Bug 1212853 - GRUB2 asking for passphrase twice again
Summary: GRUB2 asking for passphrase twice again
Status: RESOLVED DUPLICATE of bug 1205314
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Bootloader (show other bugs)
Version: Current
Hardware: Other Other
: P5 - None : Normal (vote)
Target Milestone: ---
Assignee: E-mail List
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-29 11:01 UTC by Eyad Issa
Modified: 2023-08-18 10:45 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Eyad Issa 2023-06-29 11:01:58 UTC 
Yesterday I reinstalled my Tumbleweed system, with crypted root and crypted swap. I now get again asked twice for my passphrase. 

I could follow what described in https://en.opensuse.org/SDB:Encrypted_root_file_system#Avoiding_to_type_the_passphrase_twice, but last time I installed Tumbleweed there was no need (see https://bugzilla.opensuse.org/show_bug.cgi?id=1206710) for details.
Comment 1 Eyad Issa 2023-06-30 00:16:01 UTC 
Also, on the first install I didn't crypt the swap partition. On this one I did. Could that be it?
Comment 2 Eyad Issa 2023-06-30 10:45:19 UTC 
$ sudo cat /etc/crypttab
cr_root  UUID=c6fa6cc1-2c41-4a46-a8fb-eb589dd21264  none  x-initrd.attach
cr_swap  UUID=a7f32cc5-8fe2-4152-941c-a7f7448b4f02
Comment 3 Matt Weber 2023-06-30 23:49:10 UTC 
When you LUKS encrypt a standard artitions with a password, each partition that is LUKS encrypted will require the user to decrypt it with the password that was established during the LUKS setup.  So if you LUKS encrypt root, /home, and [SWAP], you would need to type 3 passwords during boot.  The only exception would be if @/home was a logical volume under root, in which case it would be decrypted once root is decrypted.    

Once other note: 
Since [SWAP] is encrypted, you may have difficulty resuming from a Hibernate sleep state if you ever put the system in Hibernate mode.  Personally I'm not sure why anyone would do this because it's faster to boot the system from a shutdown, so this is really just an FYI.
Comment 4 Eyad Issa 2023-07-01 00:27:03 UTC 
(In reply to Matt Weber from comment #3)
> So if you LUKS encrypt root,
> /home, and [SWAP], you would need to type 3 passwords during boot.  The only
> exception would be if @/home was a logical volume under root, in which case
> it would be decrypted once root is decrypted.    

So I guess the second password is for the swap, because the root partition should be handled automatically by GRUB passing the password to the initramfs.

> Once other note: 
> Since [SWAP] is encrypted, you may have difficulty resuming from a Hibernate
> sleep state if you ever put the system in Hibernate mode.  Personally I'm
> not sure why anyone would do this because it's faster to boot the system
> from a shutdown, so this is really just an FYI.

It was available on the setup and I decided to do it because if the PC gets stolen while hybernating it could means data is in swap. On the other hand, I will probably remove it and replace it with a btrfs swap subvolume.
Comment 5 Eyad Issa 2023-07-01 00:55:26 UTC 
Ok so:

- removing the swap partition
- removing the entry from /etc/crypttab and /etc/fstab
- running dracut -f to re-create the initramfs

I'm not asked two passwords anymore. Just the bootloader one.

So the conclusion is that the second password was asked because the swap was on a different LUKS partition.

I don't know why the setup creates two partitions by default.

I will add a note on the wiki.
Comment 6 Eyad Issa 2023-08-18 10:45:07 UTC 

*** This bug has been marked as a duplicate of bug 1205314 ***