Encrypted root volume requires passphrase twice on boot

Status: Open
Participants: Jakub Kądziołka, Matthew Leach, Tobias Geerinckx-Rice
Owner: Somebody
Submitted by: Matthew Leach
Severity: wishlist
Matthew Leach wrote on 4 Jan 2020 20:27
(address . bug-guix@gnu.org)
87pnfznhsw.fsf@mattleach.net
Hi Guix!

I've set up Guix on two machines, each of them with an encrypted root
partition. However, on boot I'm prompted for my passphrase twice: once
before the GRUB menu is shown and a second time after Linux has started and
launched Guile as init.

I would expect to have to only enter my passphrase once per boot.

Regards,
--
Matt
Tobias Geerinckx-Rice wrote on 4 Jan 2020 20:56
87woa73shv.fsf@nckx
Matthew,

Matthew Leach wrote:
> I've setup guix on two machines each one of them with an encrypted root
> partition. However, on boot I'm prompted for my passphrase twice, once
> before the grub menu is shown and second after Linux has started and
> launched guile as init.

Unfortunately, this is expected.

GRUB needs to decrypt the volume to load the Linux-Libre kernel
and initrd, and there's no agreed-upon secure way for GRUB to pass
the passphrase or key to the kernel/initrd. So you're prompted
for it again when the volume is actually mounted by the kernel.

> I would expect to have to only enter my passphrase once per boot.

Most distributions hack around this limitation by including the
unencrypted LUKS key in the initrd on the encrypted volume itself.
Guix doesn't currently have any code to do the same.

This has been a problem for years but, by sheer coincidence, Jakub
Kądziołka (CC'd) mentioned that this was on their to-do list for
next week.

Kind regards,

T G-R

Tobias Geerinckx-Rice wrote on 4 Jan 2020 21:01
(no subject)
(name . GNU bug tracker automated control server)(address . control@debbugs.gnu.org)
87tv5b3saq.fsf@nckx
severity 38924 wishlist
merge 32054 38924

Jakub Kądziołka wrote on 14 Jan 2020 01:02
Assigning bugs I will soon send patches for to myself (where soon = a few days)
(address . control@debbugs.gnu.org)
20200114000245.4q7mv7y6mqgpbxz4@zdrowyportier.kadziolka.net
owner 38884 !
owner 32054 !
thanks