
#1 2025-05-06 01:29:47

hertz
Member
Registered: 2024-12-10
Posts: 16

[SOLVED] Struggling to add GRUB entry of an encrypted partition

Greetings everyone,
GRUB is giving headaches as usual...
I'm trying to set up a particular setup consisting of the EFI partition and two luks2 encrypted partitions, so boot is encrypted too.
I know that GRUB (not the improved version) doesn't support luks2 with argon2id for the boot partition as of now, but is it the same for other partitions as well?
I just want to add the second system (luks2 with argon2id and sha512 hash) to GRUB, already installed in the first one.
When I select the entry in the menu, it asks me for the passphrase, but immediately after, without even checking, it tells me that the passphrase is invalid and there is no such device as {root_uuid}.

Here is my attempt for the entry in 40_custom, inspired by the main working entry (created automatically):

menuentry 'Linux' --class gnu-linux --class gnu --class os {
	load_video
	insmod gzio
	insmod part_gpt
	insmod cryptodisk
	insmod luks2
	insmod btrfs
	cryptomount -u {luks_uuid}
	set root='cryptouuid/{luks_uuid}'
	search --no-floppy --fs-uuid --set=root --hint='cryptouuid/{luks_uuid}'  {root_uuid}
	echo	'Loading Linux ...'
	linux	/@/boot/vmlinuz-* root=UUID={root_uuid} ro rootflags=subvol=@ loglevel=4 rd.auto=1 rd.luks.allow-discards
	echo	'Loading initial ramdisk ...'
	initrd	/@/boot/initramfs-*
}

Does this kind of setup even make sense? I just wanted to have two encrypted systems (the first one less secure as luks2 is "compromised") that share the same GRUB. Am I missing something?
As I have to decrypt the first partition for the menu, does this mean that in order to boot from the second one I decrypt both?

Last edited by hertz (2025-05-06 22:55:06)


#2 2025-05-06 22:54:42

hertz
Member
Registered: 2024-12-10
Posts: 16

Re: [SOLVED] Struggling to add GRUB entry of an encrypted partition

OK, so I confirmed that it's for all the argon2 partitions; I don't know why I interpreted it as being just for the encrypted boot ones.
https://wiki.archlinux.org/title/GRUB#LUKS2, as always RTFM (better).
https://savannah.gnu.org/bugs/?55093, here is the open issue. It seems that a solution could come "soon".

Solutions we have, as GRUB adds full luks2 support:

  • Just roll back temporarily to luks1 altogether, convert to pbkdf2 or better, create a new keyslot with pbkdf2 (works with sha512 too).

  • Use the luks2 improved, even if it has its own implementation.

  • Switch bootloader.

Let me know if there are better solutions for now.
Thanks!
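
Added example, not part of the original posts: a shell check that reads `cryptsetup luksDump` text and lists which keyslots use pbkdf2 (the kind the thread says GRUB can unlock) and which use argon2. The dump below is a constructed sample and `/dev/sdXn` is a placeholder device.

```shell
#!/bin/sh
# Added example: classify LUKS2 keyslots by PBKDF from `cryptsetup luksDump` text.

# Print "<slot> <pbkdf>" per keyslot. Only the "Keyslots:" section is read,
# because the "Digests:" section also contains lines such as "0: pbkdf2".
keyslot_pbkdfs() {
    awk '
        /^[A-Za-z][A-Za-z ]*:[ \t]*$/ { in_slots = ($0 ~ /^Keyslots:/); next }
        in_slots && /^[ \t]+[0-9]+:/  { slot = $1; sub(/:/, "", slot); next }
        in_slots && $1 == "PBKDF:"    { print slot, $2 }
    '
}

# Print the slots that use pbkdf2; return 1 when there are none.
grub_usable_slots() {
    keyslot_pbkdfs | awk '$2 == "pbkdf2" { print $1; n++ } END { exit (n ? 0 : 1) }'
}

# Constructed sample of luksDump output (trimmed), not taken from the thread.
sample_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
UUID:           00000000-0000-0000-0000-000000000000

Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha512
        Iterations: 1000000
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

# On a real system (as root): cryptsetup luksDump /dev/sdXn | grub_usable_slots
# Adding a pbkdf2 keyslot next to the argon2id one, as the post suggests:
#   cryptsetup luksAddKey --pbkdf pbkdf2 --hash sha512 /dev/sdXn
sample_dump | keyslot_pbkdfs
```

A non-zero exit from `grub_usable_slots` means every keyslot on the volume uses an argon2 variant.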
