
Thread: GRUB2 decryption password enter twice

  1. #1
    Join Date
    Jun 2017
    Posts
    3

    GRUB2 decryption password enter twice

    Hi,

    I've installed Tumbleweed and I must enter the password twice to boot the system. Firstly I get this screen:

    Welcome to GRUB!
    Attempting to decrypt master key....
    Enter passphrase for hd1,gpt3 (d309etc...etc...etc...):

    And after that, when I choose the OS, I must decrypt the LVM partition once more with the same password.

    How can I disable first decryption prompt?

    Thanks in advance.

  2. #2
    Join Date
    Nov 2009
    Location
    West Virginia Sector 13
    Posts
    15,862

    Re: GRUB2 decryption password enter twice

    Install a separate boot partition about 500 meg mounted as /boot

  3. #3
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    13,589
    Blog Entries
    3

    Re: GRUB2 decryption password enter twice

    Quote Originally Posted by gogalthorp
    Install a separate boot partition about 500 meg mounted as /boot
    Yes, that would do it.

    My understanding, perhaps wrong, is that if you do this and are using "btrfs", then you lose the ability to boot from an older snapshot.
    openSUSE Leap 15.2 Beta; KDE Plasma 5;

  4. #4
    Join Date
    Jun 2017
    Posts
    3

    Re: GRUB2 decryption password enter twice

    When I install with 'create partition setup' and LVM encryption I get the mentioned problem.
    I've tried to install manually with the same password for all encrypted partitions. The setup is as follows:
    sdb1, EFI boot, FAT, 500 MiB, unencrypted
    sdb2, swap, 8 GiB, encrypted
    sdb3, root, BtrFS, 40 GiB, encrypted
    sdb4, home, XFS, 175 GiB, encrypted

    and I get message:
    ---------------------------------------------
    Failure occured during the following action:
    Setting up encrypted dm device on /dev/sdb3

    VOLUME_CRYPTSETUP_FAILED

    System error code was: -3034

    Continue despite the error?
    ---------------------------------------------


    Where am I wrong?

  5. #5
    Join Date
    Nov 2009
    Location
    West Virginia Sector 13
    Posts
    15,862

    Re: GRUB2 decryption password enter twice

    You need a password for each and every partition you encrypt. It does not matter if it is the same password; it must be entered for each encrypted partition.

  6. #6
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    13,589
    Blog Entries
    3

    Re: GRUB2 decryption password enter twice

    Quote Originally Posted by Zfk
    When I install with 'create partition setup' and LVM encryption I get the mentioned problem.
    Here's what you are missing.

    The first password you enter is for grub, so that it can access the boot information.

    The second password is for the kernel, so that it can mount the encrypted file systems.

    There is no secure way for grub to pass the encryption password directly to the kernel. I suppose the kernel developers and the grub developers could design a way of doing this, but they have not done that. So you have to enter the key twice.

    The only ways to avoid this, as far as I know, are:
    1. Have a separate unencrypted "/boot". But then you cannot boot from an older "btrfs" snapshot, because the boot information is not part of that snapshot.
    2. Pass the encryption key to the kernel in a different way. At least one person has found a way of putting the encryption key inside the "initrd" in a way that can be accessed during boot. Personally, I am doubtful that this is sufficiently secure, so I won't try it.


    I'll note that, on one of my computers, I have to enter the encryption key twice. I'm not finding it all that much of a bother.

    There are probably ways of installing grub on a USB key, and having the encryption password in a file there. If you could get that to work, you would plug in the USB to boot, then unplug it. You would not have to enter the encryption password at all. I am not considering that, because boot information would have to be regularly updated on that USB key, such as whenever there is a kernel update or the "initrd" is rebuilt. And, with Tumbleweed, that happens with almost every update. So it seems like more of a headache than just entering the encryption key twice.

    Quote Originally Posted by Zfk
    I've tried to install manually with the same password for all encrypted partitions. The setup is as follows:
    sdb1, EFI boot, FAT, 500 MiB, unencrypted
    sdb2, swap, 8 GiB, encrypted
    sdb3, root, BtrFS, 40 GiB, encrypted
    sdb4, home, XFS, 175 GiB, encrypted
    As far as I know, that is not currently supported. You can have the root file system part of an encrypted LVM, but there isn't support for having a root partition directly encrypted. And that would not solve your problem, even if you could get it working. There would still be the problem that grub has to unencrypt, and then later the kernel has to unencrypt, with no way for grub to pass the encryption key to the kernel.
    openSUSE Leap 15.2 Beta; KDE Plasma 5;

  7. #7
    Join Date
    Jun 2017
    Posts
    3

    Re: GRUB2 decryption password enter twice

    Firstly, thank you all for your help, especially nrickert for the detailed explanation.

    When I came to the Linux community this was my first distro, and after a long time I decided to come back to my roots.
    Maybe it is a bother because my decryption passwords are approximately 30 characters long. Fedora and Manjaro didn't have this problem. In Fedora you needed to enter the password after the grub menu, and in Manjaro you needed to enter the password before booting and then choose the OS and run directly.

    I'll give openSUSE one more shot, because I really think it is a great distro, especially for its great KDE integration.

  8. #8
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    13,589
    Blog Entries
    3

    Re: GRUB2 decryption password enter twice

    Quote Originally Posted by Zfk
    In Fedora you needed to enter the password after the grub menu, and in Manjaro you needed to enter the password before booting and then choose the OS and run directly.
    That's the way it is working on my main desktop (with Leap 42.2). That's because I have a separate "/boot". So I can get the grub menu without an encryption key. I need to enter it once, for the kernel. However, I cannot get the full benefits of "btrfs" that way. I actually decided, for other reasons, to use "ext4" rather than "btrfs", so that's not a problem for me. "Fedora" and "Manjaro" are probably not using "btrfs".

    There's another option you might want to consider. Just don't encrypt the root file system at all. Use an encrypted LVM only for swap and "/home". You can then set up "/tmp" to be mounted as a "tmpfs" file system, so that it uses memory or swap. There isn't much sensitive data in the root file system, so maybe you don't need it to be encrypted. If I wanted to use "btrfs", but only enter the encryption key once, then I think that's what I would do.
    openSUSE Leap 15.2 Beta; KDE Plasma 5;
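    The split nrickert describes in #6 (grub unlocks the container to reach /boot, then the kernel unlocks it again from the initrd) means the number of prompts follows directly from where /boot sits in the block-device stack, which is also why the separate "/boot" of #2 and the unencrypted-root layout of #8 remove the first prompt. The shell script below is an added example, not code from this thread or from openSUSE: it reads the output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` (real lsblk options; `-P` prints KEY="value" pairs and PKNAME is the parent kernel device), finds the device that carries /boot, and walks up its parents looking for a `crypt` device. The three layouts it runs against are constructed for the example and the device names in them (sda, cr_lvm, system-root, system-home) are made up. It says nothing about the second prompt, which the kernel-side initrd issues from /etc/crypttab regardless of where /boot lives.

```shell
#!/bin/sh
# Added example: does GRUB have to unlock a LUKS container before it can
# read /boot (the first of the two prompts discussed in the thread)?
# Input on stdin: output of 'lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME'.
# Output: 'grub-prompt=yes|no boot=<device> [crypt=<device>]'.
boot_prompt_check() {
    awk '
    # return the value of KEY="..." from one lsblk -P line (line has a
    # leading space so every key is matched as a whole word)
    function field(line, key) {
        if (match(line, " " key "=\"[^\"]*\""))
            return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
        return ""
    }
    {
        l = " " $0
        name = field(l, "NAME")
        kind[name]   = field(l, "TYPE")
        parent[name] = field(l, "PKNAME")
        mp = field(l, "MOUNTPOINT")
        if (mp != "") mount[mp] = name
    }
    END {
        # GRUB reads kernel and initrd from /boot; when /boot has no mount
        # point of its own it is a directory inside the root file system.
        dev = ("/boot" in mount) ? mount["/boot"] : mount["/"]
        cdev = ""
        # walk the stack upwards, e.g. lvm -> crypt -> part -> disk
        for (d = dev; d != ""; d = parent[d])
            if (kind[d] == "crypt") cdev = d
        if (cdev != "") print "grub-prompt=yes boot=" dev " crypt=" cdev
        else print "grub-prompt=no boot=" dev
    }'
}

# Constructed sample 1: the installer's "encrypted LVM" layout from #1/#6.
# /boot is a directory in the root file system, which lives inside the LUKS
# container, so GRUB must unlock cr_lvm before it can even show its menu.
SAMPLE_ENCRYPTED_LVM='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="cr_lvm" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="system-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cr_lvm"
NAME="system-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="cr_lvm"
NAME="system-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="cr_lvm"'

# Constructed sample 2: separate unencrypted /boot partition, as in #2.
SAMPLE_SEPARATE_BOOT='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda3" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="cr_lvm" TYPE="crypt" MOUNTPOINT="" PKNAME="sda3"
NAME="system-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cr_lvm"
NAME="system-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="cr_lvm"'

# Constructed sample 3: the alternative from #8, root unencrypted and only
# the LVM holding swap and /home encrypted; /boot stays inside the plain root.
SAMPLE_PLAIN_ROOT='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="/" PKNAME="sda"
NAME="sda3" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="cr_lvm" TYPE="crypt" MOUNTPOINT="" PKNAME="sda3"
NAME="system-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="cr_lvm"
NAME="system-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="cr_lvm"'

if [ "${1:-}" = "--live" ]; then
    # inspect the running system instead of the constructed samples
    lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME | boot_prompt_check
else
    for s in "$SAMPLE_ENCRYPTED_LVM" "$SAMPLE_SEPARATE_BOOT" "$SAMPLE_PLAIN_ROOT"; do
        printf '%s\n' "$s" | boot_prompt_check
    done
fi
```

    Run without arguments to see the three samples classified (only the first reports `grub-prompt=yes`); run with `--live` on an installed system to check its real layout. The check only looks at the `crypt` layer under /boot, so a system with a separate /boot still gets its kernel-side prompt for the root container.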

  9. #9
    Join Date
    Sep 2012
    Posts
    5,503

    Re: GRUB2 decryption password enter twice

    Quote Originally Posted by nrickert
    ... I have a separate "/boot" ... I cannot get the full benefits of "btrfs" that way ... "Fedora" and "Manjaro" are probably not using "btrfs".
    It is not "btrfs" but the ability to roll back using snapper in (open)SUSE, which expects /boot to be part of /. It has nothing to do with "btrfs" per se but with how (open)SUSE uses it.

  10. #10
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    13,589
    Blog Entries
    3

    Re: GRUB2 decryption password enter twice

    Yes, agreed. But that ability to roll back is supposed to be one of the benefits of using "btrfs".
    openSUSE Leap 15.2 Beta; KDE Plasma 5;
