Encryption of each custom mount point

Gen3x

#1 Post by Gen3x »

Hello,

I installed Debian 11.3.0 amd64, the custom locations for the mount points didn't change, it's about /home, /boot etc.

I managed to create all of them manually through LVM, then encrypted them one by one, so I had to repeat the password 9*2=18 times, + 2 others for a mistake :lol: :mrgreen:
I already knew that the same would happen during the boot process, but surprisingly, it happened only for 2 of them (/root and /usr), then the system started as usual.
In case you wonder, all the others are properly mounted and decrypted automatically.

Questions:
1. Why does it happen for only 2 of them?
2. Why doesn't it happen only one time to unblock all of them? That's what I would expect.
I can report this bug if you confirm the same.


------
Prior to this, I managed to fix GRUB bootloader during the installation from USB (it didn't find the files), loaded it up with the vmlinuz etc, what a day.

p.H

#2 Post by p.H »

Gen3x wrote: 2022-05-12 14:28 I managed to create all of them manually through LVM, then encrypted one by one
Why didn't you encrypt the LVM physical volume(s) instead of the LVM logical volumes ?
Why did you separate /usr ?
Gen3x wrote: 2022-05-12 14:28 it happened only for 2 of them (/root and /usr)
I guess you mean / and /usr ?
/root (root's home directory) should not be a separate filesystem, so that it is available even when /home fails to mount.
Gen3x wrote: 2022-05-12 14:28 1. Why it happens for only 2 of them?
/ and /usr are mounted by the initramfs. Other filesystems are mounted by init (systemd).
If plymouth is installed, it captures the passphrases typed during the initramfs stage and hands them to systemd password management. Systemd tries known passphrases before prompting the user when unlocking encrypted volumes.
Gen3x wrote: 2022-05-12 14:28 2. Why it doesn't happen only one time to unblock all of them?
Because the initramfs does not try known passphrases.

Gen3x

#3 Post by Gen3x »

p.H wrote: 2022-05-17 15:28
Gen3x wrote: 2022-05-12 14:28 I managed to create all of them manually through LVM, then encrypted one by one
Why didn't you encrypt the LVM physical volume(s) instead of the LVM logical volumes ?
Why did you separate /usr ?
Gen3x wrote: 2022-05-12 14:28 it happened only for 2 of them (/root and /usr)
I guess you mean / and /usr ?
/root (root's home directory) should not be a separate filesystem, so that it is available even when /home fails to mount.
Gen3x wrote: 2022-05-12 14:28 1. Why it happens for only 2 of them?
/ and /usr are mounted by the initramfs. Other filesystems are mounted by init (systemd).
If plymouth is installed, it captures the passphrases typed during the initramfs stage and hands them to systemd password management. Systemd tries known passphrases before prompting the user when unlocking encrypted volumes.
Gen3x wrote: 2022-05-12 14:28 2. Why it doesn't happen only one time to unblock all of them?
Because the initramfs does not try known passphrases.
Thanks for the answer.

Yes, I meant "/", not "/root".

I didn't know it was possible to encrypt the whole logical volume in the beginning, but it didn't seem right, I tried and it asked to format it again later... I'll try once more. Plus, I don't think you can touch an encrypted volume, the encryption is the last thing you can set.

Based on your last sentence, I assume that 2 attempts for "/" and "/usr" would be still necessary.

p.H

#4 Post by p.H »

Gen3x wrote: 2022-05-20 20:13 don't think you can touch an encrypted volume
You cannot modify the partition used as a physical volume for encryption. But you can use the resulting encrypted volume for whatever you like (filesystem, LVM physical volume, swap...).

1. Use partition as physical volume for encryption with passphrase.
2. Manage encrypted volumes and select the partition. It will create an encrypted volume /dev/mapper/something_crypt.
3. Use the encrypted volume as physical volume for LVM.
4. Manage LVM and create a volume group and logical volumes for /, /usr, swap, /home... Leave free space for future needs.
Gen3x wrote: 2022-05-20 20:13 I assume that 2 attempts for "/" and "/usr" would be still necessary.
Not if they are LVM logical volumes within the same single encrypted physical volume.

PS : Why do you want a separate /usr ? Mount read only ?
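
A small model of the explanation in this thread, added here as an example and not part of any post: it reads a crypttab and an fstab and lists which LUKS mappings have to be opened in the initramfs (one passphrase prompt each) and which are left to systemd. The file contents, the `vg0` and `sda5_crypt` names and the `lv_to_pv` input are constructed assumptions.

```python
# Added example; every device name and file content here is constructed.
EARLY = {"/", "/usr"}  # filesystems the initramfs mounts, per the answer above

def fields(text):
    """Yield the whitespace-split fields of each non-comment, non-blank line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def unlock_stages(crypttab, fstab, lv_to_pv):
    """Return which crypttab mappings each boot stage has to open.
    lv_to_pv maps a logical volume path to the device holding its physical
    volume (hypothetical helper input, not read from a real system here).
    """
    # crypttab columns: <name> <source device> <key file> <options>
    source = {"/dev/mapper/" + f[0]: f[1] for f in fields(crypttab)}
    stages = {"initramfs": set(), "systemd": set()}
    for dev, mountpoint, *_ in fields(fstab):
        stage = "initramfs" if mountpoint in EARLY else "systemd"
        seen = set()
        while dev and dev not in seen:   # walk down the block-device stack
            seen.add(dev)
            if dev in source:            # this layer is a LUKS mapping
                stages[stage].add(dev.rsplit("/", 1)[1])
            dev = source.get(dev) or lv_to_pv.get(dev)
    stages["systemd"] -= stages["initramfs"]  # already open at hand-over
    return {name: sorted(maps) for name, maps in stages.items()}

# Layout from post #1 (shortened): one LUKS container per logical volume.
PER_LV_CRYPTTAB = """\
root_crypt /dev/vg0/root none luks
usr_crypt  /dev/vg0/usr  none luks
home_crypt /dev/vg0/home none luks
"""
PER_LV_FSTAB = """\
/dev/mapper/root_crypt /     ext4 errors=remount-ro 0 1
/dev/mapper/usr_crypt  /usr  ext4 defaults 0 2
/dev/mapper/home_crypt /home ext4 defaults 0 2
"""
# Layout from post #4: one LUKS container used as the only LVM physical volume.
ONE_PV_CRYPTTAB = "sda5_crypt /dev/sda5 none luks\n"
ONE_PV_FSTAB = PER_LV_FSTAB.replace("_crypt", "").replace("mapper/", "mapper/vg0-")
ONE_PV_LVS = {f"/dev/mapper/vg0-{lv}": "/dev/mapper/sda5_crypt"
              for lv in ("root", "usr", "home")}

if __name__ == "__main__":
    print(unlock_stages(PER_LV_CRYPTTAB, PER_LV_FSTAB, {}))
    print(unlock_stages(ONE_PV_CRYPTTAB, ONE_PV_FSTAB, ONE_PV_LVS))
```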
