Grub2-efi asks for passphrase although boot partition is unencrypted

Hi everyone!

I set up Leap 15 with full disk encryption (LVM on LUKS). I understood that I have to create a separate unencrypted boot partition if I wish to avoid entering a passphrase twice upon system boot. I thought that the partition layout I created would serve this goal with sda1 being unencrypted and mounted to /boot/efi. However, Grub2-efi asks for the passphrase for “hd0,gpt2” every time the system is booted. After selecting Leap to boot, I have to enter the passphrase again (for the kernel, obviously, as there is no way for Grub to pass the key I entered). This is what lsblk says:

sda                 8:0    0   477G  0 disk  
├─sda1              8:1    0   500M  0 part  /boot/efi
└─sda2              8:2    0 476,5G  0 part  
  └─cr_sda2       254:0    0 476,5G  0 crypt 
    ├─system-swap 254:1    0   7,7G  0 lvm   [SWAP]
    ├─system-root 254:2    0    25G  0 lvm   /
    └─system-home 254:3    0 443,8G  0 lvm   /home

What am I missing? I can’t find a solution to my problem in other threads as these only deal with encrypted boot partitions. I don’t understand why I’m required to enter a passphrase for Grub although sda1 is unencrypted (at least it seems to me it is).

Sorry in advance if there is still relevant information missing or you may find the style of my post poor - it’s my first one here.

Any ideas appreciated!

When older threads talk about an unencrypted boot partition, they are referring to “/boot” and not to “/boot/efi”.

If you have a separate unencrypted “/boot” then you won’t have this problem. However, for you the directory “/boot” is in your root file system so it is inside the encrypted LVM. That’s why grub2 needs a password to read its menu.

My practice: I happily enter the encryption password twice. But that’s only when I don’t have a separate unencrypted “/boot”.

I should maybe add that if you are using “btrfs” for the root file system, then it is better to NOT have a separate “/boot”. You need “/boot” to be part of the root file system if you want to be able to roll back to an earlier snapshot.

Other possibilities: you can put the encryption password into a file. Make it a file that is only readable by root. And you have to configure “dracut” to copy that file into the “initrd”. If you do it that way, then you still need to give the password to “grub”, but you won’t be asked a second time. I personally do not recommend this, but I do have it working in a virtual machine (just for testing). There was an earlier thread on this, though I don’t have a link handy.

A second possibility is to install most of the grub2-efi stuff into your EFI partition (or “/boot/efi”). I think there’s actually a way to configure it as a “stand alone” grub. And then you also have to copy the kernel and “initrd” files to the EFI partition. But the disadvantage of this is that you will have to repeat the same steps after every kernel update. So it is probably a bad idea.
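The diagnosis above (grub needs the passphrase whenever the device that actually holds “/boot” sits below a dm-crypt mapping, regardless of where “/boot/efi” lives) can be checked mechanically. This is an added example, not code from the thread or from openSUSE: it parses the JSON that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints (the embedded sample is a constructed rendering of the layout posted above) and reports whether a given path is reachable without unlocking a LUKS container.

```python
import json
import sys

# Constructed sample: the thread's layout as `lsblk -J -o NAME,TYPE,MOUNTPOINT`
# would print it (assumption: this is the JSON shape lsblk emits on Leap 15).
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "cr_sda2", "type": "crypt", "mountpoint": null, "children": [
        {"name": "system-swap", "type": "lvm", "mountpoint": "[SWAP]"},
        {"name": "system-root", "type": "lvm", "mountpoint": "/"},
        {"name": "system-home", "type": "lvm", "mountpoint": "/home"}]}]}]}]}
"""

def _walk(nodes, ancestors):
    """Yield (node, chain) for every device, chain = disk ... node."""
    for node in nodes:
        chain = ancestors + [node]
        yield node, chain
        yield from _walk(node.get("children", []), chain)

def device_chain(lsblk_json, path):
    """Device chain (disk down to filesystem) holding `path`.

    The longest mountpoint that is a prefix of `path` wins, so "/boot" with no
    mountpoint of its own resolves to whatever holds "/", exactly as grub sees it.
    """
    best_mp, best_chain = None, None
    for node, chain in _walk(json.loads(lsblk_json)["blockdevices"], []):
        mp = node.get("mountpoint")
        if not mp or mp.startswith("["):          # skip [SWAP] and unmounted
            continue
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best_mp is None or len(mp) > len(best_mp):
                best_mp, best_chain = mp, chain
    if best_chain is None:
        raise ValueError(f"no mountpoint covers {path}")
    return [n["name"] for n in best_chain], [n["type"] for n in best_chain]

def needs_passphrase(lsblk_json, path="/boot"):
    """True when any device beneath `path` is a dm-crypt mapping."""
    _, types = device_chain(lsblk_json, path)
    return "crypt" in types

if __name__ == "__main__":
    data = SAMPLE_LSBLK_JSON if sys.stdin.isatty() else sys.stdin.read()
    for p in ("/boot", "/boot/efi"):
        names, _ = device_chain(data, p)
        print(p, "->", " > ".join(names), "| passphrase:", needs_passphrase(data, p))
```

On a live system run it as `lsblk -J -o NAME,TYPE,MOUNTPOINT | python3 bootcheck.py`; a separate unencrypted “/boot” partition shows up as a chain with no `crypt` entry.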

Thank you very much - that gives me a better understanding of what is happening. I see the difference between “/boot/efi” and “/boot” and will now try to really set up a separate unencrypted “/boot” as I’m not using “btrfs”.

Fair enough. Then I would suggest 500M for the “/boot” partition. Actually, 200M should be enough, but it is good to have some spare space.

Thanks again - 500M “/boot” worked like a charm.

I’m glad it is now working well for you.

Thanks, this thread helped me a lot. I had the same issue.

In my opinion it is currently not a good idea to recommend encrypting /root, because you can’t change the locale for the grub password prompt see In practice it is not possible to enter a secure password containing special chars with a wrong keyboard layout. That’s the reason why the password key file fix is not a usable option for me either.

I assume you mean /? Because /root is the home directory of user root and should never be on a separate partition. And this thread is not discussing /root at all.