Laptop with two LUKS encrypted disks: HDD and SSD: How to start with same passphrase?












3















In my Linux laptop I've two disks:
One larger conventional HDD and a smaller but fast SSD.

On the SSD I've a small unencrypted /boot-Partition containung kernels, initrd images and GRUB. All remaining stuff (including the Linux /, swap, /home, ...) is in two LUKS encrypted pseudo devices. These are started at boot time using entries in /etc/crypttab. Everything works just fine.



But during booting I've to enter two passphrases to activate both LUKS container.



Since I've used the same pass phrase for both disks I'm now looking for a clever and secure way whichs allows me to start both disks by entering the passphrase only once during boot. Any ideas?



I already know that I could store the passphrase for the second disk in a keyfile on the already encrypted root filesystem on the SSD and refer to it in the /etc/crypttab file. But I fear this keyfile might leak somehow (possibly
it might show up in the initrd images on unencrypted /boot/ partition?).






linux encryption luks







share|improve this question




















  • 1





    I don't suppose any initramfs generation utility (mkinitcpio, dracut...) would include /etc/crypttab to the initramfs, unless the user for some reason explicitly configure it to do so (but then that's a PEBKAC).

    – Tom Yan
    Mar 23 '16 at 18:49













  • That said, I would not be at all certain that crypttab would reread at precisely the correct point in the mounting process, and, of-course, if that file is compromised while the system is online, it can be used to recover the data later. (I don't have a solution to the OP question though - indeed its something I battled with as well)

    – davidgo
    Mar 23 '16 at 19:18











  • Today I found out that Michael Gebetsroither <michael@mgeb.org> has written a script for caching the passphrase. This script can be found here: github.com/gebi/keyctl_keyscript Unfortunately I was yet unable to get this to work on my Kubuntu 14.04 LTS laptop. May be I will spend some more time fiddling with it later.

    – pefu
    Mar 25 '16 at 16:33
















3















In my Linux laptop I've two disks:
One larger conventional HDD and a smaller but fast SSD.

On the SSD I've a small unencrypted /boot-Partition containung kernels, initrd images and GRUB. All remaining stuff (including the Linux /, swap, /home, ...) is in two LUKS encrypted pseudo devices. These are started at boot time using entries in /etc/crypttab. Everything works just fine.



But during booting I've to enter two passphrases to activate both LUKS container.



Since I've used the same pass phrase for both disks I'm now looking for a clever and secure way whichs allows me to start both disks by entering the passphrase only once during boot. Any ideas?



I already know that I could store the passphrase for the second disk in a keyfile on the already encrypted root filesystem on the SSD and refer to it in the /etc/crypttab file. But I fear this keyfile might leak somehow (possibly
it might show up in the initrd images on unencrypted /boot/ partition?).






linux encryption luks







share|improve this question




















  • 1





    I don't suppose any initramfs generation utility (mkinitcpio, dracut...) would include /etc/crypttab to the initramfs, unless the user for some reason explicitly configure it to do so (but then that's a PEBKAC).

    – Tom Yan
    Mar 23 '16 at 18:49













  • That said, I would not be at all certain that crypttab would reread at precisely the correct point in the mounting process, and, of-course, if that file is compromised while the system is online, it can be used to recover the data later. (I don't have a solution to the OP question though - indeed its something I battled with as well)

    – davidgo
    Mar 23 '16 at 19:18











  • Today I found out that Michael Gebetsroither <michael@mgeb.org> has written a script for caching the passphrase. This script can be found here: github.com/gebi/keyctl_keyscript Unfortunately I was yet unable to get this to work on my Kubuntu 14.04 LTS laptop. May be I will spend some more time fiddling with it later.

    – pefu
    Mar 25 '16 at 16:33














3












3








3








In my Linux laptop I've two disks:
One larger conventional HDD and a smaller but fast SSD.

On the SSD I've a small unencrypted /boot-Partition containung kernels, initrd images and GRUB. All remaining stuff (including the Linux /, swap, /home, ...) is in two LUKS encrypted pseudo devices. These are started at boot time using entries in /etc/crypttab. Everything works just fine.



But during booting I've to enter two passphrases to activate both LUKS container.



Since I've used the same pass phrase for both disks I'm now looking for a clever and secure way whichs allows me to start both disks by entering the passphrase only once during boot. Any ideas?



I already know that I could store the passphrase for the second disk in a keyfile on the already encrypted root filesystem on the SSD and refer to it in the /etc/crypttab file. But I fear this keyfile might leak somehow (possibly
it might show up in the initrd images on unencrypted /boot/ partition?).






linux encryption luks







share|improve this question
















In my Linux laptop I've two disks:
One larger conventional HDD and a smaller but fast SSD.

On the SSD I've a small unencrypted /boot-Partition containung kernels, initrd images and GRUB. All remaining stuff (including the Linux /, swap, /home, ...) is in two LUKS encrypted pseudo devices. These are started at boot time using entries in /etc/crypttab. Everything works just fine.



But during booting I've to enter two passphrases to activate both LUKS container.



Since I've used the same pass phrase for both disks I'm now looking for a clever and secure way whichs allows me to start both disks by entering the passphrase only once during boot. Any ideas?



I already know that I could store the passphrase for the second disk in a keyfile on the already encrypted root filesystem on the SSD and refer to it in the /etc/crypttab file. But I fear this keyfile might leak somehow (possibly
it might show up in the initrd images on unencrypted /boot/ partition?).






linux encryption luks




linux encryption luks






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Mar 20 '17 at 10:04









Community

1




1










asked Mar 23 '16 at 18:18









pefupefu

1357




1357








  • 1





    I don't suppose any initramfs generation utility (mkinitcpio, dracut...) would include /etc/crypttab to the initramfs, unless the user for some reason explicitly configure it to do so (but then that's a PEBKAC).

    – Tom Yan
    Mar 23 '16 at 18:49













  • That said, I would not be at all certain that crypttab would reread at precisely the correct point in the mounting process, and, of-course, if that file is compromised while the system is online, it can be used to recover the data later. (I don't have a solution to the OP question though - indeed its something I battled with as well)

    – davidgo
    Mar 23 '16 at 19:18











  • Today I found out that Michael Gebetsroither <michael@mgeb.org> has written a script for caching the passphrase. This script can be found here: github.com/gebi/keyctl_keyscript Unfortunately I was yet unable to get this to work on my Kubuntu 14.04 LTS laptop. May be I will spend some more time fiddling with it later.

    – pefu
    Mar 25 '16 at 16:33














  • 1





    I don't suppose any initramfs generation utility (mkinitcpio, dracut...) would include /etc/crypttab to the initramfs, unless the user for some reason explicitly configure it to do so (but then that's a PEBKAC).

    – Tom Yan
    Mar 23 '16 at 18:49













  • That said, I would not be at all certain that crypttab would reread at precisely the correct point in the mounting process, and, of-course, if that file is compromised while the system is online, it can be used to recover the data later. (I don't have a solution to the OP question though - indeed its something I battled with as well)

    – davidgo
    Mar 23 '16 at 19:18











  • Today I found out that Michael Gebetsroither <michael@mgeb.org> has written a script for caching the passphrase. This script can be found here: github.com/gebi/keyctl_keyscript Unfortunately I was yet unable to get this to work on my Kubuntu 14.04 LTS laptop. May be I will spend some more time fiddling with it later.

    – pefu
    Mar 25 '16 at 16:33








1




1





I don't suppose any initramfs generation utility (mkinitcpio, dracut...) would include /etc/crypttab to the initramfs, unless the user for some reason explicitly configure it to do so (but then that's a PEBKAC).

– Tom Yan
Mar 23 '16 at 18:49







I don't suppose any initramfs generation utility (mkinitcpio, dracut...) would include /etc/crypttab to the initramfs, unless the user for some reason explicitly configure it to do so (but then that's a PEBKAC).

– Tom Yan
Mar 23 '16 at 18:49















That said, I would not be at all certain that crypttab would reread at precisely the correct point in the mounting process, and, of-course, if that file is compromised while the system is online, it can be used to recover the data later. (I don't have a solution to the OP question though - indeed its something I battled with as well)

– davidgo
Mar 23 '16 at 19:18





That said, I would not be at all certain that crypttab would reread at precisely the correct point in the mounting process, and, of-course, if that file is compromised while the system is online, it can be used to recover the data later. (I don't have a solution to the OP question though - indeed its something I battled with as well)

– davidgo
Mar 23 '16 at 19:18













Today I found out that Michael Gebetsroither <michael@mgeb.org> has written a script for caching the passphrase. This script can be found here: github.com/gebi/keyctl_keyscript Unfortunately I was yet unable to get this to work on my Kubuntu 14.04 LTS laptop. May be I will spend some more time fiddling with it later.

– pefu
Mar 25 '16 at 16:33





Today I found out that Michael Gebetsroither <michael@mgeb.org> has written a script for caching the passphrase. This script can be found here: github.com/gebi/keyctl_keyscript Unfortunately I was yet unable to get this to work on my Kubuntu 14.04 LTS laptop. May be I will spend some more time fiddling with it later.

– pefu
Mar 25 '16 at 16:33










1 Answer
1






active

oldest

votes


















1














That's not exactly the info you are looking for but if you store the passphrase for the second disk in a keyfile on the already encrypted root filesystem on the SSD and refer to it in the /etc/crypttab file this info might help: I just checked and the key isn't present on the initrd file. AFAIK, it's only securely stored in the encrypted root filesystem so this option might be a secure one after all.






share|improve this answer























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "3"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1056546%2flaptop-with-two-luks-encrypted-disks-hdd-and-ssd-how-to-start-with-same-passph%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    1














    That's not exactly the info you are looking for but if you store the passphrase for the second disk in a keyfile on the already encrypted root filesystem on the SSD and refer to it in the /etc/crypttab file this info might help: I just checked and the key isn't present on the initrd file. AFAIK, it's only securely stored in the encrypted root filesystem so this option might be a secure one after all.






    share|improve this answer




























      1














      That's not exactly the info you are looking for but if you store the passphrase for the second disk in a keyfile on the already encrypted root filesystem on the SSD and refer to it in the /etc/crypttab file this info might help: I just checked and the key isn't present on the initrd file. AFAIK, it's only securely stored in the encrypted root filesystem so this option might be a secure one after all.






      share|improve this answer


























        1












        1








        1







        That's not exactly the info you are looking for but if you store the passphrase for the second disk in a keyfile on the already encrypted root filesystem on the SSD and refer to it in the /etc/crypttab file this info might help: I just checked and the key isn't present on the initrd file. AFAIK, it's only securely stored in the encrypted root filesystem so this option might be a secure one after all.






        share|improve this answer













        That's not exactly the info you are looking for but if you store the passphrase for the second disk in a keyfile on the already encrypted root filesystem on the SSD and refer to it in the /etc/crypttab file this info might help: I just checked and the key isn't present on the initrd file. AFAIK, it's only securely stored in the encrypted root filesystem so this option might be a secure one after all.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Dec 31 '18 at 14:15









        RseveroRsevero

        112




        112






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Super User!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1056546%2flaptop-with-two-luks-encrypted-disks-hdd-and-ssd-how-to-start-with-same-passph%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Plaza Victoria

            Image
            Plaza Victoria Plaza Victoria en 2017 Otros nombres Plaza de La Victoria Localización El Almendral, Valparaíso, Chile Vías adyacentes Chacabuco, Molina, Plaza Victoria y Edwards Creación 1841 Metro Bellavista Ubicación 33°02′46″S 71°37′11″O  /  -33.04624167, -71.61980833 Coordenadas: 33°02′46″S 71°37′11″O  /  -33.04624167, -71.61980833 [editar datos en Wikidata] La Plaza Victoria , también llamada Plaza de la Victoria , [ 1 ] ​ es una plaza ubicada en el sector El Almendral del plan de la ciudad de Valparaíso, Chile, de importancia patrimonial, que incluye valiosas estatuas y especies vegetales. [ 2 ] ​ La plaza se creó como tal en la primera mitad del siglo XIX, tomando previamente los nombres de Plaza Nueva y Plaza de Orrego . Si bien desde sus inicios tuvo relevancia histórica, no fue sino a partir de fines de los años 1860 cuando comenzó a cobrar mayor importancia y se convirtió en uno de los principales centros sociales de l
            Read more

            Puebla de Zaragoza

            Image
            Para otros usos de este término, véase Puebla (desambiguación). Heroica Puebla de Zaragoza Localidad De arriba a abajo de izquierda a derecha: Estrella de Puebla, Volcán Popocatépetl, Catedral de Puebla, Monumento a Ignacio Zaragoza, Estadio Cuauhtémoc, Angelópolis y Vista panorámica de la ciudad. Escudo Otros nombres: El relicario de América/ La ciudad de los Ángeles/ La Angelópolis Lema: Muy noble y muy leal ciudad de Puebla de los Ángeles Heroica Puebla de Zaragoza Localización de Heroica Puebla de Zaragoza en México Heroica Puebla de Zaragoza Localización de Heroica Puebla de Zaragoza en Puebla Mapa interactivo Coordenadas 19°03′05″N 98°13′04″O  /  19.051388888889, -98.217777777778 Coordenadas: 19°03′05″N 98°13′04″O  /  19.051388888889, -98.217777777778 Idioma oficial Español Entidad Localidad  • País   México  • Estado Puebla  • Municipio Puebla Presidente municipal Claudia Rivera Vivanc
            Read more

            Musa

            Image
            Para el género de plantas, véase Musa (planta). Apolo y la Nueve Musas En la mitología griega, las musas (en griego antiguo μοῦσαι « mousai» ) son, según los escritores más antiguos, las divinidades inspiradoras de las Artes: cada una de ellas está relacionada con ramas artísticas y del conocimiento. Son hijas de Zeus y de Mnemósine, compañeras del séquito de Apolo, dios olímpico de la música y patrón de las bellas artes, quien tuvo romances con cada una de ellas, dejando descendientes. Bajaban a la tierra a susurrar ideas e inspirar a aquellos mortales que las invocaran. En la época más arcaica eran las ninfas inspiradoras de las fuentes, en las cuales eran adoradas. Finalmente, alrededor de los siglos VIII-VII a. C. [ 1 ] ​ prevaleció en todo el territorio de la Hélade la adoración de las nueve Musas, que son Calíope, Clío, Erato, Euterpe, Melpómene, Polimnia, Talía, Terpsícore y Urania. El culto a las musas era originalmente de Tracia y Beocia, y fueron de vital impo
            Read more