• systemd-boot not asking password, not resuming from hibernate

    From Richard Rosner@21:1/5 to All on Sat Jan 6 20:30:01 2024
    I just tried out systemd-boot. What I noticed, it doesn't ask for my
    decryption password to decrypt both my LUKS2 encrypted root and swap
    partition. This kinda defeats the purpose of encrypted drives. How do I
    have systemd-boot forget and never again remember my credentials?

    For the installation, I just installed systemd-boot. Afterward I had
    to uncomment the timeout option in /boot/efi/loader/loader.conf so I
    would get the selection screen, but I didn't make any other
    modifications. So what exactly is missing?

    Adding to that, resume from hibernate doesn't seem to work. Resume is
    included in the options line in the /boot/efi/loader/entries files, it's
    also enabled in initramfs-tools, yet after powering on after
    hibernating, I'm not greeted with where I left off.

    PS: by any chance does anybody know if systemd-boot supports Argon2 KDF
    for LUKS2? I only know that Grub2 doesn't (yet), but it's difficult to
    find the specific documentation on systemd-boot.


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
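    An added diagnostic, not from the thread or from systemd: it parses a
    systemd-boot entry file (the key/value format under
    /boot/efi/loader/entries/) and reports whether the entry loads an
    initramfs at all and what root= and resume= it hands to the kernel,
    which is what one would compare against /etc/crypttab and the
    initramfs-tools resume setting on the machine. The entry file is a
    constructed sample so the script runs offline.

    ```shell
    #!/bin/sh
    # Constructed sample entry (hypothetical paths/version); a real one
    # lives in /boot/efi/loader/entries/*.conf.
    SAMPLE_ENTRY=$(mktemp)
    cat > "$SAMPLE_ENTRY" <<'EOF'
    title      Debian GNU/Linux
    version    6.1.0-17-amd64
    linux      /vmlinuz-6.1.0-17-amd64
    initrd     /initrd.img-6.1.0-17-amd64
    options    root=/dev/mapper/vg-root ro quiet resume=/dev/mapper/vg-swap
    EOF

    # bls_get FILE KEY -> value of the first line whose first word is KEY
    bls_get() {
        awk -v k="$2" '$1 == k { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }' "$1"
    }

    # cmdline_param "OPTIONS" KEY -> value of KEY=... in a kernel command line
    # (handles nested values such as resume=UUID=... by stripping only KEY=)
    cmdline_param() {
        printf '%s\n' "$1" | tr ' ' '\n' \
            | awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }'
    }

    # entry_report FILE -> one finding per line. Without an initrd line no
    # initramfs runs, so nothing in the boot path can prompt for a LUKS
    # passphrase; without resume= the kernel is never told where the
    # hibernation image is.
    entry_report() {
        opts=$(bls_get "$1" options)
        initrd=$(bls_get "$1" initrd)
        root=$(cmdline_param "$opts" root)
        resume=$(cmdline_param "$opts" resume)
        if [ -n "$initrd" ]; then
            echo "initrd: $initrd"
        else
            echo "initrd: MISSING (no initramfs, so no cryptsetup prompt possible)"
        fi
        echo "root: ${root:-MISSING}"
        echo "resume: ${resume:-MISSING}"
    }

    entry_report "$SAMPLE_ENTRY"
    ```

    Run it against every file in /boot/efi/loader/entries/ to see which entry the kernel is actually started from and what it receives.
    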
  • From David Wright@21:1/5 to Richard Rosner on Sun Jan 7 18:30:03 2024
    On Sat 06 Jan 2024 at 20:04:57 (+0100), Richard Rosner wrote:
    > I just tried out systemd-boot. What I noticed, it doesn't ask for my
    > decryption password to decrypt both my LUKS2 encrypted root and swap
    > partition. This kinda defeats the purpose of encrypted drives. How do
    > I have systemd-boot forget and never again remember my credentials?

    I'm assuming that when you boot, you do get /one/ prompt for your
    passphrase, and not zero. If it doesn't ask /again/ after that,
    then I'd guess that it's storing something somewhere.

    In the little I've read about this, I've come across a scheme where
    Grub writes an initrd file in memory and appends it to your main
    initrd(s) so that the kernel can read it later.

    > For the installation, I just installed systemd-boot. Afterward I had
    > to uncomment the timeout option in /boot/efi/loader/loader.conf so I
    > would get the selection screen, but I didn't make any other
    > modifications. So what exactly is missing?

    > Adding to that, resume from hibernate doesn't seem to work. Resume is
    > included in the options line in the /boot/efi/loader/entries files,
    > it's also enabled in initramfs-tools, yet after powering on after
    > hibernating, I'm not greeted with where I left off.

    I don't use hibernation. I close down desktops because I can remotely
    boot them, and I leave laptops running as they consume trivial power.

    > PS: by any chance does anybody know if systemd-boot supports Argon2
    > KDF for LUKS2? I only know that Grub2 doesn't (yet), but it's
    > difficult to find the specific documentation on systemd-boot.

    You probably need to follow appropriate lists if you want to stay
    up to date.

    Cheers,
    David.

  • From Richard Rosner@21:1/5 to David Wright on Sun Jan 7 19:30:01 2024
    On 07.01.24 18:07, David Wright wrote:
    > On Sat 06 Jan 2024 at 20:04:57 (+0100), Richard Rosner wrote:
    > > I just tried out systemd-boot. What I noticed, it doesn't ask for my
    > > decryption password to decrypt both my LUKS2 encrypted root and swap
    > > partition. This kinda defeats the purpose of encrypted drives. How do
    > > I have systemd-boot forget and never again remember my credentials?
    > I'm assuming that when you boot, you do get /one/ prompt for your
    > passphrase, and not zero. If it doesn't ask /again/ after that,
    > then I'd guess that it's storing something somewhere.

    Nope, there's absolutely none. It just boots straight into the system,
    just as I said. Hence, I literally named this topic "systemd-boot *not
    asking* password". If it wouldn't ask again, that would just be the
    expected behavior you'll also get from Grub. It makes no sense to ask
    for every encrypted partition when the passphrase is the same.

    > In the little I've read about this, I've come across a scheme where
    > Grub writes an initrd file in memory and appends it to your main
    > initrd(s) so that the kernel can read it later.
    I kinda doubt that, like a lot. Maybe update-initramfs does pull in
    information from the Grub config, but otherwise there's no indication to
    that. It does pass parameters you put into the /etc/default/grub to the
    Kernel though.
    > > For the installation, I just installed systemd-boot. Afterward I had
    > > to uncomment the timeout option in /boot/efi/loader/loader.conf so I
    > > would get the selection screen, but I didn't make any other
    > > modifications. So what exactly is missing?
    > >
    > > Adding to that, resume from hibernate doesn't seem to work. Resume is
    > > included in the options line in the /boot/efi/loader/entries files,
    > > it's also enabled in initramfs-tools, yet after powering on after
    > > hibernating, I'm not greeted with where I left off.
    > I don't use hibernation. I close down desktops because I can remotely
    > boot them, and I leave laptops running as they consume trivial power.
    Good for you, not my use case.
    > > PS: by any chance does anybody know if systemd-boot supports Argon2
    > > KDF for LUKS2? I only know that Grub2 doesn't (yet), but it's
    > > difficult to find the specific documentation on systemd-boot.
    > You probably need to follow appropriate lists if you want to stay
    > up to date.
    That's just how not to do things. Software should be well documented,
    otherwise it should be replaced by something that is. Systemd replaced
    SysV Init as a service starter because it was much easier to handle and
    not just a pile of historical garbage nobody understands anymore. The
    same should be kept for other systemd services.