Password query for /root with fully encrypted system

Hello everyone,

My English is not so good, so here is a translation from deepl.

I want to reinstall Manjaro on my notebook with a fully encrypted system. I have followed this guide [root tip] [How To] Do a manual Manjaro installation, but encrypted the drives.

My partitions are:

sda1 - /boot/efi
sda2 - /boot - (LUKS 1) decrypted with password + keyfile
sda3 - swap - (LUKS 2) decrypted with keyfile (openswap.conf)
sda4 - /root - (LUKS 2) decrypted with keyfile (mkinitcpio.conf)
sdb1 - /home - (LUKS 2) decrypted with keyfile

After the installation is complete, the password for /boot is requested after the start. OK.
But then the password for /root (UUID=b338e30f-5c32-4e0c-a8a7-1ca87c6c6ae9) is requested. No matter what you enter here, /root will be mounted.

For testing purposes, I had Calamares create a system with the same partitions and settings. Here /root is also entered in /etc/crypttab. But here, too, the password request comes from /root.

Here are the following files:

lsblk
NAME          MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
sda             8:0    0   30G  0 disk  
├─sda1          8:1    0  512M  0 part  /boot/efi
├─sda2          8:2    0    1G  0 part  
│ └─cryptboot 254:2    0 1022M  0 crypt /boot
├─sda3          8:3    0    6G  0 part  
│ └─cryptswap 254:1    0    6G  0 crypt [SWAP]
└─sda4          8:4    0 22,5G  0 part  
  └─cryptroot 254:0    0 22,5G  0 crypt /
sdb             8:16   0   10G  0 disk  
└─sdb1          8:17   0   10G  0 part  
  └─crypthome 254:3    0   10G  0 crypt /home
sr0            11:0    1 1024M  0 rom

/etc/default/grub
# GRUB boot loader configuration

GRUB_DEFAULT=saved
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Manjaro"
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=b338e30f-5c32-4e0c-a8a7-1ca87c6c6ae9:cryptroot root=/dev/mapper/cryptroot resume=UUID=26427ea3-f7d1-4c3d-80b2-46d14fdbcb5b udev.log_priority=3"
GRUB_CMDLINE_LINUX=""

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y

# Set to 'countdown' or 'menu' to change timeout behavior,
# press ESC key to display menu.
GRUB_TIMEOUT_STYLE=hidden

# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console

# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command 'videoinfo'
GRUB_GFXMODE=auto

# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep

# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true

# Uncomment and set to the desired menu colors.  Used by normal and wallpaper
# modes only.  Entries specified as foreground/background.
GRUB_COLOR_NORMAL="light-gray/black"
GRUB_COLOR_HIGHLIGHT="green/black"

# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/usr/share/grub/background.png"
GRUB_THEME="/usr/share/grub/themes/manjaro/theme.txt"

# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"

# Uncomment to make GRUB remember the last selection. This requires
# setting 'GRUB_DEFAULT=saved' above.
GRUB_SAVEDEFAULT=true

# Uncomment to disable submenus in boot menu
#GRUB_DISABLE_SUBMENU=y

# Uncomment this option to enable os-prober execution in the grub-mkconfig command
#GRUB_DISABLE_OS_PROBER=false

# Uncomment to ensure that the root filesystem is mounted read-only so that
# systemd-fsck can run the check automatically. We use 'fsck' by default, which
# needs 'rw' as boot parameter, to avoid delay in boot-time. 'fsck' needs to be
# removed from 'mkinitcpio.conf' to make 'systemd-fsck' work.
# See also Arch-Wiki: https://wiki.archlinux.org/index.php/Fsck#Boot_time_checking
#GRUB_ROOT_FS_RO=true

/etc/mkinitcpio.conf
# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run.  Advanced users may wish to specify all system modules
# in this array.  For instance:
#     MODULES=(usbhid xhci_hcd)
MODULES=()

# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image.  This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=()

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way.  This is useful for config files.
FILES=(/crypto_keyfile.bin)

# HOOKS
# This is the most important setting in this file.  The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
##   This setup specifies all modules in the MODULES setting above.
##   No RAID, lvm2, or encrypted root is needed.
#    HOOKS=(base)
#
##   This setup will autodetect all modules for your system and should
##   work as a sane default
#    HOOKS=(base udev autodetect modconf block filesystems fsck)
#
##   This setup will generate a 'full' image which supports most systems.
##   No autodetection is done.
#    HOOKS=(base udev modconf block filesystems fsck)
#
##   This setup assembles a mdadm array with an encrypted root file system.
##   Note: See 'mkinitcpio -H mdadm_udev' for more information on RAID devices.
#    HOOKS=(base udev modconf keyboard keymap consolefont block mdadm_udev encrypt filesystems fsck)
#
##   This setup loads an lvm2 volume group.
#    HOOKS=(base udev modconf block lvm2 filesystems fsck)
#
##   NOTE: If you have /usr on a separate partition, you MUST include the
#    usr and fsck hooks.
HOOKS=(base udev autodetect modconf kms keymap keyboard consolefont block encrypt openswap resume filesystems fsck)

# COMPRESSION
# Use this to compress the initramfs image. By default, gzip compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"
#COMPRESSION="zstd"

# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()

# MODULES_DECOMPRESS
# Decompress kernel modules during initramfs creation.
# Enable to speedup boot process, disable to save RAM
# during early userspace. Switch (yes/no).
#MODULES_DECOMPRESS="yes"

/etc/openswap.conf
## cryptsetup open $swap_device $crypt_swap_name
## get uuid using e.g. lsblk -f
swap_device=/dev/disk/by-uuid/778f8644-74d6-4d27-9147-8c204b72bef0
crypt_swap_name=cryptswap

## one can optionally provide a keyfile device and path on this device
## to the keyfile
keyfile_device=/dev/mapper/cryptroot
keyfile_filename=crypto_keyfile.bin

## additional arguments are given to mount for keyfile_device
## has to start with --options (if so desired)
#keyfile_device_mount_options="--options=subvol=__active/__"

## additional arguments are given to cryptsetup
## --allow-discards options is desired in case swap is on SSD partition
cryptsetup_options="--type luks"

/etc/crypttab
# Configuration for encrypted block devices.
# See crypttab(5) for details.

# NOTE: Do not list your root (/) partition here, it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf).

# <name>       <device>                                     <password>              <options>
cryptboot	UUID=ed8a1b36-9f1e-431b-9f8e-fc89a4197eb2	/crypto_keyfile.bin	luks
crypthome	UUID=38c8aaed-14a9-437e-b9fa-e611828ead49	/crypto_keyfile.bin	luks

/etc/fstab
# /dev/mapper/cryptroot
UUID=8bf1cc62-b3fb-430a-ba7a-47421b97c508	/         	ext4      	rw,relatime	0 0

# /dev/mapper/cryptboot
UUID=27d217bf-7fad-48c9-acc6-da433198b35f	/boot     	ext4      	rw,relatime	0 0

# /dev/sda1
UUID=98D2-88DD      	/boot/efi 	vfat      	rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro	0 0

# /dev/mapper/crypthome
UUID=51195a22-15cc-42e7-9a71-7237a9fa81e8	/home     	ext4      	rw,relatime	0 0

# /dev/mapper/cryptswap 
UUID=26427ea3-f7d1-4c3d-80b2-46d14fdbcb5b	swap	swap	defaults 0 0

Does anyone have a tip on how I can prevent the password request from /root?

Don’t overly complicate your installation. K.I.S.S.

I am using an ultra simple construct with three partitions.

  1. EFI
  2. swap
  3. root

Overview
The recipe is based on a user page from the Arch wiki, using btrfs

  • swap is encrypted on every boot with a random key
  • only root needs unlocking
  • the loader is a unified kernel image stored on the $esp
  • the loader is signed using a self generated certificate
  • the certificate is enrolled in firmware’s Secure Boot
  • the firmware is then password protected

The process is scripted and described at [root tip] [Utility Script] Encrypted Manjaro Linux using Verified Boot


/root as a separate partition doesn’t really make sense - perhaps you meant / (the file system root)
onto which everything else is then mounted
cryptdevice=UUID=b338e30f-5c32-4e0c-a8a7-1ca87c6c6ae9:cryptroot

This should be the / (root) device, the device containing the / file system, no?

Which, according to /etc/fstab is:

# /dev/mapper/cryptroot
UUID=8bf1cc62-b3fb-430a-ba7a-47421b97c508
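A consistency check for the unlock chain from the opening post and for the container-UUID versus filesystem-UUID point raised just above, added here as an example and not part of the thread. It parses constructed copies of the posted cmdline, mkinitcpio.conf, crypttab and fstab, and it assumes (as in the Arch encrypt hook) that /crypto_keyfile.bin is the fallback keyfile when no cryptkey= is given.

```python
import re

# Constructed copies of the thread's posted settings (UUIDs taken from the OP's files).
CMDLINE = ("cryptdevice=UUID=b338e30f-5c32-4e0c-a8a7-1ca87c6c6ae9:cryptroot "
           "root=/dev/mapper/cryptroot resume=UUID=26427ea3-f7d1-4c3d-80b2-46d14fdbcb5b")
MKINITCPIO = ("FILES=(/crypto_keyfile.bin)\n"
              "HOOKS=(base udev autodetect modconf kms keymap keyboard consolefont "
              "block encrypt openswap resume filesystems fsck)\n")
CRYPTTAB = ("# <name> <device> <password> <options>\n"
            "cryptboot UUID=ed8a1b36-9f1e-431b-9f8e-fc89a4197eb2 /crypto_keyfile.bin luks\n"
            "crypthome UUID=38c8aaed-14a9-437e-b9fa-e611828ead49 /crypto_keyfile.bin luks\n")
FSTAB = "UUID=8bf1cc62-b3fb-430a-ba7a-47421b97c508 / ext4 rw,relatime 0 0\n"
# Assumption: the encrypt hook falls back to this keyfile when no cryptkey= is given.
DEFAULT_CRYPTKEY = "rootfs:/crypto_keyfile.bin"


def parse_cmdline(cmdline):
    """Split 'a=b c' into {'a': 'b', 'c': ''}."""
    return dict(t.split("=", 1) if "=" in t else (t, "") for t in cmdline.split())


def bash_array(text, name):
    """Read NAME=(x y z) from a mkinitcpio.conf-style file into a list."""
    m = re.search(rf"^{name}=\((.*?)\)", text, re.M | re.S)
    return m.group(1).split() if m else []


def check_unlock_chain(cmdline, mkinitcpio, crypttab, fstab):
    """Return a list of findings; an empty list means the chain is self-consistent."""
    findings = []
    kv = parse_cmdline(cmdline)
    dev, _, name = kv.get("cryptdevice", "").partition(":")
    uuid = dev[5:] if dev.startswith("UUID=") else dev
    if kv.get("root") != f"/dev/mapper/{name}":
        findings.append("root= does not match the mapper name in cryptdevice=")
    src, _, keypath = kv.get("cryptkey", DEFAULT_CRYPTKEY).partition(":")
    if src == "rootfs" and keypath not in bash_array(mkinitcpio, "FILES"):
        findings.append(f"{keypath} not in FILES, so the initramfs has no keyfile")
    hooks = bash_array(mkinitcpio, "HOOKS")
    if not {"encrypt", "filesystems"} <= set(hooks) or hooks.index("encrypt") > hooks.index("filesystems"):
        findings.append("encrypt hook missing or ordered after filesystems")
    listed = [l.split()[0] for l in crypttab.splitlines() if l.strip() and not l.startswith("#")]
    if name in listed:  # crypttab's own header says root must not be listed there
        findings.append(f"{name} is in crypttab; root must be opened by the initramfs")
    if uuid in re.findall(r"UUID=(\S+)", fstab):  # fstab holds filesystem UUIDs, not container UUIDs
        findings.append("cryptdevice= uses a filesystem UUID from fstab; it needs "
                        "the LUKS container UUID of the raw partition")
    return findings
```

A clean result on the posted settings only means these files agree with each other; whether the embedded keyfile actually opens the container is a separate check (cryptsetup open --test-passphrase --key-file ...).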
too complicated

@linux-aarhus

Yes, my setup is not simple. But most of the time I know what I’m doing.

These instructions are beyond my Linux knowledge.

@Nachlese

Sorry, yes, every time I wrote “/root” I meant “/”.

This is the UUID from /dev/sda4.

This is the UUID from /dev/mapper/cryptroot.

Just to ensure my understanding.

You are using grub to open a luks1 encrypted partition holding your boot.

The boot partition also holds a keyfile to open your remaining partitions, does this sound right?

Do you have both a keyfile and a passphrase on your root partition?

If so - does your first slot contain a password?

Without any knowledge on how cryptsetup processes keyslots - I imagine they are tried sequentially - first slot is password - invalid - next slot - keyfile - we have that one - open.

To eliminate the first keyslot containing a passphrase - you could wipe it - that should eliminate the second passphrase query.


I changed the keyslots.

Keyslot 0: keyfile
Keyslot 3: password

Unfortunately no changes in the boot process.

What do you expect will happen? If it can access the keyfile, then that’s it – it’s decrypted. Slots don’t add together – you validate any one and the partition is decrypted.

That is correct - but as I understood - the prompt to unlock the root volume is unexpected as it should already be unlocked by the keyfile.


Yes, that’s how it is

My suggestion was to remove the passphrase - from the root volume container - to force the only unlock method to key file.

If that produces a system that will not unlock - I suspect that Calamares has used the passphrase for the boot volume as the means to unlock the root - and thus the keyfile is just for show.

I have removed the password from slot 3, but it continues to ask for the password. Apart from that, the system starts normally.

Hi, try to add this to your cmdline (in /etc/default/grub):
cryptkey=rootfs:/crypto_keyfile.bin
Issue sudo update-grub afterwards, of course.

No change. I give up and look for another solution.

I solved it this way: implement user mode secure boot, generate unified kernel images, sign them with my secure boot key, add tpm verification / auto-unlock on boot. Kernels are stored on the only unencrypted partition (/boot/efi or /efi), if they are tampered with, my system fails to boot (asks for a password that I don’t usually enter), and I know something is wrong. This also let me ditch grub for good and use only one LUKS v2 encrypted partition for /.
