/home not encrypted when it should be
The past few times I've installed with ArchInstall, I designated my /home partition to be encrypted, but the script doesn't appear to follow that instruction. My system boots completely as if I had not designated encryption at all. There's not one prompt for a password to decrypt the system; everything boots just fine but unencrypted. Here is my install log.
According to the logs, encryption was selected for /home and was also set up correctly.
Can you share the output of lsblk -J -O from the installed system?
Upon booting into the desktop, it appears that the /home partition is recognized as encrypted through the file explorer, but it is permanently unlocked, defeating the purpose of the encryption altogether. I rebooted countless times to see if a decryption prompt would ever show up on boot, but it doesn't; despite this, I can access the /home directory without any authentication.
Here's the output of lsblk -J -O:
{
"blockdevices": [
{
"alignment": 0,
"id-link": "wwn-0x5000c500aa9af812",
"id": "0x5000c500aa9af812",
"disc-aln": 0,
"dax": false,
"disc-gran": "4K",
"disk-seq": 1,
"disc-max": "0B",
"disc-zero": false,
"fsavail": null,
"fsroots": [
null
],
"fssize": null,
"fstype": null,
"fsused": null,
"fsuse%": null,
"fsver": null,
"group": "disk",
"hctl": "0:0:0:0",
"hotplug": false,
"kname": "sda",
"label": null,
"log-sec": 512,
"maj:min": "8:0",
"maj": "8",
"min": "0",
"min-io": 4096,
"mode": "brw-rw----",
"model": "ST2000LM007-1R8174",
"mq": " 1",
"name": "sda",
"opt-io": 0,
"owner": "root",
"partflags": null,
"partlabel": null,
"partn": null,
"parttype": null,
"parttypename": null,
"partuuid": null,
"path": "/dev/sda",
"phy-sec": 4096,
"pkname": null,
"pttype": "gpt",
"ptuuid": "273c1279-e312-4b61-9e34-ef41d8e01d4f",
"ra": 128,
"rand": true,
"rev": "SDM2",
"rm": false,
"ro": false,
"rota": true,
"rq-size": 64,
"sched": "mq-deadline",
"serial": "WDZ6S61R",
"size": "1.8T",
"start": null,
"state": "running",
"subsystems": "block:scsi:pci",
"mountpoint": null,
"mountpoints": [
null
],
"tran": "sata",
"type": "disk",
"uuid": null,
"vendor": "ATA ",
"wsame": "0B",
"wwn": "0x5000c500aa9af812",
"zoned": "none",
"zone-sz": "0B",
"zone-wgran": "0B",
"zone-app": "0B",
"zone-nr": 0,
"zone-omax": 0,
"zone-amax": 0,
"children": [
{
"alignment": 0,
"id-link": "wwn-0x5000c500aa9af812-part1",
"id": "0x5000c500aa9af812-part1",
"disc-aln": 0,
"dax": false,
"disc-gran": "4K",
"disk-seq": 1,
"disc-max": "0B",
"disc-zero": false,
"fsavail": "866.4M",
"fsroots": [
"/"
],
"fssize": "1022M",
"fstype": "vfat",
"fsused": "155.6M",
"fsuse%": "15%",
"fsver": "FAT32",
"group": "disk",
"hctl": null,
"hotplug": false,
"kname": "sda1",
"label": null,
"log-sec": 512,
"maj:min": "8:1",
"maj": "8",
"min": "1",
"min-io": 4096,
"mode": "brw-rw----",
"model": null,
"mq": " 1",
"name": "sda1",
"opt-io": 0,
"owner": "root",
"partflags": null,
"partlabel": null,
"partn": 1,
"parttype": "c12a7328-f81f-11d2-ba4b-00a0c93ec93b",
"parttypename": "EFI System",
"partuuid": "43362379-24f2-40ff-b582-0994aded9683",
"path": "/dev/sda1",
"phy-sec": 4096,
"pkname": "sda",
"pttype": "gpt",
"ptuuid": "273c1279-e312-4b61-9e34-ef41d8e01d4f",
"ra": 128,
"rand": true,
"rev": null,
"rm": false,
"ro": false,
"rota": true,
"rq-size": 64,
"sched": "mq-deadline",
"serial": null,
"size": "1G",
"start": 2048,
"state": null,
"subsystems": "block:scsi:pci",
"mountpoint": "/boot",
"mountpoints": [
"/boot"
],
"tran": null,
"type": "part",
"uuid": "714C-79CE",
"vendor": null,
"wsame": "0B",
"wwn": "0x5000c500aa9af812",
"zoned": "none",
"zone-sz": "0B",
"zone-wgran": "0B",
"zone-app": "0B",
"zone-nr": 0,
"zone-omax": 0,
"zone-amax": 0
},{
"alignment": 0,
"id-link": "wwn-0x5000c500aa9af812-part2",
"id": "0x5000c500aa9af812-part2",
"disc-aln": 0,
"dax": false,
"disc-gran": "4K",
"disk-seq": 1,
"disc-max": "0B",
"disc-zero": false,
"fsavail": "12.4G",
"fsroots": [
"/"
],
"fssize": "19.5G",
"fstype": "ext4",
"fsused": "6.1G",
"fsuse%": "31%",
"fsver": "1.0",
"group": "disk",
"hctl": null,
"hotplug": false,
"kname": "sda2",
"label": null,
"log-sec": 512,
"maj:min": "8:2",
"maj": "8",
"min": "2",
"min-io": 4096,
"mode": "brw-rw----",
"model": null,
"mq": " 1",
"name": "sda2",
"opt-io": 0,
"owner": "root",
"partflags": null,
"partlabel": null,
"partn": 2,
"parttype": "0fc63daf-8483-4772-8e79-3d69d8477de4",
"parttypename": "Linux filesystem",
"partuuid": "8d9feaa4-b76d-462a-8f3b-5a14d51652ed",
"path": "/dev/sda2",
"phy-sec": 4096,
"pkname": "sda",
"pttype": "gpt",
"ptuuid": "273c1279-e312-4b61-9e34-ef41d8e01d4f",
"ra": 128,
"rand": true,
"rev": null,
"rm": false,
"ro": false,
"rota": true,
"rq-size": 64,
"sched": "mq-deadline",
"serial": null,
"size": "20G",
"start": 2099200,
"state": null,
"subsystems": "block:scsi:pci",
"mountpoint": "/",
"mountpoints": [
"/"
],
"tran": null,
"type": "part",
"uuid": "30425400-daff-44f1-ad41-6a818abec523",
"vendor": null,
"wsame": "0B",
"wwn": "0x5000c500aa9af812",
"zoned": "none",
"zone-sz": "0B",
"zone-wgran": "0B",
"zone-app": "0B",
"zone-nr": 0,
"zone-omax": 0,
"zone-amax": 0
},{
"alignment": 0,
"id-link": "wwn-0x5000c500aa9af812-part3",
"id": "0x5000c500aa9af812-part3",
"disc-aln": 0,
"dax": false,
"disc-gran": "4K",
"disk-seq": 1,
"disc-max": "0B",
"disc-zero": false,
"fsavail": null,
"fsroots": [
null
],
"fssize": null,
"fstype": "crypto_LUKS",
"fsused": null,
"fsuse%": null,
"fsver": "2",
"group": "disk",
"hctl": null,
"hotplug": false,
"kname": "sda3",
"label": null,
"log-sec": 512,
"maj:min": "8:3",
"maj": "8",
"min": "3",
"min-io": 4096,
"mode": "brw-rw----",
"model": null,
"mq": " 1",
"name": "sda3",
"opt-io": 0,
"owner": "root",
"partflags": null,
"partlabel": null,
"partn": 3,
"parttype": "0fc63daf-8483-4772-8e79-3d69d8477de4",
"parttypename": "Linux filesystem",
"partuuid": "01af6c2b-462e-4045-85d2-e08fb31e5bd7",
"path": "/dev/sda3",
"phy-sec": 4096,
"pkname": "sda",
"pttype": "gpt",
"ptuuid": "273c1279-e312-4b61-9e34-ef41d8e01d4f",
"ra": 128,
"rand": true,
"rev": null,
"rm": false,
"ro": false,
"rota": true,
"rq-size": 64,
"sched": "mq-deadline",
"serial": null,
"size": "1.8T",
"start": 44042240,
"state": null,
"subsystems": "block:scsi:pci",
"mountpoint": null,
"mountpoints": [
null
],
"tran": null,
"type": "part",
"uuid": "6dda5baf-ad14-42f9-93ab-3fe380150d9a",
"vendor": null,
"wsame": "0B",
"wwn": "0x5000c500aa9af812",
"zoned": "none",
"zone-sz": "0B",
"zone-wgran": "0B",
"zone-app": "0B",
"zone-nr": 0,
"zone-omax": 0,
"zone-amax": 0,
"children": [
{
"alignment": 0,
"id-link": "dm-name-ainstsda3",
"id": "name-ainstsda3",
"disc-aln": 0,
"dax": false,
"disc-gran": "0B",
"disk-seq": 6,
"disc-max": "0B",
"disc-zero": false,
"fsavail": "1.7T",
"fsroots": [
"/"
],
"fssize": "1.8T",
"fstype": "ext4",
"fsused": "46M",
"fsuse%": "0%",
"fsver": "1.0",
"group": "disk",
"hctl": null,
"hotplug": false,
"kname": "dm-0",
"label": null,
"log-sec": 4096,
"maj:min": "254:0",
"maj": "254",
"min": "0",
"min-io": 4096,
"mode": "brw-rw----",
"model": null,
"mq": "1",
"name": "ainstsda3",
"opt-io": 0,
"owner": "root",
"partflags": null,
"partlabel": null,
"partn": null,
"parttype": null,
"parttypename": null,
"partuuid": null,
"path": "/dev/mapper/ainstsda3",
"phy-sec": 4096,
"pkname": "sda3",
"pttype": null,
"ptuuid": null,
"ra": 128,
"rand": false,
"rev": null,
"rm": false,
"ro": false,
"rota": true,
"rq-size": null,
"sched": null,
"serial": null,
"size": "1.8T",
"start": null,
"state": "running",
"subsystems": "block",
"mountpoint": "/home",
"mountpoints": [
"/home"
],
"tran": null,
"type": "crypt",
"uuid": "181770cb-195f-4d50-9932-3f682bc5df4b",
"vendor": null,
"wsame": "0B",
"wwn": null,
"zoned": "none",
"zone-sz": "0B",
"zone-wgran": "0B",
"zone-app": "0B",
"zone-nr": 0,
"zone-omax": 0,
"zone-amax": 0
}
]
}
]
},{
"alignment": 0,
"id-link": "usb-SanDisk_Cruzer_Dial_4C530001280509117173-0:0",
"id": "SanDisk_Cruzer_Dial_4C530001280509117173-0:0",
"disc-aln": 0,
"dax": false,
"disc-gran": "512B",
"disk-seq": 4,
"disc-max": "0B",
"disc-zero": false,
"fsavail": null,
"fsroots": [
null
],
"fssize": null,
"fstype": "iso9660",
"fsused": null,
"fsuse%": null,
"fsver": "Joliet Extension",
"group": "disk",
"hctl": "2:0:0:0",
"hotplug": true,
"kname": "sdb",
"label": "ARCH_202405",
"log-sec": 512,
"maj:min": "8:16",
"maj": "8",
"min": "16",
"min-io": 512,
"mode": "brw-rw----",
"model": "Cruzer Dial",
"mq": " 1",
"name": "sdb",
"opt-io": 0,
"owner": "root",
"partflags": null,
"partlabel": null,
"partn": null,
"parttype": null,
"parttypename": null,
"partuuid": null,
"path": "/dev/sdb",
"phy-sec": 512,
"pkname": null,
"pttype": "dos",
"ptuuid": "8da10534",
"ra": 128,
"rand": true,
"rev": "1.00",
"rm": true,
"ro": false,
"rota": true,
"rq-size": 2,
"sched": "mq-deadline",
"serial": "4C530001280509117173",
"size": "29.3G",
"start": null,
"state": "running",
"subsystems": "block:scsi:usb:pci",
"mountpoint": null,
"mountpoints": [
null
],
"tran": "usb",
"type": "disk",
"uuid": "2024-05-01-17-04-31-00",
"vendor": "SanDisk ",
"wsame": "0B",
"wwn": null,
"zoned": "none",
"zone-sz": "0B",
"zone-wgran": "0B",
"zone-app": "0B",
"zone-nr": 0,
"zone-omax": 0,
"zone-amax": 0,
"children": [
{
"alignment": 0,
"id-link": "usb-SanDisk_Cruzer_Dial_4C530001280509117173-0:0-part1",
"id": "SanDisk_Cruzer_Dial_4C530001280509117173-0:0-part1",
"disc-aln": 0,
"dax": false,
"disc-gran": "512B",
"disk-seq": 4,
"disc-max": "0B",
"disc-zero": false,
"fsavail": null,
"fsroots": [
null
],
"fssize": null,
"fstype": "iso9660",
"fsused": null,
"fsuse%": null,
"fsver": "Joliet Extension",
"group": "disk",
"hctl": null,
"hotplug": true,
"kname": "sdb1",
"label": "ARCH_202405",
"log-sec": 512,
"maj:min": "8:17",
"maj": "8",
"min": "17",
"min-io": 512,
"mode": "brw-rw----",
"model": null,
"mq": " 1",
"name": "sdb1",
"opt-io": 0,
"owner": "root",
"partflags": "0x80",
"partlabel": null,
"partn": 1,
"parttype": "0x0",
"parttypename": "Empty",
"partuuid": "8da10534-01",
"path": "/dev/sdb1",
"phy-sec": 512,
"pkname": "sdb",
"pttype": "dos",
"ptuuid": "8da10534",
"ra": 128,
"rand": true,
"rev": null,
"rm": true,
"ro": false,
"rota": true,
"rq-size": 2,
"sched": "mq-deadline",
"serial": null,
"size": "934M",
"start": 64,
"state": null,
"subsystems": "block:scsi:usb:pci",
"mountpoint": null,
"mountpoints": [
null
],
"tran": null,
"type": "part",
"uuid": "2024-05-01-17-04-31-00",
"vendor": null,
"wsame": "0B",
"wwn": null,
"zoned": "none",
"zone-sz": "0B",
"zone-wgran": "0B",
"zone-app": "0B",
"zone-nr": 0,
"zone-omax": 0,
"zone-amax": 0
},{
"alignment": 0,
"id-link": "usb-SanDisk_Cruzer_Dial_4C530001280509117173-0:0-part2",
"id": "SanDisk_Cruzer_Dial_4C530001280509117173-0:0-part2",
"disc-aln": 0,
"dax": false,
"disc-gran": "512B",
"disk-seq": 4,
"disc-max": "0B",
"disc-zero": false,
"fsavail": null,
"fsroots": [
null
],
"fssize": null,
"fstype": "vfat",
"fsused": null,
"fsuse%": null,
"fsver": "FAT16",
"group": "disk",
"hctl": null,
"hotplug": true,
"kname": "sdb2",
"label": "ARCHISO_EFI",
"log-sec": 512,
"maj:min": "8:18",
"maj": "8",
"min": "18",
"min-io": 512,
"mode": "brw-rw----",
"model": null,
"mq": " 1",
"name": "sdb2",
"opt-io": 0,
"owner": "root",
"partflags": null,
"partlabel": null,
"partn": 2,
"parttype": "0xef",
"parttypename": "EFI (FAT-12/16/32)",
"partuuid": "8da10534-02",
"path": "/dev/sdb2",
"phy-sec": 512,
"pkname": "sdb",
"pttype": "dos",
"ptuuid": "8da10534",
"ra": 128,
"rand": true,
"rev": null,
"rm": true,
"ro": false,
"rota": true,
"rq-size": 2,
"sched": "mq-deadline",
"serial": null,
"size": "144M",
"start": 1912832,
"state": null,
"subsystems": "block:scsi:usb:pci",
"mountpoint": null,
"mountpoints": [
null
],
"tran": null,
"type": "part",
"uuid": "6665-2677",
"vendor": null,
"wsame": "0B",
"wwn": null,
"zoned": "none",
"zone-sz": "0B",
"zone-wgran": "0B",
"zone-app": "0B",
"zone-nr": 0,
"zone-omax": 0,
"zone-amax": 0
}
]
},{
"alignment": 0,
"id-link": "wwn-0x5001480000000000",
"id": "0x5001480000000000",
"disc-aln": 0,
"dax": false,
"disc-gran": "512B",
"disk-seq": 3,
"disc-max": "0B",
"disc-zero": false,
"fsavail": null,
"fsroots": [
null
],
"fssize": null,
"fstype": null,
"fsused": null,
"fsuse%": null,
"fsver": null,
"group": "optical",
"hctl": "1:0:0:0",
"hotplug": false,
"kname": "sr0",
"label": null,
"log-sec": 512,
"maj:min": "11:0",
"maj": "11",
"min": "0",
"min-io": 512,
"mode": "brw-rw----",
"model": "HL-DT-ST DVD+/-RW GU90N",
"mq": " 1",
"name": "sr0",
"opt-io": 0,
"owner": "root",
"partflags": null,
"partlabel": null,
"partn": null,
"parttype": null,
"parttypename": null,
"partuuid": null,
"path": "/dev/sr0",
"phy-sec": 512,
"pkname": null,
"pttype": null,
"ptuuid": null,
"ra": 128,
"rand": false,
"rev": "A1C2",
"rm": true,
"ro": false,
"rota": true,
"rq-size": 64,
"sched": "mq-deadline",
"serial": "KZRH6R85226",
"size": "1024M",
"start": null,
"state": "running",
"subsystems": "block:scsi:pci",
"mountpoint": null,
"mountpoints": [
null
],
"tran": "sata",
"type": "rom",
"uuid": null,
"vendor": "HL-DT-ST",
"wsame": "0B",
"wwn": "0x5001480000000000",
"zoned": "none",
"zone-sz": "0B",
"zone-wgran": "0B",
"zone-app": "0B",
"zone-nr": 0,
"zone-omax": 0,
"zone-amax": 0
},{
"alignment": 0,
"id-link": null,
"id": null,
"disc-aln": 0,
"dax": false,
"disc-gran": "4K",
"disk-seq": 5,
"disc-max": "2T",
"disc-zero": false,
"fsavail": null,
"fsroots": [
null
],
"fssize": null,
"fstype": null,
"fsused": null,
"fsuse%": null,
"fsver": null,
"group": "disk",
"hctl": null,
"hotplug": false,
"kname": "zram0",
"label": null,
"log-sec": 4096,
"maj:min": "253:0",
"maj": "253",
"min": "0",
"min-io": 4096,
"mode": "brw-rw----",
"model": null,
"mq": "1",
"name": "zram0",
"opt-io": 4096,
"owner": "root",
"partflags": null,
"partlabel": null,
"partn": null,
"parttype": null,
"parttypename": null,
"partuuid": null,
"path": "/dev/zram0",
"phy-sec": 4096,
"pkname": null,
"pttype": null,
"ptuuid": null,
"ra": 128,
"rand": false,
"rev": null,
"rm": false,
"ro": false,
"rota": false,
"rq-size": null,
"sched": null,
"serial": null,
"size": "3.8G",
"start": null,
"state": null,
"subsystems": "block",
"mountpoint": "[SWAP]",
"mountpoints": [
"[SWAP]"
],
"tran": null,
"type": "disk",
"uuid": null,
"vendor": null,
"wsame": "0B",
"wwn": null,
"zoned": "none",
"zone-sz": "0B",
"zone-wgran": "0B",
"zone-app": "0B",
"zone-nr": 0,
"zone-omax": 0,
"zone-amax": 0
}
]
}
For LUKS /home encryption, a keyfile is generated and stored under /etc/cryptsetup-keys.d/ and then added as a LUKS key slot with /usr/bin/cryptsetup -q -v luksAddKey <key>.
This allows automatic unlocking during boot while keeping your /home encrypted at rest.
Just to double-verify here, there is a prompt to unlock the root partition right?
If / is not encrypted (and hence there is no prompt), then the keyfile for /home sits on an unencrypted root filesystem and is exposed to anyone who can read the disk — and that'd be bad :)
But as svartkanin says, normally you would encrypt / as well, which keeps the keyfile safe and thus makes it possible to auto-unlock /home with it.
I can confirm that there's no prompt to unlock anything at all. The only password that the system asks for to boot into the desktop is my user account password in order to log into my user account. I can provide a video of the boot process via my cell phone if you'd like.
That is probably something to change in that case. I suppose when root and home are both encrypted, then the keyfile for home should be created but not for root, as is the case right now. But if only home is encrypted, then no keyfile should be created.
Yeah we need to check why that was not detected and add a check for it.
Is there anything I can do to help?
At this point it's simply a matter of programming something that solves the issue. I'd like to keep as much of the current logic as possible, as it's pretty clean.
The partition logic that reports if it should be encrypted is nice:
- https://github.com/archlinux/archinstall/blob/52a795da6622f8c16f0004c76d5ee0169b97af8c/archinstall/lib/disk/device_model.py#L1206-L1211
And the hook that triggers the key-file generation is nice too:
- https://github.com/archlinux/archinstall/blob/52a795da6622f8c16f0004c76d5ee0169b97af8c/archinstall/lib/installer.py#L368-L370
So I'm thinking it may be better to introduce a check in the menu system — more specifically in the pre-check conditions — that simply prohibits entering Install from the menu until either / is encrypted as well, or /home is de-selected. That would be the simplest solution, at the cost of making an encrypted /home on its own impossible.
So the more "complex" solution would be to count our encrypted partitions, prompt for the password on list(encrypted_partitions, sort=mountpoint)[0], and do something like:
def _generate_key_files_partitions(self):
- for part_mod in self._disk_encryption.partitions:
+ for part_mod in list(self._disk_encryption.partitions, sort=mountpoint)[1:]:
gen_enc_file = self._disk_encryption.should_generate_encryption_file(part_mod)
(pseudo code obviously, but the whole [0] and [1:] idea might be good?)
Or:
- def _generate_key_files_partitions(self):
+ def _generate_key_files_partitions(self, ignore_partitions=[]):
And we could populate the ignore-list based on partitions already set up for password-unlock during boot?
I think I have a minimal patch going, will submit after testing