Can't Have No Grub Password

Hi Geekos!

I just set up a machine with Leap 15 (I wiped the hard drive and Leap is the only OS installed btw). Since then, on boot, I am asked for my grub password. Grub2 will tell me it needs to decrypt the master key for “hd0, gpt” (I think that’s what’s written).

I cannot remember having actively asked for an encrypted boot menu, and since my LVM is encrypted anyway, I find it rather annoying. I have the suspicion that somewhere in the installation process, something forced this onto me – luckily enough, it took my root password for it :X.

Anyway, I’d like to get rid of this … but in /etc/grub.d/40_custom (kind of where I’d expect it), there is no ‘password’ line; in fact, none of the files in /etc/grub.d/ even contains the string ‘password’, and neither does /boot/grub2/grub.cfg. Yes, I ran grub2-mkconfig -o /boot/grub2/grub.cfg, and no, in YaST the checkbox is un-ticked … but still, I am prompted for my password every time I boot the PC. What’s wrong here?

Oh, and btw: Yes, I could re-install openSUSE, that wouldn’t bother me much – but since I didn’t actively opt-in for any grub encryption this time, I just feel it won’t be very helpful.

Any ideas, anybody? Thanks in advance!

Is grub on the LVM? If so, it must be decrypted to run grub before it can load the OS. If you don’t want the grub password, install /boot to its own unencrypted partition.

Show fdisk -l

Hi, here’s my fdisk:


Festplatte /dev/nvme0n1: 477 GiB, 512110190592 Bytes, 1000215216 Sektoren
Einheiten: Sektoren von 1 * 512 = 512 Bytes
Sektorgröße (logisch/physikalisch): 512 Bytes / 512 Bytes
E/A-Größe (minimal/optimal): 512 Bytes / 512 Bytes
Festplattenbezeichnungstyp: gpt
Festplattenbezeichner: E01CFDA8-555B-4FDA-860E-13F8A13EA49F

Gerät           Anfang       Ende  Sektoren  Größe Typ
/dev/nvme0n1p1    2048    1026047   1024000   500M EFI-System
/dev/nvme0n1p2 1026048 1000215182 999189135 476,5G Linux LVM


Festplatte /dev/mapper/cr_nvme0n1p2: 476,5 GiB, 511582739968 Bytes, 999185039 Sektoren
Einheiten: Sektoren von 1 * 512 = 512 Bytes
Sektorgröße (logisch/physikalisch): 512 Bytes / 512 Bytes
E/A-Größe (minimal/optimal): 512 Bytes / 512 Bytes


Festplatte /dev/mapper/system-swap: 2 GiB, 2147483648 Bytes, 4194304 Sektoren
Einheiten: Sektoren von 1 * 512 = 512 Bytes
Sektorgröße (logisch/physikalisch): 512 Bytes / 512 Bytes
E/A-Größe (minimal/optimal): 512 Bytes / 512 Bytes


Festplatte /dev/mapper/system-root: 96 GiB, 103079215104 Bytes, 201326592 Sektoren
Einheiten: Sektoren von 1 * 512 = 512 Bytes
Sektorgröße (logisch/physikalisch): 512 Bytes / 512 Bytes
E/A-Größe (minimal/optimal): 512 Bytes / 512 Bytes


Festplatte /dev/mapper/system-home: 300 GiB, 322122547200 Bytes, 629145600 Sektoren
Einheiten: Sektoren von 1 * 512 = 512 Bytes
Sektorgröße (logisch/physikalisch): 512 Bytes / 512 Bytes
E/A-Größe (minimal/optimal): 512 Bytes / 512 Bytes

Sorry, it’s all in German (I didn’t expect that …), but my understanding is that /boot = /dev/nvme0n1p1 is the unencrypted part, and the rest is the encrypted LVM. Is that correct?

Here’s how it looks from YaST, if that’s more helpful (still German, I should really switch my installation language back to English).
https://i.imgur.com/4wZxvbC.jpg

The EFI partition is partition 1. Part of the boot data is there. But part of it is in the encrypted LVM. And that’s why you need to give a password during boot.

You could have a separate unencrypted “/boot”, which would avoid this issue. However, I’m guessing that you are using “btrfs” for your root file system. And with “btrfs” the grub data (in “/boot/grub2”) needs to be in that root file system, and not a separate partition. That’s because if you ever want to rollback to an older snapshot, you have to roll back the boot configuration at the same time.

So best to just learn to live with this encryption key prompt from grub2.
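An added example, not part of any post in this thread: a small shell check for the situation described above, where the prompt comes from /boot living inside the encrypted LVM rather than from a ‘password’ line in the grub configuration. The lsblk sample lines are constructed from the layout posted earlier, the nvme0n1p3 partition is hypothetical, and GRUB_ENABLE_CRYPTODISK is the standard GRUB setting in /etc/default/grub that enables unlocking encrypted disks at boot.

```shell
#!/bin/sh
# Added example (not from the thread): does GRUB have to unlock LUKS to read /boot?

# Constructed sample: `lsblk -s -n -l -o NAME,TYPE /dev/mapper/system-root`
# for the layout posted above (root LV inside cr_nvme0n1p2).
SAMPLE_ENCRYPTED='system-root lvm
cr_nvme0n1p2 crypt
nvme0n1p2 part
nvme0n1 disk'

# Constructed sample: /boot on its own plain partition (hypothetical p3).
SAMPLE_PLAIN='nvme0n1p3 part
nvme0n1 disk'

# stdin: "NAME TYPE" lines from lsblk; prints the dm-crypt layers in the stack.
crypt_layers() {
    awk '$2 == "crypt" { print $1 }'
}

# stdin: same lines; succeeds when at least one layer is encrypted.
boot_needs_unlock() {
    [ -n "$(crypt_layers)" ]
}

# stdin: contents of /etc/default/grub; succeeds when cryptodisk support is on.
grub_cryptodisk_enabled() {
    grep -Eq '^[[:space:]]*GRUB_ENABLE_CRYPTODISK="?y"?[[:space:]]*$'
}

# Live check against the running system (needs util-linux: findmnt, lsblk).
check_boot() {
    src=$(findmnt -n -o SOURCE -T /boot) || return 2
    src=${src%%\[*}    # btrfs reports "device[/subvol]"; keep the device only
    lsblk -s -n -l -o NAME,TYPE "$src" | boot_needs_unlock
}

if [ "${1:-}" = "--live" ]; then
    if check_boot; then
        echo "/boot sits behind dm-crypt: GRUB must ask for the passphrase"
    else
        echo "/boot is readable without unlocking anything"
    fi
fi
```

Run it with `--live` on the installed system; `grub_cryptodisk_enabled < /etc/default/grub` shows whether the generated boot configuration was built with disk unlocking enabled.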

Ah, I see … that’s also plausible wrt my old installation, where I didn’t use LVM, and only had /home encrypted (and wasn’t asked to provide my PW during boot). Maybe I’ll kick out LVM with my next installation then …