How to enter passphrase only once on a fully encrypted Manjaro

xfce

#1

Hello,

I have installed Manjaro xfce with Calamares and full disk encryption. Now I have to enter my passphrase three times while booting.

First query is
Attempting to decrypt master key…
Enter passphrase for hd0, gpt2 (asfjsdifohaspdoifhas8pdohgiusah)

Second query is
Please enter passphrase for disk HGST_FSJgoedsz08dsfzsd80fzh

Between the second and third:
A start job is running for Cryptography Setup for luks-sdjfoiashdfushfuodhfsdihf

The third query is the same as the second.

My swap is not decrypting correctly on boot. Don’t know why. If I enter the password three times and log in to Manjaro with the root password (for the fourth time!), the swap partition is still displayed as encrypted.

So what do I have to do so that I only have to enter the password once? And does anybody know why my swap isn’t decrypting correctly? This probably triggers crashes/freezes on my system :\

Please help!


#2

I believe you can leave encryption off for SWAP since it’s basically like RAM; whatever’s in linuxswap gets erased when turned off.


#3

Do you know the easiest way to do that?


#4

Check out /etc/crypttab, this is the place to add the passwords for the additional partitions.
“nano /etc/crypttab”

# <name>               <device>                         <password> <options>
luks-uuid                 UUID=uuid                    /crypto_keyfile.bin luks

You can add the password in clear text for testing purposes, or even better like in the example above point to a file which holds the password.

The question of whether you also need to encrypt swap comes down to the attack scenario you want to address. If it’s just to keep the average thief away from your data, clear text swap is probably acceptable. If you are dealing with sensitive data someone else may have an interest in, I would go with encrypted swap.

Given that once it’s set up it doesn’t really matter if swap is encrypted or not I would always err on the secure side and go with encrypted swap, exactly what the Manjaro installer did.


#5

Let’s say I want to go with encrypted swap. Is it normal that I have to enter my passphrase three times on booting? After logging in to Manjaro, swap is still encrypted.

I’m only annoyed that I have to enter the password three times and swap is still encrypted. Don’t know if that is normal?

You can add the password in clear text for testing purposes, or even better like in the example above point to a file which holds the password.

I have two listings in /etc/crypttab

luks-xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx /crypto_keyfile.bin luks

luks-xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 2 /crypto_keyfile.bin luks


#6

It is normal if you have different partitions encrypted. The way to avoid this is to do an encrypted lvm containing root, home and swap. This would require a single decrypt passphrase, if you also set your desktop environment to autologin, and don’t have a power on passphrase for the laptop or desktop itself.


#7

Well, not sure what normal means in this context; it’s the way the system is configured. If you want it to behave differently, we need to configure it differently.

The two entries in your crypttab file correspond with /etc/fstab.
One I guess is for / and the other for swap? Or maybe this is /home and there is no entry for swap?
I think it would be best if you post the content of both files.
And also the output of lsblk

There is nothing confidential about your UUIDs, leave the values in so we can see how they fit together.

By the way my laptop has got 3 encrypted partitions on two physical disks, not using lvm and I add my password only once, to unlock /.
All the subsequent ones are defined in /etc/crypttab.


#8

My point was that most installers that do a single luks passphrase generally use an lvm setup by default since it provides a single crypttab entry. Calamares does not handle either luks or lvm very well, but it is getting better.


#9

I fully agree with that. I had to do a fresh install on my laptop today to replace a faulty SSD and yes, took me a few installs until Calamares finally accepted my disk layout. :)

a few times to do what I wanted it to do :)


#10

I think so. I was not paying attention but I have no /home just /.

lsblk:

sda 8:0 0 465,8G 0 disk
├─sda1 8:1 0 300M 0 part /boot/efi
├─sda2 8:2 0 457,3G 0 part
│ └─luks-d8e617bb-6089-47a2-a142-942da3ea3e0a 254:0 0 457,3G 0 crypt /
└─sda3 8:3 0 8,1G 0 part
  └─luks-abb087be-5d5c-4753-aba6-e83608fda6b2 254:1 0 8,1G 0 crypt
sr0 11:0 1 1024M 0 rom

/etc/crypttab

luks-d8e617bb-6089-47a2-a142-942da3ea3e0a UUID=d8e617bb-6089-47a2-a142-942da3ea3e0a /crypto_keyfile.bin luks
luks-abb087be-5d5c-4753-aba6-e83608fda6b2 UUID=abb087be-5d5c-4753-aba6-e83608fda6b2 /crypto_keyfile.bin luks

/etc/fstab

UUID=8626-E729 /boot/efi vfat defaults,noatime 0 2
/dev/mapper/luks-d8e617bb-6089-47a2-a142-942da3ea3e0a / ext4 defaults,noatime 0 1

Thanks for your help!


#11

Before we start fiddling around, do you have a backup?
And a live Manjaro USB stick in case you can’t boot the OS any longer?

Crypttab looks ok to me.
Your swap file seems to be missing from /fstab though.
You need an entry similar to the one for /

/dev/mapper/luks-abb087be-5d5c-4753-aba6-e83608fda6b2 swap swap  defaults 0 0 

Once the fstab entry is in, try

sudo mount -a

and see if this produces an error, I would expect your swap to be mounted after that command.

Not sure why you get asked to type in the password more than once. Crypttab refers to /crypto_keyfile.bin, which is where your password is stored. Can you check the file exists and is larger than 0 bytes?

ls -a /
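
The cross-check done by hand in post #11 (each mapping in /etc/crypttab should be used by a /dev/mapper/ line in /etc/fstab), as an added example that is not part of the original thread. The function name `audit_crypttab` is hypothetical, and the sample files are the ones posted in #10, written to a temporary directory rather than /etc.

```bash
#!/usr/bin/env bash
# Added example: report crypttab mappings that fstab never uses.
# Output per mapping: "<name> key=<keyfile|prompt> fstab=<yes|MISSING>"
# Limitation: only /dev/mapper/<name> references are matched, as in the
# thread's fstab; an fstab that names the inner filesystem by UUID is not.
audit_crypttab() {
    crypttab="$1"; fstab="$2"
    while read -r name device key opts || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac      # blank line or comment
        case "$key" in ''|none|-) key=prompt ;; esac   # no keyfile: asks at boot
        if awk -v dev="/dev/mapper/$name" \
               '$1 == dev { found = 1 } END { exit !found }' "$fstab"; then
            echo "$name key=$key fstab=yes"
        else
            echo "$name key=$key fstab=MISSING"
        fi
    done < "$crypttab"
}

# Sample input: the two files as posted in #10, written to a temp directory.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/crypttab" <<'EOF'
# <name> <device> <password> <options>
luks-d8e617bb-6089-47a2-a142-942da3ea3e0a UUID=d8e617bb-6089-47a2-a142-942da3ea3e0a /crypto_keyfile.bin luks
luks-abb087be-5d5c-4753-aba6-e83608fda6b2 UUID=abb087be-5d5c-4753-aba6-e83608fda6b2 /crypto_keyfile.bin luks
EOF
    cat > "$dir/fstab" <<'EOF'
UUID=8626-E729 /boot/efi vfat defaults,noatime 0 2
/dev/mapper/luks-d8e617bb-6089-47a2-a142-942da3ea3e0a / ext4 defaults,noatime 0 1
EOF
    audit_crypttab "$dir/crypttab" "$dir/fstab"
    rm -rf "$dir"
}

demo
```

On an installed system the same function can be pointed at the real files with `audit_crypttab /etc/crypttab /etc/fstab`. Swap lines in fstab are activated by `swapon -a`, and `swapon --show` lists the swap areas currently in use.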

#12

ls -a / --> it exists and is larger than 0 bytes.

sudo mount -a -> no error

Before we start fiddling around, do you have a backup? -> unfortunately no
And a live Manjaro USB stick in case you can’t boot the OS any longer? -> yes

Is it easier to format and reinstall Manjaro?


#13

Reason why I asked for the backup is because I don’t want you to lose your data. If this is a fresh install the backup obviously doesn’t matter.

With the change in fstab, does swap now get mounted when you boot?