Depends on what the init script that asks the password of you is doing with it.
If it's systemd
, it might just be a feature. systemd-ask-password
comes with a cache functionality that might be responsible.
https://www.freedesktop.org/software/systemd/man/systemd-ask-password.html
--accept-cached
If passed, accept cached passwords, i.e. passwords previously entered.
--multiple
When used in conjunction with --accept-cached accept multiple passwords.
This will output one password per line.
In this fashion it would first try the passwords you already entered, and only ask for another passwords if that didn't work.
The downside of such an idea is that checking a password takes 1 second of CPU time with LUKS, so if you had a lot of LUKS containers, these attempts might slow you down. But most people have only one or two and it's actually not uncommon for them to use the same passphrase.
I actually couldn't locate the source code specifically responsible for this, so the above is only conjecture and I have no idea if this is a feature you could choose to disable somehow.
Found what seems to be the responsible code, see it here on Github.
There's a for loop that starts with tries = 0
and increments tries
by one each iteration.
This loop calls get_password()
with bool accept_cached
set to true if tries == 0 && !arg_verify
. So if there are already passwords cached in the first iteration of the loop, it will just return the cached passwords. If those don't work, next iteration with tries == 1
sets accept_cached
to false and only then it will ask you to provide another passphrase to try with.
The list of passwords is passed on to attach_luks_or_plain()
. This will be the previously cached password(s) in the first iteration, and the single new password in all following ones, so it won't re-try previously tried passwords (unless perhaps if you keep typing in the same one).
As for keeping passwords plaintext in memory, the list of passwords is declared as a _cleanup_strv_free_erase_ char **passwords = NULL;
so that at least makes it sounds like cleanup will be taken care of properly at some point.
Keys are always in memory somewhere, that much can't be helped, crypt needs masterkey to work, as long as the container is open, you can always see it with dmsetup table --showkeys
.
It seems like you normally have arg_tries = 3
three attempts to enter a working passphrase, but if you have multiple containers and the cached passwords didn't work, it will only give you two tries to enter the passphrase, since the cached password attempt already counts as the first try. I have no encrypted systemd machine to test if this is true or I'm just misreading the code somewhere.
Best Answer
If you want to overwrite the data of the encrypted disk with non-encrypted data anyway (i.e. you don't care about the current contents), you don't have to unlock the drive/partition first.
If the partition has a particular uncommon partition type, you might want to change that, but it is not necessary. You can just use
mkfs.ext4
(or any filesystem type you prefer) on the partition which contains the LUKS encrypte partition.