Gnome Disks encryption key change, Grub2 boot problem

OpenSUSE Tumbleweed: I changed the encryption password with Gnome Disks, and Grub2 wouldn’t accept any password upon rebooting.

I’m posting this here because, while it is not a bug, it is a feature that tripped me up, and hopefully this will save someone a little anxiety.

Gnome Disks (gnome-disk-utility 46.0, UDisks 2.10.1 (built against 2.10.0))
Grub2 (2.12-22.1)

Problem:

My laptop wouldn’t boot into Tumbleweed because GRUB wouldn’t accept any password after changing the password using the Disks app in Gnome, on a week-old install.

Solution: I booted from an OpenSUSE Tumbleweed USB drive using the rescue option and manually added a new key by running this command after logging in as root:

cryptsetup luksAddKey --pbkdf pbkdf2 /dev/drivename

After validating that I knew the argon2id created by Disks, it created a new pbkdf2 key which is accepted by Grub2.

Causes:

Gnome Disks changes the encrypted volume’s key to an argon2id and deletes the existing pbkdf2 key. Grub2 does not work with argon2id keys. I slowly arrived at this solution by being able to mount the drive (and its subvolumes) using:

cryptsetup luksOpen /dev/drivename my_drive
sudo mount /dev/mapper/my_drive /mnt

Then reading fstab from /mnt/etc. Doing so let me know that two days of work wasn’t lost and that a key had been accepted. I then used:

cryptsetup luksDump /dev/drivename

And found the argon2id key only. A brief online search for Grub2 and argon2id showed it was generally not supported by Grub2. From there I found a way of adding an alternative key that was accepted. Breaking stuff is an effective but unpleasant way of learning new things.

Replication (not verified):

Install Tumbleweed with an encrypted btrfs main partition (I pretty much stuck to defaults), then change the encryption key with Gnome Disks and reboot.
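
Added example (not part of the original post): a pre-reboot check that reads `cryptsetup luksDump` text and reports whether any keyslot still uses pbkdf2, the PBKDF the post found Grub2 to accept. The function names are hypothetical and the sample dump is constructed and abbreviated.

```shell
#!/bin/sh
# Constructed, abbreviated `cryptsetup luksDump` text (not a real header).
# Pass "fixed" to include the extra pbkdf2 keyslot added with luksAddKey.
sample_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
EOF
    [ "${1:-}" = "fixed" ] && cat <<'EOF'
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
EOF
    cat <<'EOF'
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

# Print "<slot> <pbkdf>" for each keyslot in luksDump text on stdin.
# Only the Keyslots: section is read, so the "0: pbkdf2" entry that LUKS2
# headers normally carry under Digests: is not mistaken for a pbkdf2 keyslot.
keyslot_pbkdfs() {
    awk '
        /^Keyslots:/ { in_slots = 1; next }
        /^[A-Za-z]/  { in_slots = 0 }   # next top-level section
        in_slots && /^[ \t]+[0-9]+: / { slot = $1; sub(/:$/, "", slot) }
        in_slots && $1 == "PBKDF:"    { print slot, $2 }
    '
}

# Exit status 0 if at least one keyslot uses pbkdf2, 1 otherwise.
has_pbkdf2_slot() {
    keyslot_pbkdfs | awk '$2 == "pbkdf2" { found = 1 } END { exit !found }'
}

for state in after-disks fixed; do
    if sample_dump "$state" | has_pbkdf2_slot; then
        echo "$state: pbkdf2 keyslot present"
    else
        echo "$state: no pbkdf2 keyslot, add one before rebooting"
    fi
done
```

On a real system the same check is `cryptsetup luksDump /dev/drivename | has_pbkdf2_slot`, run as root after changing the passphrase and before rebooting.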
