Bug 443426 - Have to enter password multiple times on boot
Product: Fedora
Classification: Fedora
Component: mkinitrd
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Peter Jones
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-04-21 10:22 EDT by Martin Ebourne
Modified: 2009-05-05 17:54 EDT
Doc Type: Bug Fix
Last Closed: 2009-05-05 17:54:53 EDT
fedora: fedora_requires_release_note+

Description Martin Ebourne 2008-04-21 10:22:33 EDT
Description of problem:
Using new install to encrypted partitions (fantastic feature, install works
great) I now have to enter the same password several times when I boot the machine.

Version-Release number of selected component (if applicable):
F9 preview release fully updated to rawhide on 20th April 2008. (Sorry not at
machine so don't have version numbers).

How reproducible:
Every time.

Steps to Reproduce:
1. Install F9 selecting encryption support on root, swap, and home partitions.
2. Boot computer

Actual results:
Have to enter the password 3 times.

Expected results:
Should only need to enter the password once.

Additional info:
For home and swap I added a new password slot using cryptsetup, and then put the
new passwords in files configured via /etc/crypttab. This has removed one
password entry (home).

Still I am asked for the swap password because the initrd unlocks it to look for
hibernate resume. For now I've removed this since I don't use hibernate, so now
I'm down to one password as expected. Maybe cryptsetup could be extended to have
a luksOpenMultiple action which would prompt for only as many passwords as
required to open a given list of volumes. Then initrd could open all of them in
one go.

This creates a very bad user experience for someone installing a new system,
it's very easy to encrypt it now but people won't expect to have to enter the
same password repeatedly.

Also could do with some decent documentation linked from the release notes, I
had to read through bug reports to figure out crypttab etc.

Haven't tried encrypted-PV. Is this supported? Would it only require one
password? If so maybe recommend that in the release notes?
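
The key-file workaround in the description above can be audited with a small script; this is an added example, not part of the original report or of any Fedora tool. It assumes the usual four-column crypttab layout (name, device, key file, options) with `none` or `-` meaning "prompt", and the sample entries, UUIDs and key paths are constructed. Key files are only as protected as the volume they sit on, so it also flags files that are missing or accessible to group/other.

```python
import os
import stat

# Constructed sample matching the report's layout: root prompts, home and
# swap read key files. Names, UUIDs and paths are made up for illustration.
SAMPLE_CRYPTTAB = """\
# name      device            keyfile              options
luks-root   UUID=0000-root    none
luks-home   UUID=0000-home    /etc/keys/home.key
luks-swap   UUID=0000-swap    /etc/keys/swap.key   swap
"""

NO_KEYFILE = ("none", "-")  # values that mean "ask for a passphrase"

def parse_crypttab(text):
    """Return one dict per entry; comments and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        entries.append({
            "name": fields[0],
            "device": fields[1],
            "keyfile": fields[2] if len(fields) > 2 else "none",
            "options": fields[3].split(",") if len(fields) > 3 else [],
        })
    return entries

def prompts_at_boot(entries):
    """Names of the volumes that will prompt interactively."""
    return [e["name"] for e in entries if e["keyfile"] in NO_KEYFILE]

def keyfile_findings(entries, root="/"):
    """Flag key files that are missing or accessible to group/other."""
    findings = []
    for e in entries:
        if e["keyfile"] in NO_KEYFILE or e["keyfile"].startswith("/dev/"):
            continue  # passphrase prompt, or a random key such as /dev/urandom
        path = os.path.join(root, e["keyfile"].lstrip("/"))
        if not os.path.isfile(path):
            findings.append((e["name"], e["keyfile"], "missing"))
        elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append((e["name"], e["keyfile"], "group/other access"))
    return findings

if __name__ == "__main__":
    sample = parse_crypttab(SAMPLE_CRYPTTAB)
    print(prompts_at_boot(sample), keyfile_findings(sample))
```

To audit a real system, pass the contents of `/etc/crypttab` to `parse_crypttab` and run `keyfile_findings` as root so the key files can be examined.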
Comment 1 Jeremy Katz 2008-04-21 19:31:30 EDT
Encrypted PV is supported and would be recommended (it's what the 'Encrypt
System' checkbox ends up giving you).  Doing something to handle unlocking
multiple crypted partitions with the same passwords is on the todo list for the
Comment 2 Martin Ebourne 2008-04-28 19:41:30 EDT
I've converted my laptop to encrypted PV and now I only need one password and
everything works great. At the moment this is a much better solution.

Added release notes tag because I think it's worth pointing out that for single
password sign-on you'll need encrypted PV rather than encrypted LVs. I
appreciate that 'encrypt system' does that but that is skipped if you decide to
choose your own partitioning layout as I did.
Comment 3 Bug Zapper 2008-05-14 05:51:45 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
Comment 4 Jeremy Katz 2009-05-05 17:54:53 EDT
With Fedora 10, we also default to using a single passphrase as a 'global passphrase' and plymouth tries to use the first entered passphrase for all devices.
