Bug 1010458 - encrypted swap using luks prompts for passphrase at boot
Product: Fedora
Classification: Fedora
Component: anaconda
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Assigned To: Anaconda Maintenance Team
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-09-20 15:50 EDT by bugz
Modified: 2013-10-29 10:02 EDT
Doc Type: Bug Fix
Last Closed: 2013-10-29 10:02:21 EDT
Type: Bug
Description bugz 2013-09-20 15:50:43 EDT
Description of problem:
After a fresh installation of Fedora 19 which selected encrypted swap (but no other encrypted disk), at every boot I am prompted for the passphrase for the swap on LUKS.

That's a reasonable thing to happen for encrypted filesystems, but swap should be treated differently, as you want that data destroyed at every shutdown and remade from scratch at every boot. For swap, generate a new random key at every boot. Don't prompt for a passphrase in relation to swap. If swap is the only volume encrypted, then don't prompt for a passphrase at all.

OpenBSD has had encrypted swap such as I describe for many years.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  Install f19 from ISO image on USB.
2.  Select encrypted swap with a tickbox during disk partitioning and mounting.
3.  Observe passphrase prompt at every subsequent boot.

Actual results:
Prompted for passphrase applicable to only the swap partition.

Expected results:
Allow unattended boot with new random key each time.

Additional info:
Comment 1 Lennart Poettering 2013-09-29 14:20:43 EDT
What is your /etc/crypttab?

Note that the "swap" crypttab option needs to be used for your swap crypt partition so that a random key is used and the image initialized with mkswap.

Did you create the encrypted partition "manually" in the installer? If not, there's probably something to fix in the installer to add the "swap" option to the entry.
Comment 2 bugz 2013-10-09 07:59:57 EDT
I have reproduced this today.

Disk was partitioned by "standard partition".
DID NOT tick the "Encrypt my data.  I'll set a passphrase later" box.

Made partitions /boot (Reformat), /(Reformat), swap(Encrypt,Reformat).
prompted for disk passphrase
completed install

At boot I am prompted for the disk passphrase.
Comment 3 Harald Hoyer 2013-10-29 08:13:56 EDT
(In reply to bugz from comment #2)
> prompted for disk passphrase
> completed install
> At boot I am prompted for the disk passphrase.

So, I guess /etc/crypttab does not have /dev/urandom as the key file and swap as the option.

Reassigning to anaconda, which does the initial setup.
Comment 4 David Shea 2013-10-29 10:02:21 EDT
anaconda does not set up encrypted swap in this way. The "encrypt" option in partitioning sets up encrypted partitions that are unlocked at boot. To use encrypted swap in the way you describe you will need to create a /etc/crypttab configuration after installation (or in a %post section of a kickstart) as described in comment 1.
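
Added example (not part of the bug report or any commenter's code): a small check for the condition comments 1 and 3 describe, a swap volume in /etc/crypttab that lacks /dev/urandom as the key file and swap as the option. The sample crypttab and fstab contents, the device paths and the function names are constructed for illustration.

```python
# Added example: constructed sample data, not taken from the bug report.
SAMPLE_CRYPTTAB = """\
# name      device                              key file      options
luks-swap   /dev/disk/by-id/example-disk-part3  none
cryptswap   /dev/disk/by-id/example-disk-part4  /dev/urandom  swap
"""
SAMPLE_FSTAB = """\
/dev/mapper/luks-swap  swap  swap  defaults  0 0
/dev/mapper/cryptswap  swap  swap  defaults  0 0
"""
RANDOM_SOURCES = {"/dev/urandom", "/dev/random"}


def _fields(text):
    """Yield whitespace-split fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split()


def swap_mappings(fstab):
    """Names of /dev/mapper volumes that fstab uses as swap."""
    return {f[0].rsplit("/", 1)[1] for f in _fields(fstab)
            if len(f) >= 3 and f[2] == "swap" and f[0].startswith("/dev/mapper/")}


def audit(crypttab, fstab):
    """Map each swap volume in crypttab to the reasons it is not random-keyed."""
    used_as_swap, report = swap_mappings(fstab), {}
    for f in _fields(crypttab):
        if len(f) < 2:
            continue
        name = f[0]
        key = f[2] if len(f) > 2 else "none"      # missing field means "none"
        opts = f[3].split(",") if len(f) > 3 else []
        if name not in used_as_swap and "swap" not in opts:
            continue                               # not a swap volume
        issues = []
        if key in ("none", "-"):
            issues.append("no key file: passphrase prompt at every boot")
        elif key not in RANDOM_SOURCES:
            issues.append("key file is not a random source")
        if "swap" not in opts:
            issues.append("'swap' option missing: not re-initialised with mkswap")
        report[name] = issues
    return report


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_CRYPTTAB, SAMPLE_FSTAB).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

A volume keyed from /dev/urandom with the swap option is re-created on every boot, so the device field must identify the swap partition unambiguously, and resuming from hibernation out of that swap is not possible.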
