Bug 443426 - Have to enter password multiple times on boot
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: mkinitrd
Version: 9
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Peter Jones
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-04-21 14:22 UTC by Martin Ebourne
Modified: 2009-05-05 21:54 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-05-05 21:54:53 UTC
fedora: fedora_requires_release_note+


Description Martin Ebourne 2008-04-21 14:22:33 UTC
Description of problem:
Using new install to encrypted partitions (fantastic feature, install works
great) I now have to enter the same password several times when I boot the machine.

Version-Release number of selected component (if applicable):
F9 preview release fully updated to rawhide on 20th April 2008. (Sorry not at
machine so don't have version numbers).

How reproducible:
Every time.

Steps to Reproduce:
1. Install F9 selecting encryption support on root, swap, and home partitions.
2. Boot computer
  
Actual results:
Have to enter the password 3 times.

Expected results:
Should only need to enter the password once.

Additional info:
For home and swap I added a new password slot using cryptsetup, and then put the
new passwords in files configured via /etc/crypttab. This has removed one
password entry (home).

Still I am asked for the swap password because the initrd unlocks it to look for
hibernate resume. For now I've removed this since I don't use hibernate, so now
I'm down to one password as expected. Maybe cryptsetup could be extended to have
a luksOpenMultiple action which would prompt for only as many passwords as
required to open a given list of volumes. Then initrd could open all of them in
one go.


Comments:
This creates a very bad user experience for someone installing a new system,
it's very easy to encrypt it now but people won't expect to have to enter the
same password repeatedly.

Also could do with some decent documentation linked from the release notes, I
had to read through bug reports to figure out crypttab etc.

Haven't tried encrypted-PV. Is this supported? Would it only require one
password? If so maybe recommend that in the release notes?
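
A check related to the key-file workaround described in the report above, added here as an example (not part of the original bug report or of Fedora's tooling): it parses crypttab text, counts the volumes that will still prompt for a passphrase, and flags key files readable by group or others. The UUIDs and the /etc/keys paths are constructed placeholders.

```python
import os, stat, tempfile

# Constructed sample: root still prompts, swap and home use key files.
# UUIDs and key file paths are placeholders, not values from the report.
SAMPLE = """\
luks-root  UUID=00000000-0000-0000-0000-000000000001  none
luks-swap  UUID=00000000-0000-0000-0000-000000000002  /etc/keys/swap.key
luks-home  UUID=00000000-0000-0000-0000-000000000003  /etc/keys/home.key
"""

def parse_crypttab(text):
    """Yield (name, keyfile) per entry; a missing third field means 'none'."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            yield fields[0], (fields[2] if len(fields) > 2 else "none")

def prompts_at_boot(text):
    """Number of crypttab volumes that ask for a passphrase interactively."""
    return sum(key in ("none", "-") for _, key in parse_crypttab(text))

def audit(text, root="/"):
    """Map each volume name to how it is unlocked and whether its key file is safe."""
    report = {}
    for name, key in parse_crypttab(text):
        if key in ("none", "-"):
            report[name] = "prompt"
        elif key in ("/dev/urandom", "/dev/random"):
            report[name] = "random-key"
        else:
            try:
                path = os.path.join(root, key.lstrip("/"))
                mode = stat.S_IMODE(os.stat(path).st_mode)
                report[name] = "keyfile-exposed" if mode & 0o077 else "keyfile-ok"
            except OSError:
                report[name] = "keyfile-missing"
    return report

def demo():
    """Audit SAMPLE against a throwaway root holding one tight and one loose key file."""
    with tempfile.TemporaryDirectory() as root:
        keys = os.path.join(root, "etc", "keys")
        os.makedirs(keys)
        for fname, mode in (("swap.key", 0o400), ("home.key", 0o644)):
            path = os.path.join(keys, fname)
            with open(path, "wb") as fh:
                fh.write(os.urandom(32))
            os.chmod(path, mode)
        return audit(SAMPLE, root)
```

This counts only prompts driven by crypttab; the initrd opening swap for hibernate resume, as described in the report, is outside what it can see. A key file protects a volume only as long as the filesystem holding it is itself encrypted.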

Comment 1 Jeremy Katz 2008-04-21 23:31:30 UTC
Encrypted PV is supported and would be recommended (it's what the 'Encrypt
System' checkbox ends up giving you).  Doing something to handle unlocking
multiple crypted partitions with the same passwords is on the todo list for the
future.

Comment 2 Martin Ebourne 2008-04-28 23:41:30 UTC
I've converted my laptop to encrypted PV and now I only need one password and
everything works great. At the moment this is a much better solution.

Added release notes tag because I think it's worth pointing out that for single
password sign-on you'll need encrypted PV rather than encrypted LVs. I
appreciate that 'encrypt system' does that but that is skipped if you decide to
choose your own partitioning layout as I did.

Comment 3 Bug Zapper 2008-05-14 09:51:45 UTC
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 4 Jeremy Katz 2009-05-05 21:54:53 UTC
With Fedora 10, we also default to using a single passphrase as a 'global passphrase' and plymouth tries to use the first entered passphrase for all devices.
