I just set up a machine with Leap 15 (I wiped the hard drive and Leap is the only OS installed btw). Since then, on boot, I am asked for my grub password. Grub2 will tell me it needs to decrypt the master key for “hd0, gpt” (I think that’s what’s written).
I cannot remember having actively asked for an encrypted boot menu, and since my LVM is encrypted anyway, I find it rather annoying. I have the suspicion that somewhere in the installation process, something forced this onto me – lucky enough, it took my root password for it :X.
Anyway, I’d like to get rid of this … but in /etc/grub.d/40_custom (kind of where I’d expect it), there is no ‘password’ line; in fact, none of the files in /etc/grub.d/ even contains the string ‘password’, and /boot/grub2/grub.cfg doesn’t either. Yes, I ran grub2-mkconfig -o /boot/grub2/grub.cfg, and no, in YaST the checkbox is un-ticked … but still, I am prompted for my password every time I boot the PC. What’s wrong here?
Oh, and btw: Yes, I could re-install openSUSE, that wouldn’t bother me much – but since I didn’t actively opt-in for any grub encryption this time, I just feel it won’t be very helpful.
Is grub on the LVM? If so, it must be decrypted to run grub before it can load the OS. If you don’t want the grub password, install /boot to its own unencrypted partition.
Sorry, it’s all in German (I didn’t expect that …), but my understanding is that /boot = /dev/nvme0n1p1 is the unencrypted part, and the rest is the encrypted LVM. Is that correct?
Here’s how it looks from YaST, if that’s more helpful (still German, I should really switch my installation language back to English). https://i.imgur.com/4wZxvbC.jpg
The EFI partition is partition 1. Part of the boot data is there. But part of it is in the encrypted LVM. And that’s why you need to give a password during boot.
You could have a separate unencrypted “/boot”, which would avoid this issue. However, I’m guessing that you are using “btrfs” for your root file system. And with “btrfs” the grub data (in “/boot/grub2”) needs to be in that root file system, and not a separate partition. That’s because if you ever want to rollback to an older snapshot, you have to roll back the boot configuration at the same time.
So best to just learn to live with this encryption key prompt from grub2.
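A way to check this on a running system, as an added example that is not part of the original thread: the functions below walk the device stack under the paths GRUB2 must read and report whether a dm-crypt layer sits below them. The sample `lsblk` rows and device names are constructed, and `findmnt` and `lsblk` from util-linux are assumed to be installed.

```shell
#!/bin/sh
# Added example: find out whether the storage under a path contains a
# LUKS/dm-crypt layer, which is what makes GRUB2 ask for a passphrase
# (this is a disk unlock, not a GRUB 'password' menu setting).

# Constructed sample of `lsblk -s -r -n -o NAME,TYPE <device>` for a root
# filesystem on LVM inside LUKS (device names are hypothetical).
SAMPLE_ROOT='system-root lvm
cr_root crypt
nvme0n1p2 part
nvme0n1 disk'

# Constructed sample for a plain EFI system partition.
SAMPLE_EFI='nvme0n1p1 part
nvme0n1 disk'

# classify_stack: read "NAME TYPE" rows on stdin and print
# "encrypted:<name>" for the first crypt layer found, else "plain".
classify_stack() {
    awk '$2 == "crypt" { print "encrypted:" $1; found = 1; exit }
         END { if (!found) print "plain" }'
}

# strip_fsroot: drop the "[/subvolume]" suffix findmnt prints for btrfs.
strip_fsroot() {
    printf '%s\n' "${1%%\[*}"
}

# stack_of: list the devices below the filesystem that holds path $1.
stack_of() {
    src=$(findmnt -n -o SOURCE --target "$1") || return 1
    lsblk -s -r -n -o NAME,TYPE "$(strip_fsroot "$src")"
}

# report: live check of the paths GRUB2 reads before the kernel starts.
report() {
    for p in /boot/efi /boot /boot/grub2; do
        [ -e "$p" ] || continue
        printf '%-12s %s\n' "$p" "$(stack_of "$p" | classify_stack)"
    done
}
```

Calling `report` on a layout like the one in this thread would be expected to show `/boot/efi` as plain and `/boot/grub2` as encrypted, which matches the prompt appearing even though no GRUB password is configured.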
Ah, I see … that’s also plausible wrt my old installation, where I didn’t use LVM, and only had /home encrypted (and wasn’t asked to provide my PW during boot). Maybe I’ll kick out LVM with my next installation then …