Bug 1010458 - encrypted swap using luks prompts for passphrase at boot
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda
Version: 19
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Anaconda Maintenance Team
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-09-20 19:50 UTC by bugz
Modified: 2013-10-29 14:02 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-29 14:02:21 UTC
Type: Bug

Description bugz 2013-09-20 19:50:43 UTC
Description of problem:
After a fresh installation of Fedora 19 which selected encrypted swap (but no other encrypted disk), at every boot I am prompted for the passphrase for the swap on LUKS.

That's a reasonable thing to happen for encrypted filesystems, but swap should be treated differently as you want that data destroyed at every shutdown and remade from scratch at every boot. For swap generate a new random key at every boot. Don't prompt for a passphrase in relation to swap. If swap is the only volume encrypted then don't prompt for a passphrase at all.

OpenBSD has had encrypted swap such as I describe for many years.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.  Install f19 from ISO image on USB.
2.  Select encrypted swap with a tickbox during disk partitioning and mounting.
3.  Observe passphrase prompt at every subsequent boot.

Actual results:
Prompted for passphrase applicable to only the swap partition.

Expected results:
Allow unattended boot with new random key each time.

Additional info:

Comment 1 Lennart Poettering 2013-09-29 18:20:43 UTC
What is your /etc/crypttab?

Note that the "swap" crypttab option needs to be used for your swap crypt partition so that a random key is used and the image initialized with mkswap.

Did you create the encrypted partition "manually" in the installer? If not there's probably something to fix in the installer to add the "swap" option to the entry.

Comment 2 bugz 2013-10-09 11:59:57 UTC
I have reproduced this today.

Disk was partitioned by "standard partition".
DID NOT tick the "Encrypt my data.  I'll set a passphrase later" box.

Made partitions /boot (Reformat), /(Reformat), swap(Encrypt,Reformat).
prompted for disk passphrase
completed install

At boot I am prompted for the disk passphrase.

Comment 3 Harald Hoyer 2013-10-29 12:13:56 UTC
(In reply to bugz from comment #2)
> prompted for disk passphrase
> completed install
> 
> At boot I am prompted for the disk passphrase.

So, I guess /etc/crypttab does not have /dev/urandom as the key file and swap as the option.

Reassigning to anaconda, which does the initial setup.

Comment 4 David Shea 2013-10-29 14:02:21 UTC
anaconda does not set up encrypted swap in this way. The "encrypt" option in partitioning sets up encrypted partitions that are unlocked at boot. To use encrypted swap in the way you describe you will need to create a /etc/crypttab configuration after installation (or in a %post section of a kickstart) as described in comment 1.
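
The check described in comments 1 and 3, as an added example that is not part of this bug thread and is not anaconda or systemd code: it parses crypttab text and reports why a swap mapping would still prompt at boot. The mapping names, the device path and the UUID in the two sample lines are constructed placeholders.

```python
# Added example: audit crypttab text for swap entries that will prompt at boot.
# Field layout (name, device, key file, options) follows crypttab(5).

RANDOM_KEY_SOURCES = {"/dev/urandom", "/dev/random"}

def parse_crypttab(text):
    """Yield (name, device, keyfile, options) for each non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: needs at least a name and a device
        name, device = fields[0], fields[1]
        # An omitted key file behaves like "none": a passphrase is requested.
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = fields[3].split(",") if len(fields) > 3 else []
        yield name, device, keyfile, [o for o in options if o]

def audit_swap_entries(crypttab_text, swap_mappings):
    """Return {name: [problems]} for the mappings that are used as swap.

    swap_mappings: names of the /dev/mapper/<name> devices listed as swap
    in fstab (passed in by the caller; hypothetical helper input).
    """
    findings = {}
    for name, device, keyfile, options in parse_crypttab(crypttab_text):
        if name not in swap_mappings:
            continue
        problems = []
        if keyfile not in RANDOM_KEY_SOURCES:
            problems.append("key file is %r, not a random source" % keyfile)
        if "swap" not in options:
            problems.append("missing 'swap' option: no per-boot mkswap")
        findings[name] = problems
    return findings

# Constructed samples: a passphrase-unlocked entry of the kind the reporter
# ended up with, and the random-key form from comments 1 and 3.
INSTALLER_STYLE = "luks-swap UUID=00000000-0000-0000-0000-000000000000 none\n"
RANDOM_KEY = "cryptswap /dev/disk/by-id/EXAMPLE-part3 /dev/urandom swap\n"

if __name__ == "__main__":
    print(audit_swap_entries(INSTALLER_STYLE, {"luks-swap"}))
    print(audit_swap_entries(RANDOM_KEY, {"cryptswap"}))
```

crypttab(5) warns that the swap option destroys the contents of the named device at every boot, so confirm the device field points at the swap partition before converting an entry to this form.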

