GNU bug report logs - #38924
Encrypted root volume requires passphrase twice on boot

Previous Next

Package: guix;

Reported by: Matthew Leach <matthew <at> mattleach.net>

Date: Sat, 4 Jan 2020 19:28:02 UTC

Owned by: Jakub Kądziołka <kuba <at> kadziolka.net>

Severity: wishlist

Merged with 32054

Full log

View this message in rfc822 format

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
Cc: Jakub Kądziołka <kuba <at> kadziolka.net>, 38924 <at> debbugs.gnu.org
Subject: bug#38924: Encrypted root volume requires passphrase twice on boot
Date: Sat, 04 Jan 2020 20:56:44 +0100

[Message part 1 (text/plain, inline)]
Matthew,

Matthew Leach 写道:
> I've setup guix on two machines each one of them with an 
> encrypted root
> partition. However, on boot I'm prompted for my passphrase 
> twice, once
> before the grub menu is shown and second after Linux has started 
> and
> launched guile as init.

Unfortunately, this is expected.

GRUB needs to decrypt the volume to load the Linux-Libre kernel 
and initrd, and there's no agreed-upon secure way for GRUB to pass 
the passphrase or key to the kernel/initrd.  So you're prompted 
for it again when the volume is actually mounted by the kernel.

> I would expect to have to only enter my passphrase once per 
> boot.

Most distributions hack around this limitation by including the 
unencrypted LUKS key in the initrd on the encrypted volume itself. 
Guix doesn't currently have any code to do the same.

This has been a problem for years but, by sheer coincidence, Jakub 
Kądziołka (CC'd) mentioned that this was on their to-do list for 
next week.

Kind regards,

T G-R

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 5 years and 152 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.