Description of problem:
Using new install to encrypted partitions (fantastic feature, install works
great) I now have to enter the same password several times when I boot the machine.

Version-Release number of selected component (if applicable):
F9 preview release fully updated to rawhide on 20th April 2008. (Sorry not at
machine so don't have version numbers).

Steps to Reproduce:
1. Install F9 selecting encryption support on root, swap, and home partitions.
2. Boot computer

Have to enter the password 3 times.
Should only need to enter the password once.
For home and swap I added a new password slot using cryptsetup, and then put the
new passwords in files configured via /etc/crypttab. This has removed one
password entry (home).
Still I am asked for the swap password because the initrd unlocks it to look for
hibernate resume. For now I've removed this since I don't use hibernate, so now
I'm down to one password as expected. Maybe cryptsetup could be extended to have
a luksOpenMultiple action which would prompt for only as many passwords as
required to open a given list of volumes. Then initrd could open all of them in
This creates a very bad user experience for someone installing a new system,
it's very easy to encrypt it now but people won't expect to have to enter the
same password repeatedly.
Also could do with some decent documentation linked from the release notes, I
had to read through bug reports to figure out crypttab etc.
Haven't tried encrypted-PV. Is this supported? Would it only require one
password? If so maybe recommend that in the release notes?
Encrypted PV is supported and would be recommended (it's what the 'Encrypt
System' checkbox ends up giving you). Doing something to handle unlocking
multiple crypted partitions with the same passwords is on the todo list for the
I've converted my laptop to encrypted PV and now I only need one password and
everything works great. At the moment this is a much better solution.
Added release notes tag because I think it's worth pointing out that for single
password sign-on you'll need encrypted PV rather than encrypted LVs. I
appreciate that 'encrypt system' does that but that is skipped if you decide to
choose your own partitioning layout as I did.
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
With Fedora 10, we also default to using a single passphrase as a 'global passphrase' and plymouth tries to use the first entered passphrase for all devices.
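
The key-file workaround described earlier in this thread leaves passphrase-equivalent secrets on disk, so they should live on the encrypted root and be readable only by their owner. The following check is an added example, not part of the original report or of any Fedora tool: it parses crypttab text, lists the volumes that will still prompt at boot, and flags key files that are missing or too widely readable. The device names and key-file paths in the sample are constructed.

```python
import os
import stat

# Constructed sample: root still prompts, home and swap use key files (paths are assumptions).
SAMPLE_CRYPTTAB = """\
# name      device      keyfile
luks-root   /dev/sda2   none
luks-home   /dev/sda3   /etc/keys/home.key
luks-swap   /dev/sda5   /etc/keys/swap.key
"""

def parse_crypttab(text):
    """Return one dict per mapping; a missing, 'none' or '-' key field means prompt."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue  # blank, comment, or malformed line
        key = fields[2] if len(fields) > 2 else "none"
        entries.append({
            "name": fields[0],
            "device": fields[1],
            "keyfile": None if key in ("none", "-") else key,
            "options": fields[3].split(",") if len(fields) > 3 else [],
        })
    return entries

def prompts_at_boot(entries):
    """Names of the volumes that will still ask for a passphrase."""
    return [e["name"] for e in entries if e["keyfile"] is None]

def keyfile_issues(entries, root="/"):
    """Flag key files that are missing or accessible to group/other."""
    issues = []
    for e in entries:
        if e["keyfile"] is None:
            continue
        path = os.path.join(root, e["keyfile"].lstrip("/"))
        try:
            st = os.stat(path)
        except OSError:
            issues.append((e["name"], "key file missing"))
            continue
        # Only regular files are checked; device nodes are skipped.
        if stat.S_ISREG(st.st_mode) and st.st_mode & 0o077:
            issues.append((e["name"], "mode %o is too open" % stat.S_IMODE(st.st_mode)))
    return issues

if __name__ == "__main__":
    parsed = parse_crypttab(SAMPLE_CRYPTTAB)
    print("prompts:", prompts_at_boot(parsed))
    print("issues:", keyfile_issues(parsed))
```

To audit a real system, pass the contents of /etc/crypttab to `parse_crypttab` and run it as root so the key files can be examined.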