Enter encryption password twice?

Yes, sorry, yet another annoying question - but if I don’t ask I’ll never know right?

On installation I chose encryption, and have the following setup -

Hard Disk: /dev/sdb:
Device: /dev/sdb

Size: 447.13 GiB
Encrypted: No
Partition: /dev/sdb1:
Device: /dev/sdb1
Size: 8.00 MiB
Encrypted: No
Device Path: pci-0000:3b:00.0-usb-0:1:1.0-scsi-0:0:0:0-part1
Device ID 1: ata-SanDisk_Ultra_II_480GB_161317802218-part1
Device ID 2: wwn-0x5001b448b4489bee-part1
Partition ID: BIOS Boot

Partition: /dev/sdb2
Device: /dev/sdb2
Size: 447.12 GiB
Encrypted: Yes
Device Path: pci-0000:3b:00.0-usb-0:1:1.0-scsi-0:0:0:0-part2
Device ID 1: ata-SanDisk_Ultra_II_480GB_161317802218-part2
Device ID 2: wwn-0x5001b448b4489bee-part2
Partition ID: Linux LVM

Only sdb2 is encrypted, but on boot I have to enter the password twice - once pre-grub2 menu, then once again post-grub2.

Can someone tell me if this is normal behavior or have I done something wrong, and why I have to do it twice?


First a general remark: please copy/paste not only some of the output from your terminal, but the complete output, with the prompt/command line at the top and the new prompt at the bottom. This is so we can see what you saw and know what you did. Now we have only some output, but have to guess what you did to get it.

Then, to give you a quick first answer: as you may have understood, the first password is asked for by Grub, because it has to read parts of your system to start it booting, and the second time the operating system asks for it to be able to mount and use the root file system. Thus, yes, that is normal.

How to avoid?
Others may have some nice solution (especially @nrickert), but one way might be to use a separate unencrypted /boot partition.

Ah, that makes sense, thanks.

Yes, this is normal behavior.

My normal setup is to use a separate unencrypted “/boot”. And, in that case, I only need to enter the passphrase once. However, I do have a Tumbleweed system where “/boot” is part of the root partition, and there I have to enter the passphrase twice.

I also have a system in a virtual machine, where “/boot” is part of the root partition, and I only need to enter the passphrase once (for grub booting). I’ll get to that shortly.

Here’s the general story:

  • If you use a separate unencrypted boot, you only need to enter the passphrase once (for use by the kernel). In this case grub2 does not need the passphrase.
  • If you are using “btrfs”, then it is best to not use a separate unencrypted “/boot”. That’s because a “btrfs” rollback cannot roll back to an earlier kernel than is in “/boot”.
  • If “/boot” is part of what is encrypted, then “grub2” needs the passphrase to access the boot information (menu, kernel, “initrd”).
  • There is currently no safe way for grub2 to communicate the passphrase to the booting kernel. About the only way it could do that, would be with a command line argument to the kernel. But command line arguments to the kernel are visible (in “/proc/cmdline”).

As for the workaround:

You can put the encryption key in a file, with the file path in “/etc/crypttab”. That way the key can be read from the file system. The tricky part is that the key needs to be read before the file system is available. So you have to force that copy of the encryption key into the “initrd” file. Fortunately, the “initrd” is readable only by root. But I personally question the wisdom of that, which is why I am only doing it in one virtual machine. If you want details, ask in a follow up post in this thread.
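The workaround above trades a second passphrase prompt for a key file that lives on disk and inside the initrd, so the obvious thing to check is who can read that file. The following is an added example, not code from nrickert's post or from openSUSE: it parses the systemd/dracut `/etc/crypttab` format (name, device, key file, options; a key file of `none` or `-` means "prompt for the passphrase") and flags key-file entries that are readable by group/other or suspiciously short. The sample crypttab text and the key files it points at are constructed inside a temporary directory; the paths are placeholders, and the script does not inspect the initrd itself.

```python
"""Audit key-file entries in an /etc/crypttab (added example, constructed input)."""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple, Dict

# Constructed crypttab: {good} and {bad} are filled in with temp-file paths below.
SAMPLE_CRYPTTAB = """\
# <name>   <device>    <key file>  <options>
cr_root    /dev/sdb2   none        luks
cr_good    /dev/sdc1   {good}      luks
cr_bad     /dev/sdd1   {bad}       luks,discard
"""


@dataclass
class CrypttabEntry:
    name: str
    device: str
    keyfile: Optional[str]      # None => the passphrase will be prompted for
    options: Tuple[str, ...]


def parse_crypttab(text: str) -> List[CrypttabEntry]:
    """Parse crypttab lines; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {raw!r}")
        keyfile: Optional[str] = fields[2] if len(fields) > 2 else None
        if keyfile in ("none", "-"):
            keyfile = None
        options = tuple(fields[3].split(",")) if len(fields) > 3 else ()
        entries.append(CrypttabEntry(fields[0], fields[1], keyfile, options))
    return entries


def audit_keyfile(path: str, min_len: int = 32) -> List[str]:
    """Return findings for one key file; an empty list means nothing was flagged."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    # Any group/other permission bit means someone other than the owner can reach the key.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("readable-by-others")
    if st.st_size < min_len:
        findings.append("short-key")
    return findings


def audit(entries: List[CrypttabEntry]) -> Dict[str, List[str]]:
    """Map each crypttab entry name to its findings ('ok' when a key file passes)."""
    report = {}
    for e in entries:
        if e.keyfile is None:
            report[e.name] = ["passphrase-prompt"]
        else:
            report[e.name] = audit_keyfile(e.keyfile) or ["ok"]
    return report


def demo() -> Dict[str, List[str]]:
    """Create constructed key files (one 0400 and random, one 0644 and tiny) and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.key")
        bad = os.path.join(tmp, "bad.key")
        with open(good, "wb") as f:
            f.write(os.urandom(64))
        os.chmod(good, 0o400)
        with open(bad, "wb") as f:
            f.write(b"short")
        os.chmod(bad, 0o644)
        return audit(parse_crypttab(SAMPLE_CRYPTTAB.format(good=good, bad=bad)))


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {', '.join(findings)}")
```

Run against a real system with `audit(parse_crypttab(open("/etc/crypttab").read()))`; the same permission check applies to the initrd image in `/boot`, since a copy of the key ends up inside it.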

I know this is an older topic and the OP didn’t ask for details but this thread came up in my googling and I think other people might find the details useful. The good thing is that it’s actually part of openSUSE wiki now: SDB:Encrypted root file system - openSUSE Wiki

Yes, it is. In fact, I gave that link in my response in a more recent thread on this topic.