
#1 2017-08-06 19:45:23

afaye
Member
From: London
Registered: 2017-08-03
Posts: 9

[SOLVED] GRUB2 long decrypt time for encrypted /boot

I noticed that it takes approx 10s to load the Arch boot menu after entering the password for an encrypted /boot partition in GRUB2.
I was experimenting with it, and I couldn't work out why it takes so long.
Would anyone have an explanation?

I hope this is enough information.
(There is no virtualisation, shutdown literally powers off the entire hardware)

gdisk (GPT)
/dev/sdc1  /boot/esp  FAT32  128Mb  (Using UEFI)
/dev/sdc2  /boot      ext4   512Mb
/dev/sdc3  /root      ext4   110Gb

# /boot takes 10s or more for GRUB to decrypt to boot menu
cryptsetup --hash sha512 --cipher aes-xts-plain64 --verify-passphrase --key-size 512 --use-random --iter-time 10 luksFormat /dev/sdc2
cryptsetup open /dev/sdc2 bootcrypt   # Invocation takes 1-2s

# / (root) takes 3-5s to decrypt when mounting /
cryptsetup --hash sha512 --cipher aes-xts-plain64 --verify-passphrase --key-size 512 --use-random --iter-time 3000 luksFormat /dev/sdc3
cryptsetup open /dev/sdc3 rootcrypt

/etc/default/grub:
GRUB_CMDLINE_LINUX_DEFAULT=""
GRUB_CMDLINE_LINUX="cryptdevice=UUID=somestring:bootcrypt root=/dev/mapper/rootcrypt"
GRUB_PRELOAD_MODULES="part_gpt part_msdos luks cryptodisk"
GRUB_ENABLE_CRYPTODISK=y

/etc/mkinitcpio.conf has the "encrypt" hook after "block" device

Last edited by afaye (2017-08-07 13:10:24)


#2 2017-08-06 21:04:11

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: [SOLVED] GRUB2 long decrypt time for encrypted /boot

If you tell us more about how you encrypted /boot, how many slots you are using and which slot will get decrypted with the password you enter, then we can try to help you.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K


#3 2017-08-06 22:06:58

afaye
Member
From: London
Registered: 2017-08-03
Posts: 9

Re: [SOLVED] GRUB2 long decrypt time for encrypted /boot

Thanks for your response. I was going to copy and paste a luksDump in my original post, but because I have not set up my GUI and am missing copy/paste functionality, I didn't include my luksDump. I hope this is ok here ...

1. How did I encrypt my /boot?

cryptsetup --hash sha512 --cipher aes-xts-plain64 --verify-passphrase --key-size 512 --use-random --iter-time 10 luksFormat /dev/sdc2

2. How many key slots are there?
I had 3 key slots:
I was also experimenting with adding and deleting keys, and I ended up with the following right now:
a) Key Slot 0 - Iterations = 3670248
b) Key Slot 1 - Iterations = 12278 (It was supplied with a 1Mb File to see how to add keyfile)
c) Key Slot 2 - Iterations = 12427 (This key slot is the password used)

3. Which slot will get decrypted with the password?
It is the c) key slot (Key Slot 2) which will get decrypted by grub.

4. I am also trying to enable debug mode:
https://wiki.archlinux.org/index.php/GR … g_messages
and ... I am also trying to work out where to put it inside my grub.conf file without breaking it.
Just trying to read more on grub and its boot process as well to see whether I can enable more logging and where to look at logging ... just things like that.

Last edited by afaye (2017-08-06 22:08:22)


#4 2017-08-07 09:44:36

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: [SOLVED] GRUB2 long decrypt time for encrypted /boot

afaye wrote:

2. How many key slots are there?
I had 3 key slots:
I was also experimenting with adding and deleting keys, and I ended up with the following right now:
a) Key Slot 0 - Iterations = 3670248
b) Key Slot 1 - Iterations = 12278 (It was supplied with a 1Mb File to see how to add keyfile)
c) Key Slot 2 - Iterations = 12427 (This key slot is the password used)

3. Which slot will get decrypted with the password?
It is the c) key slot (Key Slot 2) which will get decrypted by grub.

Then grub will also decode slots 0 and 1. It doesn't know in advance which one will decrypt with the password you provided, so it will test them all until it manages to decrypt a slot. From the looks of it, your slot 0 may take a while to try, and is most probably the cause of the delay you are seeing.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K


#5 2017-08-07 13:06:35

afaye
Member
From: London
Registered: 2017-08-03
Posts: 9

Re: [SOLVED] GRUB2 long decrypt time for encrypted /boot

Thank you.

Yes, of course!! What you said made perfect sense!!

I changed my LUKS header to look like this:
2 Key Slots:
a) Key Slot 0, iterations 1242 (to decrypt GRUB, like 10ms or something, can't remember exact timing when I luksAddKey)
b) Key Slot 1, iterations 12457 (This is just that 1Mb File for crypttab)

And yes!! Decrypt time now super fast!! So happy. :)

So indeed ... it was trying to decrypt all my keys with long iteration time in GRUB.
(Gosh I think I had, at one point, filled up all key slots ... <shudder>)

Thanks heaps.

Last edited by afaye (2017-08-07 13:09:22)


#6 2017-08-07 15:29:12

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: [SOLVED] GRUB2 long decrypt time for encrypted /boot

Just to add/clarify: cryptsetup, and I assume grub, will only keep trying until they find one slot that decrypts successfully. You could have all slots filled with long iteration times; if the first one that is tried can be decrypted with the password you provide, then it stops there.

On another note, from a security point of view you want to have an iteration time as long as you can tolerate, this assuming you are concerned about someone trying to brute-force your decryption password.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
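Added example (not from this thread or from cryptsetup/GRUB): a small Python model of the slot-trial cost R00KIE describes in #4 and #6, run over a constructed `cryptsetup luksDump` excerpt that uses this thread's slot iteration counts. The MK iterations value, the UUID and the 400k iterations/second rate are assumptions; the cost model (each tried slot pays its own PBKDF2 plus the MK-digest check, ascending slot order, stop at first success) follows the LUKS1 unlock procedure.

```python
import re

# Constructed LUKS1 `cryptsetup luksDump` excerpt with this thread's slot
# iteration counts; the MK iterations and UUID values are made up.
SAMPLE_DUMP = """\
LUKS header information for /dev/sdc2

Cipher name:   \taes
Cipher mode:   \txts-plain64
Hash spec:     \tsha512
MK iterations: \t33750
UUID:          \t00000000-0000-0000-0000-000000000000

Key Slot 0: ENABLED
\tIterations:         \t3670248
Key Slot 1: ENABLED
\tIterations:         \t12278
Key Slot 2: ENABLED
\tIterations:         \t12427
Key Slot 3: DISABLED
"""

def parse_luks1_dump(text):
    """Return (mk_iterations, [(slot, iterations), ...]) for ENABLED slots, in slot order."""
    mk = int(re.search(r"^MK iterations:\s*(\d+)", text, re.M).group(1))
    slots = [(int(s), int(i)) for s, i in
             re.findall(r"^Key Slot (\d+): ENABLED\n\tIterations:\s*(\d+)", text, re.M)]
    return mk, slots

def unlock_cost(mk, slots, matching_slot):
    """PBKDF2 iterations spent until matching_slot opens: LUKS1 tries enabled slots
    in ascending order, each trial costs the slot's PBKDF2 plus the MK-digest PBKDF2
    that verifies the candidate master key, and the search stops at the first hit."""
    total = 0
    for slot, iters in slots:
        total += iters + mk
        if slot == matching_slot:
            return total
    raise ValueError(f"slot {matching_slot} is not enabled")

def estimate_seconds(iterations, iters_per_second):
    """Rough wall-clock estimate for an assumed PBKDF2 rate (GRUB is far slower than cryptsetup)."""
    return iterations / iters_per_second

if __name__ == "__main__":
    mk, slots = parse_luks1_dump(SAMPLE_DUMP)
    for slot, _ in slots:  # cost if the GRUB passphrase lived in each slot
        cost = unlock_cost(mk, slots, slot)
        print(f"slot {slot}: {cost} iterations, ~{estimate_seconds(cost, 400_000):.1f}s at 400k it/s")
```

With the thread's original layout the passphrase in slot 2 pays for slot 0's 3.67M iterations first; moving the GRUB passphrase to a low-iteration slot 0, as afaye did in #5, lets the other slots keep long iteration counts without delaying the boot menu.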

