GRUB2 decryption password enter twice

Hi,

I’ve installed Tumbleweed and I must enter the password twice to boot the system. Firstly I get the screen:

Welcome to GRUB!
Attempting to decrypt master key…
Enter passphrase for hd1,gpt3 (d309etc…etc…etc…):

And after that, when I choose the OS, I must decrypt the LVM partition once more with the same password.

How can I disable first decryption prompt?

Thanks in advance.

Install a separate boot partition about 500 meg mounted as /boot

Yes, that would do it.

My understanding, perhaps wrong, is that if you do this and are using “btrfs”, then you lose the ability to boot from an older snapshot.

When I install with ‘create partition setup’ and LVM encryption I get the mentioned problem.
I’ve tried to install manually with same password for all encrypted partitions. The following setup is:
sdb1, EFI boot, FAT, 500 MiB, unencrypted
sdb2, swap, 8 GiB, encrypted
sdb3, root, BtrFS, 40 GiB, encrypted
sdb4, home, XFS, 175 GiB, encrypted

and I get message:

Failure occured during the following action:
Setting up encrypted dm device on /dev/sdb3

VOLUME_CRYPTSETUP_FAILED

System error code was: -3034

Continue despite the error?

Where am I wrong?

You need a password for each and every partition you encrypt. It does not matter if it is the same password; it must be entered for each encrypted partition.

Here’s what you are missing.

The first password you enter is for grub, so that it can access the boot information.

The second password is for the kernel, so that it can mount the encrypted file systems.

There is no secure way for grub to pass the encryption password directly to the kernel. I suppose the kernel developers and the grub developers could design a way of doing this, but they have not done that. So you have to enter the key twice.

The only ways to avoid this, as far as I know, are:

  1. Have a separate unencrypted “/boot”. But then you cannot boot from an older “btrfs” snapshot, because the boot information is not part of that snapshot.
  2. Pass the encryption key to the kernel in a different way. At least one person has found a way of putting the encryption key inside the “initrd” in a way that can be accessed during boot. Personally, I am doubtful that this is sufficiently secure, so I won’t try it.

I’ll note that, on one of my computers, I have to enter the encryption key twice. I’m not finding it all that much of a bother.

There are probably ways of installing grub on a USB key, and having the encryption password in a file there. If you could get that to work, you would plug in the USB to boot, then unplug it. You would not have to enter the encryption password at all. I am not considering that, because boot information would have to be regularly updated on that USB key, such as whenever there is a kernel update or the “initrd” is rebuilt. And, with Tumbleweed, that happens with almost every update. So it seems like more of a headache than just entering the encryption key twice.
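To make the two-stage picture above concrete (grub unlocks LUKS to read the kernel and initrd, then the kernel unlocks the volumes again), here is an added shell example, my own and not code from anyone in this thread. It parses text in the shape of `lsblk -rno NAME,TYPE,PKNAME,MOUNTPOINT` and reports whether `/boot` sits inside a crypt device (so grub has to prompt) and how many LUKS containers the kernel side still has to open afterwards. The two layouts embedded in it are constructed samples, not output from any real machine.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a block-device tree and work out
# whether GRUB must unlock LUKS before it can even read the kernel and initrd
# (the first prompt), on top of the kernel/initrd unlocking the root volume
# (the second prompt). Input mimics
#   lsblk -rno NAME,TYPE,PKNAME,MOUNTPOINT
# i.e. "name type parent mountpoint" separated by single spaces, empty fields
# left empty. Both samples below are constructed for this example.

# Constructed: default openSUSE layout, /boot inside the encrypted root.
SAMPLE_ENCRYPTED_BOOT='sdb disk
sdb1 part sdb /boot/efi
sdb2 part sdb
cr_root crypt sdb2
system-root lvm cr_root /
system-swap lvm cr_root [SWAP]'

# Constructed: separate unencrypted /boot partition, LVM on LUKS for the rest.
SAMPLE_SEPARATE_BOOT='sda disk
sda1 part sda /boot/efi
sda2 part sda /boot
sda3 part sda
cr_lvm crypt sda3
system-root lvm cr_lvm /
system-home lvm cr_lvm /home'

# mount_encryption LSBLK_TEXT MOUNTPOINT
# Prints "encrypted" if any ancestor of the device behind MOUNTPOINT is a
# crypt (dm-crypt/LUKS) layer, "plain" if not, "absent" if nothing is mounted
# there. /boot without its own mount is treated as living inside /.
# -F'[ ]' splits on exactly one space so empty fields keep their position.
mount_encryption() {
    printf '%s\n' "$1" | awk -F'[ ]' -v mp="$2" '
        { type[$1] = $2; parent[$1] = $3; if ($4 != "") dev[$4] = $1 }
        END {
            d = dev[mp]
            if (d == "" && mp == "/boot") d = dev["/"]
            if (d == "") { print "absent"; exit }
            # walk up through lvm/part layers looking for a crypt device
            for (n = d; n != ""; n = parent[n])
                if (type[n] == "crypt") { print "encrypted"; exit }
            print "plain"
        }'
}

# crypt_container_count LSBLK_TEXT
# Number of distinct crypt devices: each one has to be opened again by the
# initrd/systemd after GRUB hands over, whatever passphrase it uses.
crypt_container_count() {
    printf '%s\n' "$1" | awk -F'[ ]' '$2 == "crypt" { n++ } END { print n + 0 }'
}

# prompt_summary LSBLK_TEXT
# One-line verdict: must GRUB itself unlock anything, and how many LUKS
# containers remain for the kernel side.
prompt_summary() {
    if [ "$(mount_encryption "$1" /boot)" = encrypted ]; then g=yes; else g=no; fi
    echo "grub-unlock=$g luks-containers=$(crypt_container_count "$1")"
}

# Run against the two constructed layouts when executed directly.
prompt_summary "$SAMPLE_ENCRYPTED_BOOT"   # grub-unlock=yes luks-containers=1
prompt_summary "$SAMPLE_SEPARATE_BOOT"    # grub-unlock=no luks-containers=1
```

On a real machine you would feed it `"$(lsblk -rno NAME,TYPE,PKNAME,MOUNTPOINT)"` instead of the samples; the raw (`-r`) format is what the single-space field splitting assumes. Note that `grub-unlock=yes` with a separate, unencrypted `/boot` is what the snapshot-rollback trade-off in the list above is about: the script only tells you where the prompts come from, not which layout to pick.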

I’ve tried to install manually with same password for all encrypted partitions. The following setup is:
sdb1, EFI boot, FAT, 500 MiB, unencrypted
sdb2, swap, 8 GiB, encrypted
sdb3, root, BtrFS, 40 GiB, encrypted
sdb4, home, XFS, 175 GiB, encrypted

As far as I know, that is not currently supported. You can have the root file system part of an encrypted LVM, but there isn’t support for having a root partition directly encrypted. And that would not solve your problem, even if you could get it working. There would still be the problem that grub has to unencrypt, and then later the kernel has to unencrypt, with no way for grub to pass the encryption key to the kernel.

Firstly, thank you all for the help, especially nrickert for the detailed explanation.

When I came to the Linux community this was my first distro, and after a long time I decided to come back to my roots.
Maybe it is a bother because my decryption passwords are approximately 30 characters long. Fedora and Manjaro didn’t have this problem. In Fedora you needed to enter the password after the grub menu, and in Manjaro you needed to enter the password before booting and then choose the OS and run directly.

I’ll give openSUSE one more shot, because I really think it is a great distro, especially for its great KDE integration.

That’s the way it is working on my main desktop (with Leap 42.2). That’s because I have a separate “/boot”. So I can get the grub menu without an encryption key. I need to enter it once, for the kernel. However, I cannot get the full benefits of “btrfs” that way. I actually decided, for other reasons, to use “ext4” rather than “btrfs”, so that’s not a problem for me. “Fedora” and “Manjaro” are probably not using “btrfs”.

There’s another option you might want to consider. Just don’t encrypt the root file system at all. Use an encrypted LVM only for swap and “/home”. You can then setup “/tmp” to be mounted as “tmpfs” file system, so that it uses memory or swap. There isn’t much sensitive data in the root file system, so maybe you don’t need it to be encrypted. If I wanted to use “btrfs”, but only enter the encryption key once, then I think that’s what I would do.

It is not “btrfs” but the ability to roll back using snapper in (open)SUSE which expects /boot to be part of /. It has nothing to do with “btrfs” per se but with how (open)SUSE uses it.

Yes, agreed. But that ability to rollback is supposed to be one of the benefits of using “btrfs”.