cross-posted from: https://programming.dev/post/19007507

For context:
I’ve encrypted the swap partition with:

cryptsetup -v luksFormat /dev/${DEVICE}
cryptsetup luksOpen /dev/${DEVICE} swap

And what I want is for the user to be able to enter their password only once to decrypt their root partition which would contain a keyfile to then decrypt their swap partition.

Does anyone know if this is possible?
Just thought I’d ask to see if anyone’s done this already

Links:

  • @CMahaff
    link
    English
    23 months ago

    Doubling what Klaymore said, I’ve seen this “just work” as long as all partitions have the same password, no key files necessary.

    That said, if you needed to use a key file for some reason, that should work too, especially if your root directory is one big partition. Keep in mind too that the luks commands for creating a password-based encrypted partition vs a keyfile-based encrypted partition are different, so you can’t, for example, put your plaintext password into a file and expect that to unlock a LUKS partition that was setup with a password.

    But the kernel should be trying to mount your root partition first at boot time where it will prompt for the password. After that it would look to any /etc/crypttab entries for information about unlocking the other partitions. In that file you can provide a path to your key file, and as long as it’s on the same partition as the crypttab it should be able to unlock any other partitions you have at boot time.

    It is also possible, as one of your links shows, to automatically unlock even the root partition by putting a key file and custom /etc/crypttab into your initramfs (first thing mounted at boot time), but it’s not secure to do so since the initramfs isn’t (and can’t be) encrypted - it’s kind of the digital equivalent of hiding the house key under the door mat.