GNU bug report logs - #38924
Encrypted root volume requires passphrase twice on boot


Package: guix; Severity: wishlist; Reported by: Matthew Leach <matthew@HIDDEN>; Owned by: Jakub Kądziołka <kuba@HIDDEN>; merged with #32054; dated Sat, 4 Jan 2020 19:28:02 UTC; Maintainer for guix is bug-guix@HIDDEN.
Owner recorded as Jakub Kądziołka <kuba@HIDDEN>. Request was from Jakub Kądziołka <kuba@HIDDEN> to control <at> debbugs.gnu.org.
Merged 32054 38924. Request was from Tobias Geerinckx-Rice <me@HIDDEN> to control <at> debbugs.gnu.org.
Severity set to 'wishlist' from 'normal'. Request was from Tobias Geerinckx-Rice <me@HIDDEN> to control <at> debbugs.gnu.org.

Message received at 38924 <at> debbugs.gnu.org:


From: Tobias Geerinckx-Rice <me@HIDDEN>
Subject: Re: bug#38924: Encrypted root volume requires passphrase twice on boot
References: <87pnfznhsw.fsf@HIDDEN>
In-reply-to: <87pnfznhsw.fsf@HIDDEN>
Date: Sat, 04 Jan 2020 20:56:44 +0100
Message-ID: <87woa73shv.fsf@nckx>
Cc: Jakub Kądziołka <kuba@HIDDEN>, 38924 <at> debbugs.gnu.org

Matthew,

Matthew Leach wrote:
> I've set up guix on two machines each one of them with an encrypted root
> partition. However, on boot I'm prompted for my passphrase twice, once
> before the grub menu is shown and second after Linux has started and
> launched guile as init.

Unfortunately, this is expected.

GRUB needs to decrypt the volume to load the Linux-Libre kernel
and initrd, and there's no agreed-upon secure way for GRUB to pass
the passphrase or key to the kernel/initrd.  So you're prompted
for it again when the volume is actually mounted by the kernel.

> I would expect to have to only enter my passphrase once per boot.

Most distributions hack around this limitation by including the
unencrypted LUKS key in the initrd on the encrypted volume itself.
Guix doesn't currently have any code to do the same.

This has been a problem for years but, by sheer coincidence, Jakub
Kądziołka (CC'd) mentioned that this was on their to-do list for
next week.

Kind regards,

T G-R


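Added example (not part of the original message and not Guix code): the workaround described above leaves the LUKS key in plaintext inside the initrd, so the initrd has to stay on the encrypted volume and be readable only by its owner. This sketch lists the members of an uncompressed newc cpio archive and flags both conditions; the key-file suffixes, the function names, the on_encrypted_volume flag supplied by the caller, and the sample archive are assumptions constructed for illustration.

```python
KEY_SUFFIXES = (".key", ".keyfile", "keyfile.bin")  # assumed naming patterns

def cpio_member(name, data=b"", mode=0o100400):
    """Build one newc cpio record; used only to construct the sample."""
    nm = name.encode() + b"\0"
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nm), 0]
    rec = b"070701" + b"".join(b"%08X" % f for f in fields) + nm
    rec += b"\0" * (-len(rec) % 4)            # header+name padded to 4 bytes
    return rec + data + b"\0" * (-len(data) % 4)

def list_members(archive):
    """Yield (name, size) for each entry of an uncompressed newc archive."""
    pos = 0
    while pos + 110 <= len(archive):
        hdr = archive[pos:pos + 110]
        if hdr[:6] not in (b"070701", b"070702"):
            raise ValueError("no newc header at offset %d" % pos)
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        size, namesize = f[6], f[11]
        name_end = pos + 110 + namesize
        name = archive[pos + 110:name_end - 1].decode()
        if name == "TRAILER!!!":
            return
        data_start = name_end + (-name_end % 4)
        yield name, size
        pos = data_start + size + (-(data_start + size) % 4)

def audit_initrd(archive, initrd_mode, on_encrypted_volume):
    """Return findings for an initrd that may embed LUKS key material."""
    keys = [n for n, s in list_members(archive)
            if s > 0 and n.endswith(KEY_SUFFIXES)]
    findings = ["embedded key material: " + n for n in keys]
    if keys and initrd_mode & 0o077:
        findings.append("initrd readable beyond owner (mode %04o)"
                        % (initrd_mode & 0o777))
    if keys and not on_encrypted_volume:
        findings.append("initrd stored outside the encrypted volume")
    return findings

# Constructed sample: a two-file initrd with a 64-byte dummy key.
SAMPLE = (cpio_member("init", b"#!/bin/sh\n")
          + cpio_member("crypto_keyfile.bin", bytes(64))
          + cpio_member("TRAILER!!!", mode=0))

if __name__ == "__main__":
    for finding in audit_initrd(SAMPLE, 0o644, on_encrypted_volume=False):
        print(finding)
```

Real initrds are usually compressed and may be several archives concatenated, so decompress and split them before passing the bytes in.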



Information forwarded to bug-guix@HIDDEN:
bug#38924; Package guix.

Message received at submit <at> debbugs.gnu.org:


From: Matthew Leach <matthew@HIDDEN>
To: bug-guix@HIDDEN 
Subject: Encrypted root volume requires passphrase twice on boot
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
Date: Sat, 04 Jan 2020 19:27:27 +0000
Message-ID: <87pnfznhsw.fsf@HIDDEN>

Hi Guix!

I've set up guix on two machines each one of them with an encrypted root
partition. However, on boot I'm prompted for my passphrase twice, once
before the grub menu is shown and second after Linux has started and
launched guile as init.

I would expect to have to only enter my passphrase once per boot.

Regards,
-- 
Matt




Acknowledgement sent to Matthew Leach <matthew@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN.
Report forwarded to bug-guix@HIDDEN:
bug#38924; Package guix.
Last modified: Tue, 14 Jan 2020 00:15:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.