From unknown Fri Jun 13 09:56:54 2025 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Mailer: MIME-tools 5.509 (Entity 5.509) Content-Type: text/plain; charset=utf-8 From: bug#38924 <38924@debbugs.gnu.org> To: bug#38924 <38924@debbugs.gnu.org> Subject: Status: Encrypted root volume requires passphrase twice on boot Reply-To: bug#38924 <38924@debbugs.gnu.org> Date: Fri, 13 Jun 2025 16:56:54 +0000 retitle 38924 Encrypted root volume requires passphrase twice on boot reassign 38924 guix submitter 38924 Matthew Leach severity 38924 wishlist owner 38924 Jakub K=C4=85dzio=C5=82ka thanks From debbugs-submit-bounces@debbugs.gnu.org Sat Jan 04 14:27:35 2020 Received: (at submit) by debbugs.gnu.org; 4 Jan 2020 19:27:35 +0000 Received: from localhost ([127.0.0.1]:43394 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1inp5D-00036P-16 for submit@debbugs.gnu.org; Sat, 04 Jan 2020 14:27:35 -0500 Received: from lists.gnu.org ([209.51.188.17]:34157) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1inp5A-00036H-PU for submit@debbugs.gnu.org; Sat, 04 Jan 2020 14:27:33 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:39091) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1inp59-0006p0-IX for bug-guix@gnu.org; Sat, 04 Jan 2020 14:27:32 -0500 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=disabled version=3.3.2 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1inp58-0006Lo-Ih for bug-guix@gnu.org; Sat, 04 Jan 2020 14:27:31 -0500 Received: from mx0.mattleach.net ([176.58.118.143]:56992) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1inp58-0006JH-Ci for bug-guix@gnu.org; Sat, 04 Jan 2020 14:27:30 -0500 Received: by mx0.mattleach.net (Postfix, from userid 99) id 6600A61C91; Sat, 4 Jan 2020 19:27:29 +0000 (GMT) Received: from troi.mattleach.net (92.40.248.146.threembb.co.uk [92.40.248.146]) by mx0.mattleach.net (Postfix) with ESMTPSA id A8C8061C21 for ; Sat, 4 Jan 2020 19:27:28 +0000 (GMT) From: Matthew Leach To: bug-guix@gnu.org Subject: Encrypted root volume requires passphrase twice on boot User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) Date: Sat, 04 Jan 2020 19:27:27 +0000 Message-ID: <87pnfznhsw.fsf@mattleach.net> MIME-Version: 1.0 Content-Type: text/plain X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 176.58.118.143 X-Spam-Score: -1.4 (-) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.4 (--) Hi Guix! I've setup guix on two machines each one of them with an encrypted root partition. However, on boot I'm prompted for my passphrase twice, once before the grub menu is shown and second after Linux has started and launched guile as init. I would expect to have to only enter my passphrase once per boot. Regards, -- Matt From debbugs-submit-bounces@debbugs.gnu.org Sat Jan 04 14:56:49 2020 Received: (at 38924) by debbugs.gnu.org; 4 Jan 2020 19:56:49 +0000 Received: from localhost ([127.0.0.1]:43419 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1inpXV-0003uc-F9 for submit@debbugs.gnu.org; Sat, 04 Jan 2020 14:56:49 -0500 Received: from tobias.gr ([80.241.217.52]:37916) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1inpXT-0003uR-B9 for 38924@debbugs.gnu.org; Sat, 04 Jan 2020 14:56:48 -0500 Received: by tobias.gr (OpenSMTPD) with ESMTP id 115d7668; Sat, 4 Jan 2020 19:56:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=tobias.gr; h=from:cc :subject:references:in-reply-to:date:message-id:mime-version :content-type; s=2018; i=me@tobias.gr; bh=OHPr46pc88MzGTHarT+aVE DyQ6f6wFU2GDJuXu1GGTg=; b=GPJt4pyFYuWLsZPbrRF5nmjyBDlldkzIeMaOLT BoX+2NMSNfjLMe2vOcCCk9/d/mYt90nF8iRu7F3+rqApZ9A0F6Piw5uav9KpdfVN sEut01+59N7tMoz0G7MALgFsxMH69xgT/NQXUVJ6Pci9SkqzwYG/TNeGfdAdtKVf thFgOhwN0WFY970CAh1pUgMJhJpCxSvDZ4EW0Uu5FFDD8M0JqWL6a0deGXQw3gPo zbJAyXHqaKnFVClTJCgbDmqyB3AD2ECHPuVqKItPfjv5H4vVSAXsgeX7VsFWBADN rFjvQffi3m4rIZ7cpSbcQPiy4Js1pDz1w2nS4Vjpjsq2Q5Dw== Received: by submission.tobias.gr (OpenSMTPD) with ESMTPSA id 901d9d8a (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Sat, 4 Jan 2020 19:56:45 +0000 (UTC) From: Tobias Geerinckx-Rice Subject: Re: bug#38924: Encrypted root volume requires passphrase twice on boot References: <87pnfznhsw.fsf@mattleach.net> In-reply-to: <87pnfznhsw.fsf@mattleach.net> Date: Sat, 04 Jan 2020 20:56:44 +0100 Message-ID: <87woa73shv.fsf@nckx> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" X-Spam-Score: -1.1 (-) X-Debbugs-Envelope-To: 38924 Cc: Jakub =?utf-8?B?S8SFZHppb8WCa2E=?= , 38924@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.1 (--) --=-=-= Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: quoted-printable Matthew, Matthew Leach =E5=86=99=E9=81=93=EF=BC=9A > I've setup guix on two machines each one of them with an=20 > encrypted root > partition. However, on boot I'm prompted for my passphrase=20 > twice, once > before the grub menu is shown and second after Linux has started=20 > and > launched guile as init. Unfortunately, this is expected. GRUB needs to decrypt the volume to load the Linux-Libre kernel=20 and initrd, and there's no agreed-upon secure way for GRUB to pass=20 the passphrase or key to the kernel/initrd. So you're prompted=20 for it again when the volume is actually mounted by the kernel. > I would expect to have to only enter my passphrase once per=20 > boot. Most distributions hack around this limitation by including the=20 unencrypted LUKS key in the initrd on the encrypted volume itself.=20 Guix doesn't currently have any code to do the same. This has been a problem for years but, by sheer coincidence, Jakub=20 K=C4=85dzio=C5=82ka (CC'd) mentioned that this was on their to-do list for= =20 next week. Kind regards, T G-R --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEfo+u0AlEeO9y5k0W2Imw8BjFSTwFAl4Q7fwACgkQ2Imw8BjF STzz1BAAmRKTo4BglQMeIPAO3CPGC3QI12JVHztTubwJk2GgmRR2uTAXiGPG+Dxu mmC/vabmqthHJBxT8hcHo6FqA3cX0zeEj4Y9c6R1JOQkawGY2ccceVXL7hkdVPN7 PXDUDjxk10oTSMU4Fb5TTM1Bu73otx10qy5nwj3KemSgVbHGxA1cGg+qlqG7N+9s tikpUZPx35Yforitle2OuoX7LVxmQ5xhrk3e/DnoWgqeS/h803Brmqppkbxxj3dC XBkJuXfMdj5cYleYqKWcluE2n0DFDNZTqwLNM0RrV1dea+lI8BY6oYjO+iWEUKnq H+ycZ1tr/FgymPDhJkEA1SUmeWSGb+yjiBbsrtRFAElztqxNQ/SbSe92+ZfXIp+Q tjqAJ+qlJDdx7ZtIfoSmsI0RuMw8fmy8ReKWrEKuCbuhNIFc82BCmhQYZCU/Emdg VOI/6U1DglFMQgD8DPF3Y64xz7LwJf1SEfwovSNxAqT0yYbs9HHCFpm/UHheiu8/ xnHfjfYGqC0zG5XkAd4oP5OAt/G2x/CU6kB6BhWBwuXULSxSZZQfgHl3sZzKgbKv Vvbd7G98atH0o/UlqKA8LEUFso1wZrkEWiaMGD+I5rQGKVBh8lRo8MZ+SPW9TJVG tEsFRR57Zmb8CbDnaaKo063aktmfG8Ms/a0a55U5UhR4kFHjq+Y= =hlQl -----END PGP SIGNATURE----- --=-=-=-- From debbugs-submit-bounces@debbugs.gnu.org Sat Jan 04 15:01:04 2020 Received: (at control) by debbugs.gnu.org; 4 Jan 2020 20:01:04 +0000 Received: from localhost ([127.0.0.1]:43434 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1inpbc-0004uj-KG for submit@debbugs.gnu.org; Sat, 04 Jan 2020 15:01:04 -0500 Received: from tobias.gr ([80.241.217.52]:38100) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1inpbb-0004sp-29 for control@debbugs.gnu.org; Sat, 04 Jan 2020 15:01:03 -0500 Received: by tobias.gr (OpenSMTPD) with ESMTP id 5beb2df9 for ; Sat, 4 Jan 2020 20:01:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=tobias.gr; h=from:to :date:message-id:mime-version:content-type; s=2018; i= me@tobias.gr; bh=vW2UrwVwoYPPEZKhiW5DsjEfoeZrPHlSFWc4KPCBh0g=; b= B3agftmHsZDk/yNYRaZQIwlAibhyFBUPH1w9GPlzEeX8ApWOY9F+25qLKQfvV5xR MAmWC2U9TUTxwyciYZV3j/R/MY4GHcC0fPx7BS5mohhDdZFj7/3w9KwvfpYtah/a LAeG0PvcqMT10cVv790NsW5Sx7mKL870CbqW0Yi1TV/cY0DQNrfA7utIa+oycKSS raSCN2okntCu/I7QRWtmUcm/5Llyi0Euw99wT8k9yXRSlY9QJbgpcPut+g0mumSB u5zBxpKe8V6VoHrVsdO3uTMHjP1ch39DXjqWrPvcXpTl2CsfOcQmAOpX2IahR9qW dcKHpnOBkxH1D9/h0VQOcw== Received: by submission.tobias.gr (OpenSMTPD) with ESMTPSA id ea6d2524 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO) for ; Sat, 4 Jan 2020 20:01:02 +0000 (UTC) From: Tobias Geerinckx-Rice To: GNU bug tracker automated control server Date: Sat, 04 Jan 2020 21:01:01 +0100 Message-ID: <87tv5b3saq.fsf@nckx> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" X-Spam-Score: -0.3 (/) X-Debbugs-Envelope-To: control X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.3 (-) --=-=-= Content-Type: text/plain; format=flowed severity 38924 wishlist merge 32054 38924 --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEfo+u0AlEeO9y5k0W2Imw8BjFSTwFAl4Q7v0ACgkQ2Imw8BjF STz5yA/+L8+1vl2u7U6RLL1rzX3box8t4NI8Hu9r6vjx0iJmHy7j8mfd2cHWBxPH ZIiP6sGDU77QFtbWkFJY6iRdzNRbn2I5zIw1l75shIp2fdrYkwWHq859zYVop3N2 xa2f+oY1/HVZH7vSs5g4tha6J2zyIBTtP8czg4n/4xTlQLAD1CQzxbqKM3afHMQ6 6xc3Z1MhYumC5SSuBvqM5hFKNlOSl3OlpKkfxLdFQjG472y6ISMOaCqKtd21C3KT 0wn1X8/UzxBC7gTflYCz8nx2OglzSkSmZsiYRmydWIcxa0iLBBzDiT4/z9KlFmN1 lpQvx+m8V6wZMh06hVsHiA+v/EUvdbA8vJP7NSAgyx3QyZRgE2IuYezfYcS16wA7 89Gisml0loqU5Ry0OOuwahHfYFikjhtnzAEwEjsjTk9HIuMHEEszWQpKKJ84p60d yHsiW+NAMJmGTrHFUq3vzXenO9W7W4ahCrtoHXtZyhNUXPEYDfv0bzxdXjGeHAlj L0jP77ZavafrcISVTprwvXtvSrMbMjqIG98w7UkaxJBKZwB2r9q48xlHL0U+GuOb QKX8SInxiUAGRqjy0bbaSHlh52fUcT9Zw1mwZok9oeLMWzoD+m6wPIhrbo/ke8Ay 3fR/zoNzk6rsd1YqJXPxJz8bXBDpKknLtd6yLXGyp+7vn7lEEio= =Shsz -----END PGP SIGNATURE----- --=-=-=-- From debbugs-submit-bounces@debbugs.gnu.org Mon Jan 13 19:02:51 2020 Received: (at control) by debbugs.gnu.org; 14 Jan 2020 00:02:51 +0000 Received: from localhost ([127.0.0.1]:60414 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ir9fW-0000GN-Sz for submit@debbugs.gnu.org; Mon, 13 Jan 2020 19:02:51 -0500 Received: from pat.zlotemysli.pl ([37.59.186.212]:34952) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ir9fV-0000GF-6i for control@debbugs.gnu.org; Mon, 13 Jan 2020 19:02:49 -0500 Received: (qmail 15526 invoked by uid 1009); 14 Jan 2020 01:02:47 +0100 Received: from 188.123.215.55 (kuba@kadziolka.net@188.123.215.55) by pat (envelope-from , uid 1002) with qmail-scanner-2.08st (clamdscan: 0.98.6/25693. spamassassin: 3.4.0. perlscan: 2.08st. Clear:RC:1(188.123.215.55):. Processed in 0.008591 secs); 14 Jan 2020 00:02:47 -0000 Received: from unknown (HELO zdrowyportier.kadziolka.net) (kuba@kadziolka.net@188.123.215.55) by pat.zlotemysli.pl with SMTP; 14 Jan 2020 01:02:47 +0100 Date: Tue, 14 Jan 2020 01:02:45 +0100 From: Jakub =?utf-8?B?S8SFZHppb8WCa2E=?= To: control@debbugs.gnu.org Subject: Assigning bugs I will soon send patches for to myself (where soon = a few days) Message-ID: <20200114000245.4q7mv7y6mqgpbxz4@zdrowyportier.kadziolka.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: control X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) owner 38884 ! owner 32054 ! thanks