FS#30780 - [initscripts] emulate Fedora password prompt
Attached to Project:
Arch Linux
Opened by c (c) - Saturday, 21 July 2012, 08:13 GMT
Last edited by Tom Gundersen (tomegun) - Monday, 23 July 2012, 19:39 GMT
Details
Description:
I don't know what Fedora's initramfs or initscripts do but if you have two luks devices with the same password it seems to first try the previously entered and successfully used password before prompting again when opening a second luks device.
Additional info:
* 1.5.0-1
GRUB_CMD_LINE_DEFAULT="quiet cryptdevice=DEV:NAME"
/etc/crypttab
[...]
OTHERNAME OTHERDEV none
When I installed Fedora it asked me for a passphrase for DEV and OTHERDEV. In the test I had used the same passphrase for both and was surprised that I was only asked to enter one passphrase. Either the OTHERDEV, which was SWAP, didn't actually use the passphrase and used a random key on each boot, or it did re-try the previously entered passphrase before asking.
Can you follow or do you need more info?
(I find it extremely unlikely that Fedora is checking previously entered passwords.)
I tried but it failed. Anything wrong or missing somewhere?
/etc/crypttab
OTHERNAME OTHERDEV /dev/urandom swap,cipher=aes-xts-plain64:sha512,size=512
/etc/fstab
OTHERDEV swap swap defaults 0 0 # UUID won't work because different each time, isn't it?
It fails with this error:
Activating swap [BUSY] swapon: /dev/mapper/OTHERNAME: read swap header failed: Invalid argument
Mon Jul 23 10:05:09 2012: [FAIL]
Seems like some step doesn't realize it has to mkswap. Or does swapon get tried too early?
@Tom: It looks like that 'if IFS=, in_array swap [..]' check is failing, and thus mkswap is never run. See what I mean:
$ source /etc/rc.d/functions
$ options=swap,cipher=aes-xts-plain64:sha512,size=512
$ if IFS=, in_array swap ${options[@]}; then echo win; else echo fail; fi # IFS isn't taken into account here
fail
$ IFS=,
$ if in_array swap ${options[@]}; then echo win; else echo fail; fi # here it works
win
crypttab:
swap /dev/vda2 /dev/urandom swap
tmp /dev/vda3 /dev/urandom tmp
fstab:
/dev/mapper/swap none swap defaults 0 0
/dev/mapper/tmp /tmp ext2 defaults 0 0
And it works fine:
[ 2.948659] EXT4-fs (dm-1): mounting ext2 file system using the ext4 subsystem
[ 2.969752] Adding 262140k swap on /dev/mapper/swap. Priority:-1 extents:1 across:262140k
@c: your fstab seems to be wrong. It should not be "OTHERDEV", but /dev/mapper/OTHERNAME.
Some more example code: (I believe this is the correct way to handle IFS changes, by saving and then restoring its old value.)
$ source /etc/rc.d/functions
$ options=swap
$ in_array swap ${options[@]} && echo works
works
$ options=swap,kittens
$ in_array swap ${options[@]} && echo works
$ SAVEIFS=$IFS IFS=,
$ in_array swap ${options[@]} && echo works
works
$ IFS=$SAVEIFS
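The behaviour shown in the two shell sessions above, as an added example that is not part of the original thread or of initscripts: the unquoted expansion is word-split with the current IFS before a prefix `IFS=,` assignment takes effect, so a multi-option crypttab field is never split and the `swap` option (and with it the mkswap step) is missed. `in_array` below is a stand-in written for this example on the assumption that it does an exact-match search; `prefix_check` and `split_check` are hypothetical names, and the option strings are constructed samples.

```shell
#!/bin/sh
# Stand-in for in_array from /etc/rc.d/functions (assumed behaviour:
# succeed when $1 is exactly equal to one of the remaining arguments).
in_array() {
    needle=$1
    shift
    for item in "$@"; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

ORIG_IFS=$IFS   # kept so callers can confirm IFS never leaks

# The failing pattern from the thread. $2 is expanded and word-split
# using the IFS in force *before* "IFS=," is applied to in_array, so
# "swap,kittens" arrives as one argument. The subshell only keeps this
# demonstration from disturbing the caller's IFS.
prefix_check() {   # $1 = option, $2 = comma-separated option field
    ( IFS=, in_array "$1" $2 )
}

# Working pattern: set IFS as its own command, then expand. The subshell
# scopes both IFS and noglob, so no save/restore is needed, and set -f
# stops a '*' or '?' in an option value from matching file names.
split_check() {    # $1 = option, $2 = comma-separated option field
    (
        set -f
        IFS=,
        in_array "$1" $2
    )
}

# Constructed crypttab option fields: one option, then several.
for opts in 'swap' 'swap,cipher=aes-xts-plain64:sha512,size=512'; do
    if prefix_check swap "$opts"; then p=found; else p=missed; fi
    if split_check swap "$opts"; then s=found; else s=missed; fi
    printf '%-45s prefix=%s split=%s\n' "$opts" "$p" "$s"
done
```

A single-option field passes both checks, which is why the prefix form can look correct until a second option is added.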
What crypto options does it use if I omit the last field as in your example?
Try, it will print what it uses on the console ;-)