#1 2022-10-11 12:50:14

u666sa
Member
Registered: 2020-08-01
Posts: 70

Encrypted /root with password in plymouth instead of grub?

I set everything up and it works. Even got rid of the second password prompt in plymouth. But it asks for the password in grub, which is A) plain text ugly, and B) takes about 1 minute (or two minutes) to decrypt.

Is there any way to not have grub ask for password and instead enter password in plymouth?

My configuration:

Fat32 boot EFI
SWAP
LUKS and on it btrfs root with compression


On my other laptop I have just home encrypted and there is a nice password prompt during the plymouth boot process. Through a theme I get a nice graphical password box. I want something like this. If possible.

Offline

#2 2022-10-11 12:53:21

Scimmia
Fellow
Registered: 2012-09-01
Posts: 12,447

Re: Encrypted /root with password in plymouth instead of grub?

And how is it supposed to load plymouth when it's on an encrypted volume without unlocking?

Offline

#3 2022-10-11 12:54:39

u666sa
Member
Registered: 2020-08-01
Posts: 70

Re: Encrypted /root with password in plymouth instead of grub?

Carramba!

Offline

#4 2022-10-11 13:20:29

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: Encrypted /root with password in plymouth instead of grub?

If you set up your EFI partition as /boot rather than have /boot on your encrypted volume then it isn't a problem as the plymouth hook will be in your unencrypted initramfs.

However, this will decrease the security of the setup as anyone with access to the machine could compromise the initramfs.


No, it didn't "fix" anything. It just shifted the brokenness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles

Offline
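
The caveat above about a modifiable initramfs can be paired with a detection check. This is an added example, not part of the thread or of any Arch tool: it records SHA-256 hashes of everything on the unencrypted /boot in a manifest kept on the encrypted root and reports differences. The function names and the manifest path are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): detect changes to an unencrypted /boot.
# Assumption: MANIFEST lives on the encrypted root, where someone with access
# to only the powered-off disk cannot rewrite it. Paths are placeholders.
BOOT_DIR="${BOOT_DIR:-/boot}"
MANIFEST="${MANIFEST:-/var/lib/bootcheck/manifest.sha256}"

# SHA-256 of every regular file under BOOT_DIR, with paths relative to it.
boot_hashes() {
    (cd "$BOOT_DIR" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2)
}

# Store the current state; rerun after each kernel, initramfs or GRUB update.
boot_record() {
    mkdir -p "$(dirname "$MANIFEST")" &&
        boot_hashes > "$MANIFEST" && chmod 600 "$MANIFEST"
}

# Compare /boot with the manifest. Prints ADDED/MODIFIED/MISSING lines.
# Returns 0 when nothing changed, 1 on any difference, 2 on a setup error.
boot_verify() {
    local current report
    [ -r "$MANIFEST" ] || { echo "no manifest at $MANIFEST" >&2; return 2; }
    current="$(mktemp)" || return 2
    boot_hashes > "$current"
    report="$(awk '
        { path = substr($0, 67) }   # 64 hex digits + 2 separator characters
        FILENAME == ARGV[1] { old[path] = $1; next }
        { seen[path] = 1
          if (!(path in old))       print "ADDED " path
          else if (old[path] != $1) print "MODIFIED " path }
        END { for (p in old) if (!(p in seen)) print "MISSING " p }
    ' "$MANIFEST" "$current" | LC_ALL=C sort)"
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

case "${1:-}" in
    record) boot_record ;;
    verify) boot_verify ;;
esac
```

Verification runs after the root has been unlocked, so it reports a modified initramfs after that boot rather than preventing its use.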

#5 2022-10-14 05:15:02

u666sa
Member
Registered: 2020-08-01
Posts: 70

Re: Encrypted /root with password in plymouth instead of grub?

Slithery wrote:

If you set up your EFI partition as /boot rather than have /boot on your encrypted volume then it isn't a problem as the plymouth hook will be in your unencrypted initramfs.

However, this will decrease the security of the setup as anyone with access to the machine could compromise the initramfs.

Please tell me more. Because I went up and down the Arch wiki and did multiple reboots, thinking that I should be able to do what I want, just to end up chrooting and redoing my changes. What do I have to do to make plymouth ask me for the password?

/dev/mmcblk0p1     2048   1128447   1126400  550M EFI System
/dev/mmcblk0p2  1128448  13711359  12582912    6G Linux swap
/dev/mmcblk0p3 13711360 122140671 108429312 51.7G Linux filesystem

As you can see, I have /boot/EFI as an unencrypted regular FAT32 partition.
A regular swap partition (because on btrfs you can't have COW if you have a swap file)
and then /root, which is encrypted with LUKS_1 and is on btrfs

MODULES=(intel_agp i915)
FILES=(/root/cryptlvm.keyfile)
HOOKS=(base udev plymouth keyboard autodetect keymap consolefont modconf block plymouth-encrypt filesystems fsck)
COMPRESSION="zstd"

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="intel_pstate=active splash loglevel=4 i915.enable_guc=3 enable_fbc=1 fastboot=1 lsm=lockdown,yama,apparmor,bpf apparmor=1 mitigation>
##GRUB_CMDLINE_LINUX="cryptdevice=UUID=2666a31e-612d-4037-8297-4bd758fdaacc:root root=/dev/mapper/luks_root"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/mmcblk0p3:luks_root:allow-discards cryptkey=rootfs:/root/cryptlvm.keyfile"

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="btrfs zstd part_gpt part_msdos"

# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y

Offline

#6 2022-10-14 14:09:42

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,156

Re: Encrypted /root with password in plymouth instead of grub?

See https://wiki.archlinux.org/title/Dm-cry … ire_system. Almost all the scenarios involve non-encrypted /boot. Encrypting /boot and using a grub password is the exception.

The simplest approach is to mount the ESP to /boot, but you could make /boot a second unencrypted partition if you wanted to.


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L

Offline
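
If the ESP is mounted at /boot as suggested, the FILES=(/root/cryptlvm.keyfile) and cryptkey=rootfs:/root/cryptlvm.keyfile settings from post #5 would place the LUKS key file inside an initramfs stored on an unencrypted partition. The following added example (not from the thread) cross-checks the two config files for that combination; the function names are assumptions and the default paths are the standard Arch locations.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): flag LUKS key files that mkinitcpio
# copies into the initramfs and that the kernel command line uses to unlock root.
MKINITCPIO_CONF="${MKINITCPIO_CONF:-/etc/mkinitcpio.conf}"
GRUB_DEFAULTS="${GRUB_DEFAULTS:-/etc/default/grub}"

# Print each entry of the active FILES=(...) line, one per line.
embedded_files() {
    sed -n 's/^[[:space:]]*FILES=(\([^)]*\)).*/\1/p' "$MKINITCPIO_CONF" |
        tr -s ' \t"' '\n' | sed '/^$/d'
}

# Print key paths the encrypt hook reads from the initramfs itself
# (cryptkey=rootfs:<path>), ignoring commented-out lines.
rootfs_cryptkeys() {
    grep -v '^[[:space:]]*#' "$GRUB_DEFAULTS" |
        grep -o 'cryptkey=rootfs:[^ "]*' | sed 's/^cryptkey=rootfs://'
}

# Print key files that are both embedded and used to unlock the root device.
# Returns 1 if any are found, 0 otherwise.
embedded_keyfiles() {
    local key found=0
    for key in $(rootfs_cryptkeys); do
        if embedded_files | grep -Fxq -- "$key"; then
            echo "$key"
            found=1
        fi
    done
    return "$found"
}

case "${1:-}" in
    check) embedded_keyfiles ;;
esac
```

A non-empty result means the FILES entry and the cryptkey= parameter should be removed and the initramfs regenerated before /boot is moved off the encrypted volume, leaving the passphrase prompt as the only way to unlock the root.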
