Red Hat Bugzilla – Bug 1010458
encrypted swap using luks prompts for passphrase at boot
Last modified: 2013-10-29 10:02:21 EDT
Description of problem:
After a fresh installation of Fedora 19 in which I selected encrypted swap (but no other encrypted disk), at every boot I am prompted for the passphrase for the swap on LUKS.
That's a reasonable thing to happen for encrypted filesystems but swap should be treated differently as you want that data destroyed at every shutdown and remade from scratch at every boot. For swap generate a new random key at every boot. Don't prompt for a passphrase in relation to swap. If swap is the only volume encrypted then don't prompt for a passphrase at all.
OpenBSD has had encrypted swap such as I describe for many years.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install f19 from ISO image on USB.
2. Select encrypted swap with a tickbox during disk partitioning and mounting.
3. Observe passphrase prompt at every subsequent boot.
Actual results:
Prompted for a passphrase applicable only to the swap partition.
Expected results:
Allow unattended boot with a new random key each time.
What is your /etc/crypttab?
Note that the "swap" crypttab option needs to be used for your swap crypt partition so that a random key is used and the image initialized with mkswap.
Did you create the encrypted partition "manually" in the installer? If not there's probably something to fix in the installer to add the "swap" option to the entry.
I have reproduced this today.
Disk was partitioned by "standard partition".
DID NOT tick the "Encrypt my data. I'll set a passphrase later" box.
Made partitions /boot (Reformat), /(Reformat), swap(Encrypt,Reformat).
Prompted for disk passphrase.
Completed install.
At boot I am prompted for the disk passphrase.
(In reply to bugz from comment #2)
> prompted for disk passphrase
> completed install
> At boot I am prompted for the disk passphrase.
So, I guess /etc/crypttab does not have /dev/urandom as the key file and swap as the option.
Reassigning to anaconda, which does the initial setup.
anaconda does not set up encrypted swap in this way. The "encrypt" option in partitioning sets up encrypted partitions that are unlocked at boot. To use encrypted swap in the way you describe you will need to create a /etc/crypttab configuration after installation (or in a %post section of a kickstart) as described in comment 1.
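The post-install /etc/crypttab configuration that comment 1 and comment 4 point to, as an added shell example that is not part of the bug report and not anaconda's code. It builds the crypttab and fstab lines for a random-key swap mapping and audits a pair of config files for the problem in this report: a swap mapping whose crypttab entry has no random key (so it prompts for a passphrase) or no "swap" option (so mkswap never runs on it). The mapping name "cswap", the device /dev/sda3 and the explicit cipher/size options are placeholders and assumed choices; the sample crypttab and fstab contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report or from anaconda): building and checking
# /etc/crypttab + /etc/fstab entries for swap on a random key, so that no
# passphrase is asked for at boot. Mapping name "cswap" and device /dev/sda3
# are placeholders; on a real system use a stable path such as
# /dev/disk/by-id/... because the partition's contents (and any UUID on it)
# are overwritten with fresh random data at every boot.

# crypttab line: NAME DEVICE KEYFILE OPTIONS
# /dev/urandom as the key file gives plain dm-crypt with a fresh key each boot;
# the "swap" option makes the boot-time cryptsetup run mkswap on the mapping.
# cipher= and size= are set explicitly rather than relying on defaults (assumed choice).
swap_crypttab_line() {
    printf '%s %s /dev/urandom swap,cipher=aes-xts-plain64,size=256\n' "$1" "$2"
}

# fstab line that swaps on the mapping, never on the raw partition.
swap_fstab_line() {
    printf '/dev/mapper/%s none swap defaults 0 0\n' "$1"
}

# Audit: for every swap entry in fstab that lives on /dev/mapper, check that
# the crypttab entry behind it uses a random key and the "swap" option.
# Prints one "BAD ..." line per problem and nothing when the setup is right.
# Args: $1 = crypttab contents, $2 = fstab contents (as strings).
audit_swap_entries() {
    crypttab=$1
    fstab=$2
    printf '%s\n' "$fstab" | while read -r dev _mnt type _rest; do
        case "$dev" in /dev/mapper/*) ;; *) continue ;; esac
        [ "$type" = swap ] || continue
        name=${dev#/dev/mapper/}
        entry=$(printf '%s\n' "$crypttab" | awk -v n="$name" '$1 == n { print; exit }')
        if [ -z "$entry" ]; then
            printf 'BAD %s: no crypttab entry for this mapping\n' "$name"
            continue
        fi
        set -- $entry
        key=$3
        opts=$4
        [ "$key" = /dev/urandom ] ||
            printf "BAD %s: key '%s' means a passphrase prompt at boot\n" "$name" "$key"
        case ",$opts," in
            *,swap,*) ;;
            *) printf "BAD %s: no 'swap' option, mkswap will not run on the mapping\n" "$name" ;;
        esac
    done
}

# Constructed sample configs. The first mirrors what the installer's "Encrypt"
# tick box produces (a LUKS volume unlocked interactively); the second is the fix.
INSTALLER_CRYPTTAB='luks-swap /dev/sda3 none luks'
INSTALLER_FSTAB='/dev/sda2 / ext4 defaults 1 1
/dev/mapper/luks-swap none swap defaults 0 0'

FIXED_CRYPTTAB=$(swap_crypttab_line cswap /dev/sda3)
FIXED_FSTAB="/dev/sda2 / ext4 defaults 1 1
$(swap_fstab_line cswap)"

# Running it:
audit_swap_entries "$INSTALLER_CRYPTTAB" "$INSTALLER_FSTAB"   # two BAD lines
audit_swap_entries "$FIXED_CRYPTTAB" "$FIXED_FSTAB"           # silent
```

Two caveats for anyone applying this: a random-key swap cannot be resumed from, so hibernation will not work with it, and the raw partition must be referenced by a path that survives its contents being rewritten every boot (a by-id or by-partuuid path, not a filesystem UUID).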