LUKS password prompt is now per disk

I’ve just upgraded to 4-0-8. On CentOS there was a single LUKS password prompt during boot. Now on SUSE, it prompts per disk. I only have two encrypted disks, but I expect this would become a dealbreaking annoyance if you have, say, a five-disk RAID.

I expect pretty much all use-cases are like ours in having the same password for all disks. This is assumed in Ubuntu too:

decrypt_keyctl script provides the same password to multiple encrypted LUKS targets, saving you from typing it multiple times

decrypt_keyctl is part of the cryptsetup package. Cryptsetup is also installed in Leap & CentOS, although without decrypt_keyctl.

  1. We imported our disks from our old CentOS install. Does this multiple-password prompting also happen when you luks-encrypt during Rockstor install?
  2. Has anyone figured out how to configure cryptsetup for single-password decryption in openSUSE? I’d be interested to know the contents of /etc/crypttab if someone out there has LUKS-encrypted disks in CentOS. It seems the CentOS defaults just work without further config, so it must be using some way of avoiding duplicate passwords that does not involve decrypt_keyctl. In Ubuntu, you just type keyscript=decrypt_keyctl for each disk in crypttab.

BTW, I need theft protection, so storing a keyfile on the OS disk is not an option. Also, you lose access to all data if the OS disk becomes corrupted. IMO a keyfile is not a sensible default LUKS option in Rockstor, but that is another topic.
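Since the thread turns on what /etc/crypttab contains and how many passphrase prompts it produces, here is an added example (not Rockstor’s code or its generated file) that reads a crypttab in the standard four-field format and reports, per entry, whether boot will prompt for a passphrase, unlock from a keyfile (the theft-protection concern above), or carries an Ubuntu-style keyscript= option. The sample crypttab and its UUIDs are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample /etc/crypttab (example data, not a real system's file).
# Format: <name> <device> <keyfile> <options>; "none" or "-" in the keyfile
# field means the passphrase is asked for interactively at boot.
SAMPLE_CRYPTTAB='# <name> <device> <keyfile> <options>
luks-1111 UUID=1111-aaaa none luks
luks-2222 UUID=2222-bbbb none luks
luks-3333 UUID=3333-cccc /root/keyfile-3333 luks
luks-4444 UUID=4444-dddd none luks,keyscript=decrypt_keyctl
'

# Emit one classification line per entry: "<name> prompt", "<name> keyfile
# <path>", or "<name> keyscript <script>" (keyscript= is an option of the
# Debian/Ubuntu cryptsetup initramfs hooks, hence flagged separately).
classify_crypttab() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    # Word-split the entry into its fields; missing key field means prompt.
    set -- $line
    name=$1; key=${3:-none}; opts=${4:-}
    case ",$opts," in
      *,keyscript=*) echo "$name keyscript ${opts##*keyscript=}" | cut -d, -f1 ;;
      *) case "$key" in
           none|-) echo "$name prompt" ;;
           *)      echo "$name keyfile $key" ;;
         esac ;;
    esac
  done
}

# Number of separate passphrase prompts this crypttab would cause at boot.
count_prompts() {
  classify_crypttab "$1" | grep -c ' prompt$'
}

# Number of entries whose key material lives in a file (on the OS disk).
count_keyfiles() {
  classify_crypttab "$1" | grep -c ' keyfile '
}
```

Run `classify_crypttab "$(cat /etc/crypttab)"` on a real host to see the same breakdown for its own entries.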

@grizzly Hello again, and thanks for the report.

Agreed.

Re:

Yes, that’s the assumption/recommendation in Rockstor also.

I’ll try and have a look at this soon; it’s been a while since I added the LUKS stuff, and yes, my findings were that in Rockstor v3 (CentOS based) it would only ask for the passphrase once and try and use it for all subsequent drives, only asking again if it failed. That’s why I suggested in the Web-UI that the same passphrase be used for all Pool members: to avoid the problem you are now having of multiple, potentially impractical, password entries.

Only if you also forget the passphrase you entered during initial LUKS setup within the Rockstor Web-UI. And that’s the case with LUKS always, hence the prompt that it’s particularly important. The keyfile is generated from the passphrase; it’s a stand-in of sorts. The passphrase is still in play and can still unlock the data pool drives if the system drive is lost.

Yes, in that case you have to have by-hand passphrase entry on boot. I chose keyfile as the recommended default within the Web-UI as a compromise between ease of use and security. Any suggestions for changes to the Web-UI text in that area might be useful.

Thanks again for reporting your findings here. We are definitely thin on the ground with v4 “Built on openSUSE” LUKS testing, and in particular pool import from v3 findings. However, we do nothing strange re LUKS, so nothing seriously odd is expected. The Web-UI simply creates /etc/crypttab, and we should have a technical doc / wiki entry on this. The Pull Request where full disk LUKS encryption was added was the following:

Which contains full details of what was done. And we have the basic user doc:
https://rockstor.com/docs/howtos/luks.html

Hope that helps, and yes, we need some technical docs on exactly how Rockstor creates its /etc/crypttab; I propose we pop this in as a new kiwi forum entry myself. But the info in the PR should help on that front if anyone fancies stepping up to this.

2 Likes