Why does LUKS only ask for the password once at boot for 2 devices?
I have the following lines in /etc/crypttab:
cryptswap1 /dev/sda2 none luks
hd-crypt UUID=xxxx none luks
and both use the same luks password.
The behaviour of Ubuntu upon boot is:
Please enter password for device cryptswap1.
Boot finishes.
hd-crypt is decrypted too (and mounted via fstab).
Which underlying technology ensures that hd-crypt is decrypted with the password of cryptswap? It is indeed the same password, but I don't see which mechanism passes the password on and why Ubuntu does not ask me twice. I think this behaviour is great, as I can thus protect all my disks via a strong password of swap which secures hibernate-resume (as upon resume all decrypted devices are still decrypted).
I have 2 ideas:
- Keyslot mechanism: both devices use keyslot 0
- some 60 second password caching is happening?
boot mount password encryption luks
What are the contents of your /lib/cryptsetup/scripts/decrypt_keyctl?
– Fabby
Feb 3 at 13:15
I copied it to pastebin: pastebin.com/HxUYQ8i9
– Peter Fleix
Feb 3 at 13:19
You're asking too many questions in one question... Abandoning answer, sorry, I don't know everything you want to know.
– Fabby
Feb 3 at 13:26
Edited, removed 2nd question.
– Peter Fleix
Feb 3 at 13:29
I'm not sure how luks works so posting as a comment and invite correction if I am wrong. Typically, the passphrase is not your decrypt key, but rather the password to a keyring that has the key stored in it. Thus, entering the password unlocks the keyring and gives access to the keys stored there for a certain amount of time. It is possible that all partitions/drives with the same passphrase are stored in the same keyring.
– ravery
Feb 3 at 13:51
edited Feb 3 at 13:28
asked Feb 3 at 13:06
Peter Fleix