Bugzilla – Bug 1180070
Make bootloader automatically pass encryption key to kernel during boot
Last modified: 2023-11-15 13:58:35 UTC
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.67 Safari/537.36
Build Identifier:

It would be very nice if the bootloader could be configured to automatically pass the disk encryption key to the kernel while booting. This would prevent the user from having to enter the same encryption password twice.

Reproducible: Always

Steps to Reproduce:
1. Configure YaST to encrypt the system.
2. Boot into the system.

Actual Results:
Encryption key is required to be entered twice (once for GRUB, once for the main partition).

This is a continuation of bug 1179293, taking into account the advice received from a maintainer in the comments.
If you pass the key on the kernel command line, then it becomes part of "/proc/cmdline" where it is visible to all users. I think you would need to invent a new way of passing it, and that probably requires changes to the kernel and the bootloader.
*BSD (or a derivative) is able to do this. And yes, this needs an interface between bootloader and kernel, which does not exist today. No idea how they solved it, but command-line options are not the way to go.
We already have a feature request in Jira for this [1], but it was rejected. Maybe we should raise this topic up again, probably by involving the whole openSUSE community.

[1] https://jira.suse.com/browse/SLE-2941
The workaround is to add key file(s) to initrd.

https://en.opensuse.org/SDB:Encrypted_root_file_system#Avoiding_to_type_the_passphrase_twice
(In reply to Michael Chang from comment #4)
> The workaround is to add key file(s) to initrd.
>
> https://en.opensuse.org/SDB:Encrypted_root_file_system#Avoiding_to_type_the_passphrase_twice

Indeed I have seen that, but I'm sure that many desktop users, especially those with limited knowledge regarding the inner workings of the system (such as myself), would be hesitant to do this. Maybe configuring YaST to set this up for the user (during installation or post-install in YaST 2) would be a good idea?
(In reply to José Iván López González from comment #3)
> We already have a feature request in Jira for this [1], but it was rejected.
> Maybe we should raise this topic up again, probably by involving the whole
> openSUSE community.
>
> [1] https://jira.suse.com/browse/SLE-2941

That sounds like an excellent idea.
(In reply to Neil Rickert from comment #1)
> I think you would need to invent a new way of passing it, and that probably
> requires changes to the kernel and the bootloader.

Would that be feasible? That sounds like a lot of work, and I assume this feature request probably isn't very high on the priority list.
I think all insecure (passing key via kernel command line) or naive implementations (saving key in initrd) were rejected already.

How about implementing a way for grub to initialize the kernel keyrings(7) for later use of that cache by systemd-ask-password?

There is work to preserve data across kexec. Doing this from grub to an in-kernel structure could expand upon this:

2013 PRAM: https://lwn.net/Articles/557046/
2020 PKRAM: https://lore.kernel.org/lkml/1588812129-8596-1-git-send-email-anthony.yznaga@oracle.com/
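The two rejected shortcuts in this thread (comment #1's key on the kernel command line, readable by every user through /proc/cmdline, and the initrd keyfile of comment #4, which is only as private as the initrd file itself) can be checked for on an installed system. The script below is an added audit example, not code from this bug or from openSUSE; the parameter name luks_passphrase and the /boot/initrd-* records are constructed samples standing in for real /proc/cmdline contents and os.stat() results.

```python
"""Audit for the two key-handoff shortcuts rejected in this bug: a secret on the
kernel command line (readable by every user through /proc/cmdline) and a keyfile
baked into an initrd that non-root users can read."""
import re
import stat

# Constructed sample command line; "luks_passphrase" is a hypothetical parameter
# name standing in for any scheme that puts the secret itself on the cmdline.
SAMPLE_CMDLINE = ("BOOT_IMAGE=/boot/vmlinuz root=/dev/mapper/cr_root "
                  "rd.luks.uuid=constructed-uuid luks_passphrase=hunter2 quiet")

# Constructed (path -> (st_mode, st_uid)) records standing in for os.stat() results.
SAMPLE_INITRDS = {
    "/boot/initrd-ok": (0o100600, 0),           # root-only: embedded keyfile stays private
    "/boot/initrd-world": (0o100644, 0),        # world-readable: keyfile can be extracted
    "/boot/initrd-wronguid": (0o100600, 1000),  # owned by a regular user account
}

SECRET_NAME = re.compile(r"pass(word|phrase)|secret", re.I)


def secret_params(cmdline: str) -> list[str]:
    """Names of name=value boot parameters whose names suggest secret material."""
    hits = []
    for token in cmdline.split():
        name, sep, _value = token.partition("=")
        if sep and SECRET_NAME.search(name):
            hits.append(name)
    return hits


def initrd_exposed(mode: int, uid: int) -> bool:
    """True when a file with this st_mode/owner is readable by some non-root user."""
    return uid != 0 or bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit(cmdline: str, initrds: dict[str, tuple[int, int]]) -> list[str]:
    """Return one finding per exposed secret; an empty list means nothing was found."""
    findings = [f"/proc/cmdline: parameter {n!r} is readable by all users"
                for n in secret_params(cmdline)]
    for path, (mode, uid) in initrds.items():
        if initrd_exposed(mode, uid):
            findings.append(f"{path}: mode {stat.S_IMODE(mode):04o} uid {uid} lets "
                            "non-root users extract any embedded keyfile")
    return findings


if __name__ == "__main__":
    # On a live system, feed open('/proc/cmdline').read() and the os.stat()
    # mode/uid of each /boot/initrd* file to audit() in place of the samples.
    for line in audit(SAMPLE_CMDLINE, SAMPLE_INITRDS):
        print(line)
```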
Bulk-re-assigning to the new bootloader-maintainers@suse.de group.