Bug 1010458

Summary: encrypted swap using luks prompts for passphrase at boot
Product: [Fedora] Fedora Reporter: bugz
Component: anacondaAssignee: Anaconda Maintenance Team <anaconda-maint-list>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 19CC: anaconda-maint-list, bugz, dennis, dshea, g.kaviyarasu, harald, johannbg, jonathan, lnykryn, msekleta, plautrba, systemd-maint, vanmeeuwen+fedora, vpavlin, zbyszek
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-29 14:02:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description bugz 2013-09-20 19:50:43 UTC 
Description of problem:
After a fresh installation of Fedora 19 which selected encrypted swap (but no other encrypted disk) at every boot I am prompted for the passphrase for the swap on LUKS.

That's a reasonable thing to happen for encrypted filesystems but swap should be treated differently as you want that data destroyed at every shutdown and remade from scratch at every boot.   For swap generate a new random key at every boot.   Don't prompt for a passphrase in relation to swap.  If swap is the only volume encrypted then don't prompt for a passphrase at all.

OpenBSD has had encrypted swap such as I describe for many years.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.  Install f19 from ISO image on USB.
2.  Select encryped swap with a tickbox during disk partitioning and mounting.
3.  Observe passphrase prompt at every subsequent boot.

Actual results:
Prompted for passphrase applicable to only the swap partition.

Expected results:
Allow unattended boot with new random key each time.

Additional info:
Comment 1 Lennart Poettering 2013-09-29 18:20:43 UTC 
What is your /etc/crypttab?

Note that the "swap" crypttab option needs to be used for your swap crypt partition so that a random key is used and the image initialized with mkswap.

Did you create the encrypted partition "manually" in the installer? If not there's probably something to fix in the installer to add the "swap" option to the entry.
Comment 2 bugz 2013-10-09 11:59:57 UTC 
I have reproduced this today.

Disk was partitioned by "standard partition".
DID NOT tick the "Encrypt my data.  I'll set a passphrase later" box.

Made partitions /boot (Reformat), /(Reformat), swap(Encrypt,Reformat).
prompted for disk passphrase
completed install

At boot I am prompted for the disk passphrase.
Comment 3 Harald Hoyer 2013-10-29 12:13:56 UTC 
(In reply to bugz from comment #2)
> prompted for disk passphrase
> completed install
> 
> At boot I am prompted for the disk passphrase.

so, I guess /etc/crypttab does not have /dev/urandom as the key file and swap as the option.

Reassigning to anaconda, which does the initial setup.
Comment 4 David Shea 2013-10-29 14:02:21 UTC 
anaconda does not set up encrypted swap in this way. The "encrypt" option in partitioning sets up encrypted partitions that are unlocked at boot. To use encrypted swap in the way you describe you will need to create a /etc/crypttab configuration after installation (or in a %post section of a kickstart) as described in comment 1.