From: Tobias Geerinckx-Rice via Bug reports for GNU Guix
Subject: bug#38924: Encrypted root volume requires passphrase twice on boot
Date: Sat, 04 Jan 2020 20:56:44 +0100
Message-ID: <87woa73shv.fsf@nckx>
In-reply-to: <87pnfznhsw.fsf@mattleach.net>
Cc: Jakub Kądziołka, 38924@debbugs.gnu.org

Matthew,

Matthew Leach wrote:

> I've set up guix on two machines, each one of them with an encrypted root
> partition. However, on boot I'm prompted for my passphrase twice, once
> before the grub menu is shown and second after Linux has started and
> launched guile as init.

Unfortunately, this is expected.
GRUB needs to decrypt the volume to load the Linux-Libre kernel and initrd, and there's no agreed-upon secure way for GRUB to pass the passphrase or key to the kernel/initrd. So you're prompted for it again when the volume is actually mounted by the kernel.

> I would expect to have to only enter my passphrase once per boot.

Most distributions hack around this limitation by including the unencrypted LUKS key in the initrd on the encrypted volume itself. Guix doesn't currently have any code to do the same.

This has been a problem for years but, by sheer coincidence, Jakub Kądziołka (CC'd) mentioned that this was on their to-do list for next week.

Kind regards,

T G-R
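As an added example (not code from this thread or from the Guix project), here is the kind of Guix `operating-system` declaration that produces the two prompts described above, with comments marking which component asks for the passphrase at each stage. The UUID, disk device and host name are placeholders, and the `target` field of `bootloader-configuration` is the one in use in early 2020.

```scheme
;; Added example, not from the bug thread: a minimal Guix system with a
;; LUKS-encrypted root, annotated with where each passphrase prompt comes from.
;; UUID, disk device and host name are placeholders.
(use-modules (gnu))

(define cryptroot
  ;; Prompt 1: GRUB must open this LUKS volume itself to read the kernel and
  ;; initrd from /boot, which lives inside the encrypted root here.
  ;; Prompt 2: the initrd opens the same volume again through
  ;; luks-device-mapping, since GRUB has no agreed secure channel to hand the
  ;; key over (and Guix does not embed a key file in the initrd).
  (mapped-device
   (source (uuid "00000000-0000-0000-0000-000000000000")) ; placeholder LUKS UUID
   (target "cryptroot")
   (type luks-device-mapping)))

(operating-system
  (host-name "example")               ; placeholder
  (timezone "Etc/UTC")
  (locale "en_US.utf8")

  ;; GRUB is installed to the disk's boot sector; it needs cryptodisk
  ;; support to reach /boot on the mapped LUKS device.
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (target "/dev/sda")))     ; placeholder disk

  (mapped-devices (list cryptroot))

  ;; The root file system depends on the mapping, so the initrd must open the
  ;; volume before mounting /. That dependency is the second prompt.
  (file-systems (cons (file-system
                        (device "/dev/mapper/cryptroot")
                        (mount-point "/")
                        (type "ext4")
                        (dependencies (list cryptroot)))
                      %base-file-systems))

  (users %base-user-accounts)
  (packages %base-packages)
  (services %base-services))
```

Keeping /boot inside the encrypted root is what makes the double prompt appear, but it is also what keeps the kernel and initrd (and any key file a future workaround might place there) off an unencrypted partition.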