LVM on LUKS setup (this is what I do). That way you decrypt one partition and you don't have to mess around with keyfiles. https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS

[-] recursive_recursion@programming.dev 2 points 2 months ago

I’ve seen people do a similar thing with a separate encrypted home partition which is decrypted by a key stored in your encrypted root.

Do you happen to have a link to this?

However, I’d strongly recommend you use an LVM on LUKS setup (this is what I do). That way you decrypt one partition and you don’t have to mess around with keyfiles. #LVM_on_LUKS

Looking at the wiki it seems doable (in relation to revising my script) and as far as I can tell the tradeoffs seems better than #LUKS on a partition

much appreciated for the recommendation!

[-] Ooops@feddit.org 1 points 2 months ago* (last edited 2 months ago)

There is a difference here.

Unlocking home later in the boot process is not a problem, so the you can indeed have a keyfile on your root and get your home unlocked and mounted after root is done.

Swap however needs to be available early, at least if you want to use it for hibernation.

this post was submitted on 05 Sep 2024

19 points (95.2% liked)

Linux

5278 readers

250 users here now

A community for everything relating to the linux operating system

Also check out !linux_memes@programming.dev

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 1 year ago

MODERATORS

Ategon@programming.dev

anzo@programming.dev

dwraf_of_ignorance@programming.dev