full disk encryption and entering twice the password to boot system


I want to install Opensuse 42.3 and use fulll disk encryption. I already installed opensuse in Virtualbox, but now I have to must enter password twice to boot system. How can I change this during the installation?

I will state I don’t use VirtualBox.

If the BIOS is UEFI then the first password is to decrypt /boot/efi
The second is to decrypt the rest of the partitions.

I assume if the bios is not UEFI, but the /boot is on its own partition it would be for the same reason.

By placing /boot/grub2 and sub-directories on non-encrypted filesystem. Actually this should even enable snapper rollback … although I have never tried it and I am not sure how yast behave in this case. Try and tell us :slight_smile:

This just demonstrates how confusing words “full disk encryption” are without actually explaining what had been done and how this encryption is implemented. I’m pretty sure that the first prompt is from grub2 to access /boot/grub2.


Thank you for your answers! I ask this question because the system doesn’t asks me to enter the password twice when I’m using Debian or Ubuntu. I also installed Opensuse on my hard disk and then I also have to enter the password twice.

It does not ask me even once on all of my openSUSE VMs. Again - unless you tell us what you actually did during installation all that you get will be wild guesses.

Fair enough. I stand corrected.I never actually looked at how the /boot/efi was setup in the default full disk encryption setup. What I get for assuming.

Hum…re-reading this. Are you saying snapper rollback does not function under the “default” way of installing full disk encryption?

Of course it does, but then you are prompted twice (at least). Actually sorry, I was wrong. Even if /boot/grub2 will be on unencrypted filesystem, grub still needs to read kernel so it must have access to /boot. And moving /boot outside of (encrypted) root will disable rollback.

If you use a separate unencrypted “/boot”, then you won’t have to enter the password twice.

However, if you are using “btrfs” for root file system, then a separate boot is not recommended. You might loose the ability to boot from an older snapshot.

As for why you are prompted twice:

The first prompt is by “grub2”. It needs the password to be able to read “/boot/grub2/grub.cfg”, where the boot menu is defined.

The second prompt is by the kernel, though passed to you via plymouth/dracut, etc. The kernel needs to password to make the encrypted file system available while the system is up and running.

There isn’t any secure way, as far as I know, for grub2 to communicate the password to the kernel.

For the record:

I am entering the encryption password once for 42.3, because I have a separate “/boot”.
I am entering it twice for Leap 15.0 (now a release candidate), where I do not have a separate “/boot”.

I’ve become used to entering twice. I don’t find it such an annoyance anymore.

I’ve noticed with opensuse Tumbleweed, that there is only one entry now for password on booting, but it’s GRUB that’s asking, and not openSUSE. I think that’s a mistake. I find this when I install opensuse. There’s an option there to encrypt the boot options too, but even though it’s unchecked, opensuse still treats it as if it is checked. That means that you have to enter a password, just to see the booting options. Even though it’s unchecked, I still get grub’s query for the password. The problem with that, is that GRUB doesn’t output to HDMI while asking, so that means I have to lift up the lid for the computer to see the prompt, and if my screen happened to get broken, then I’m in trouble. As it is now, the grub password prompt shows, but it should not be there. grub should already be showing the bootloader screen, and then if you happen to choose to boot a system that is password-protected, then ask for the password. But what if you want to boot another system that is not encrypted? grub will ask for the password for the other encrypted system, even though you don’t want to boot that one, right? At least with opensuse and not grub asking for the password, then the output shows up through HDMI.

Operating System: openSUSE Tumbleweed 20230216
KDE Plasma Version: 5.27.0
KDE Frameworks Version: 5.103.0
Qt Version: 5.15.8
Kernel Version: 6.1.8-1-default (64-bit)
Graphics Platform: X11

@as-muncher please stop posting in old threads, start a new topic on your issues.